Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword #280

Open
hboutemy opened this issue Mar 30, 2023 · 12 comments
Labels
bug Something isn't working

Comments

@hboutemy
Copy link
Contributor

warning that appears in cyclone-dx-maven plugin when validating the json SBOM that just has been generated: see CycloneDX/cyclonedx-maven-plugin#305

it seems this is a problem when parsing the json schema https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/bom-1.4.schema.json

@eero-vaarnas
Copy link

Any means to circumvent this problem?

@stevespringett
Copy link
Member

Likely caused by minor technical defects in prior schemas. These warnings can simply be ignored. I believe we have eliminated these issues in v1.5

@Bukama
Copy link

Bukama commented Aug 16, 2023

Likely caused by minor technical defects in prior schemas. These warnings can simply be ignored. I believe we have eliminated these issues in v1.5

It stills occures with current core version (7.3.2 used by Maven CycloneDX-Plugin 2.7.9, released May 2023). So it was not fixed in 7.1.5 :/

@stevespringett
Copy link
Member

@Bukama we never said it was fixed in cyclonedx-core-java. What was said was that we have fixed the issue in v1.5 of the CycloneDX schema. We have yet to release a version of cyclonedx-core-java that supports the v1.5 schema, but we're close to doing so. The next point release will include support for the v1.5 schema, so generating BOMs with that schema should not yield any warnings, however generating BOMs targeting CycloneDX v1.4 will continue to generate the warnings (as expected).

@Bukama
Copy link

Bukama commented Aug 17, 2023

@Bukama we never said it was fixed in cyclonedx-core-java. What was said was that we have fixed the issue in v1.5 of the CycloneDX schema. We have yet to release a version of cyclonedx-core-java that supports the v1.5 schema, but we're close to doing so. The next point release will include support for the v1.5 schema, so generating BOMs with that schema should not yield any warnings, however generating BOMs targeting CycloneDX v1.4 will continue to generate the warnings (as expected).

Thanks for the clarification. I understood your comment as a reference to the 7.1.5 version, my bad!

@rmannibucau
Copy link

Hi, still happens in maven plugin 2.7.11 with core 8.0.3. Any hope we can get it fixed soon?

@hboutemy
Copy link
Contributor Author

@rmannibucau maven plugin 2.7.11 does not use core 8 but 7: maven 2.8 will use code 8, currently available as SNAPSHOT only

@rmannibucau
Copy link

Thanks @hboutemy , I can confirm there is no more warning with the snapshot.
Any release date?

@hboutemy
Copy link
Contributor Author

it should come soon, a few improvements to add before

@garydgregory
Copy link

Is there a status update available please?

@hboutemy
Copy link
Contributor Author

hboutemy commented Nov 5, 2024

just tested with cyclonedx-core-java 9.1.0, still same warning on keywords meta:enum and deprecated

  • symptoms:
git clone https://gitbox.apache.org/repos/asf/commons-cli
cd commons-cli
mvn clean verify -Dcommons.cyclonedx.version=2.9.1-SNAPSHOT -DskipTests

...

[INFO] --- cyclonedx:2.9.1-SNAPSHOT:makeAggregateBom (build-sbom-cyclonedx) @ commons-cli ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.6 with 0 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /Users/hboutemy/dev/git/commons-cli/target/commons-cli-1.10.0-SNAPSHOT-bom.xml
[INFO]            attaching as commons-cli-1.10.0-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /Users/hboutemy/dev/git/commons-cli/target/commons-cli-1.10.0-SNAPSHOT-bom.json
[WARNING] Unknown keyword meta:enum - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword or if it should generate annotations AnnotationKeyword
[WARNING] Unknown keyword deprecated - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword or if it should generate annotations AnnotationKeyword
[INFO]            attaching as commons-cli-1.10.0-SNAPSHOT-cyclonedx.json

I still don't get how to improve cyclonedx-core-java:
I find 12 deprecated and 32 meta:enum in https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/bom-1.6.schema.json

should this schema be updated? should the code be updated to not warn on such case? how?
guidance appreciated

@stevespringett
Copy link
Member

meta:enum is a workaround for limitations in JSON schema. It is supported by Adobe and many other third-party tools, however, it is not part of JSON Schema. There is a possibility that other meta:* may be used in future versions of the specification. IMO, you may want to suppress these warnings that are known and will not be removed from the specification.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

7 participants