feat: Add XML schema validation (Fixes #1507) (#1544)

Author: anthonyharrison

README.md

@@ -109,6 +109,8 @@ Usage:
       -V, --version         show program's version number and exit
       --disable-version-check
                             skips checking for a new version
+      --disable-validation-check
+                            skips checking xml files against schema
       --offline             operate in offline mode							
 
     CVE Data Download:

cve_bin_tool/checkers/xml2.py

@@ -60,7 +60,7 @@ def guess_xml2_version(lines):
                 new_guess2 = match.group(1).strip()
                 if len(new_guess2) > len(new_guess):
                     new_guess = new_guess2
-        # If no version guessed, set version to UNKNOWN
+        # If no version guessed, set version to "UNKNOWN"
         return new_guess or "UNKNOWN"
 
     def get_version(self, lines, filename):

cve_bin_tool/cli.py

@@ -261,6 +261,11 @@ def main(argv=None):
         help="skips checking for a new version",
         default=False,
     )
+    parser.add_argument(
+        "--disable-validation-check",
+        action="store_true",
+        help="skips checking xml files against schema",
+    )
     parser.add_argument(
         "--offline",
         action="store_true",
@@ -556,6 +561,7 @@ def main(argv=None):
                 should_extract=args["extract"],
                 exclude_folders=args["exclude"],
                 error_mode=error_mode,
+                validate=not args["disable_validation_check"],
             )
             version_scanner.remove_skiplist(skips)
             LOGGER.info(f"Number of checkers: {version_scanner.number_of_checkers()}")
@@ -576,7 +582,10 @@ def main(argv=None):
         if args["sbom_file"]:
             # Process SBOM file
             sbom_list = SBOMManager(
-                args["sbom_file"], sbom_type=args["sbom"], logger=LOGGER
+                args["sbom_file"],
+                sbom_type=args["sbom"],
+                logger=LOGGER,
+                validate=not args["disable_validation_check"],
             )
             parsed_data = sbom_list.scan_file()
             LOGGER.info(

cve_bin_tool/sbom_manager/__init__.py

@@ -1,6 +1,7 @@
 # Copyright (C) 2021 Anthony Harrison
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import os
 from collections import defaultdict
 from logging import Logger
 from typing import DefaultDict, Dict, List, Optional
@@ -24,35 +25,39 @@ class SBOMManager:
     sbom_data: DefaultDict[ProductInfo, TriageData]
 
     def __init__(
-        self, filename: str, sbom_type: str = "spdx", logger: Optional[Logger] = None
+        self,
+        filename: str,
+        sbom_type: str = "spdx",
+        logger: Optional[Logger] = None,
+        validate: bool = True,
     ):
         self.filename = filename
         self.sbom_data = defaultdict(dict)
         self.type = "unknown"
         if sbom_type in self.SBOMtype:
             self.type = sbom_type
         self.logger = logger or LOGGER.getChild(self.__class__.__name__)
+        self.validate = validate
 
         # Connect to the database
         self.cvedb = CVEDB(version_check=False)
 
     def scan_file(self) -> Dict[ProductInfo, TriageData]:
         LOGGER.info(f"Processing SBOM {self.filename} of type {self.type.upper()}")
+        modules = []
         try:
-            if self.type == "spdx":
-                spdx = SPDXParser()
-                modules = spdx.parse(self.filename)
-            elif self.type == "cyclonedx":
-                cyclone = CycloneParser()
-                modules = cyclone.parse(self.filename)
-            elif self.type == "swid":
-                swid = SWIDParser()
-                modules = swid.parse(self.filename)
-            else:
-                modules = []
+            if os.path.exists(self.filename):
+                if self.type == "spdx":
+                    spdx = SPDXParser(self.validate)
+                    modules = spdx.parse(self.filename)
+                elif self.type == "cyclonedx":
+                    cyclone = CycloneParser(self.validate)
+                    modules = cyclone.parse(self.filename)
+                elif self.type == "swid":
+                    swid = SWIDParser(self.validate)
+                    modules = swid.parse(self.filename)
         except (KeyError, FileNotFoundError, ET.ParseError) as e:
             LOGGER.debug(e, exc_info=True)
-            modules = []
 
         LOGGER.debug(
             f"The number of modules identified in SBOM - {len(modules)}\n{modules}"

cve_bin_tool/sbom_manager/cyclonedx_parser.py

@@ -6,10 +6,12 @@
 
 import defusedxml.ElementTree as ET
 
+from cve_bin_tool.validator import validate_cyclonedx
+
 
 class CycloneParser:
-    def __init__(self):
-        pass
+    def __init__(self, validate: bool = True):
+        self.validate = validate
 
     def parse(self, sbom_file: str) -> List[List[str]]:
         """parses CycloneDX BOM file extracting package name and version"""
@@ -35,15 +37,16 @@ def parse_cyclonedx_json(self, sbom_file: str) -> List[List[str]]:
 
     def parse_cyclonedx_xml(self, sbom_file: str) -> List[List[str]]:
         """parses CycloneDX XML BOM file extracting package name and version"""
-
+        modules: List[List[str]] = []
+        if self.validate and not validate_cyclonedx(sbom_file):
+            return modules
         tree = ET.parse(sbom_file)
         # Find root element
         root = tree.getroot()
         # Extract schema
         schema = root.tag[: root.tag.find("}") + 1]
         # schema = '{http://cyclonedx.org/schema/bom/1.3}'
-
-        modules: List[List[str]] = []
+        print("Schema", schema)
         for components in root.findall(schema + "components"):
             for component in components.findall(schema + "component"):
                 # Only if library....
@@ -58,10 +61,8 @@ def parse_cyclonedx_xml(self, sbom_file: str) -> List[List[str]]:
                     if component_version is None:
                         raise KeyError(f"Could not find version in {component}")
                     version = component_version.text
-                    if version is None:
-                        raise KeyError(f"Could not find version in {component}")
-                    modules.append([package, version])
-
+                    if version is not None:
+                        modules.append([package, version])
         return modules
 
 

cve_bin_tool/sbom_manager/spdx_parser.py

@@ -9,11 +9,12 @@
 import yaml
 
 from cve_bin_tool.log import LOGGER
+from cve_bin_tool.validator import validate_spdx
 
 
 class SPDXParser:
-    def __init__(self):
-        pass
+    def __init__(self, validate: bool = True):
+        self.validate = validate
 
     def parse(self, sbom_file: str) -> List[List[str]]:
         """parses SPDX BOM file extracting package name and version"""
@@ -113,12 +114,15 @@ def parse_spdx_yaml(self, sbom_file: str) -> List[List[str]]:
     def parse_spdx_xml(self, sbom_file: str) -> List[List[str]]:
         """parses SPDX XML BOM file extracting package name and version"""
         # XML is experimental in SPDX 2.2
+        modules: List[List[str]] = []
+        if self.validate and not validate_spdx(sbom_file):
+            return modules
         tree = ET.parse(sbom_file)
         # Find root element
         root = tree.getroot()
         # Extract schema
         schema = root.tag[: root.tag.find("}") + 1]
-        modules: List[List[str]] = []
+
         for component in root.findall(schema + "packages"):
             try:
                 package_match = component.find(schema + "name")

cve_bin_tool/sbom_manager/swid_parser.py

@@ -5,22 +5,24 @@
 
 import defusedxml.ElementTree as ET
 
+from cve_bin_tool.validator import validate_swid
+
 
 class SWIDParser:
-    def __init__(self):
-        pass
+    def __init__(self, validate: bool = True):
+        self.validate = validate
 
     def parse(self, sbom_file: str) -> List[List[str]]:
         """parses SWID XML BOM file extracting package name and version"""
-
+        modules: List[List[str]] = []
+        if self.validate and not validate_swid(sbom_file):
+            return modules
         tree = ET.parse(sbom_file)
         # Find root element
         root = tree.getroot()
         # Extract schema
         schema = root.tag[: root.tag.find("}") + 1]
         # schema = '{http://standards.iso.org/iso/19770/-2/2015/schema.xsd}'
-
-        modules: List[List[str]] = []
         for component in root.findall(schema + "Link"):
             # Only if a component ....
             if component.get("rel") == "component":

cve_bin_tool/schemas/README.txt

@@ -0,0 +1,10 @@
+The cyclconedx_gen.xsd is an amalgamation of cyclonedx.xsd and cyclonedx_spdx.xsd. References
+to spdx namespace in the cyclonedx.xsd is changed to bom.
+
+The spdx.xsd has been generated from the test XML files as there is no official XSD schema.
+
+The swid_gen.xsd has been generated from the test XML files as the official XSD schema (swid.xsd)
+contains entities which are unsafe when parsed.
+
+The pom.xsd file has been modified to ensure that all HTML tags have matching closure tags.
+