fix: allow valid cyclonedx input with no components (#1873)

fix: allow valid cyclonedx input with no components --------- Signed-off-by: James Neate <jamesmneate@gmail.com> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
anchore · Jul 11, 2023 · 5a7c200 · 5a7c200
1 parent 72616db
commit 5a7c200
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/syft/formats/common/cyclonedxhelpers/decoder.go b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -3,6 +3,7 @@ package cyclonedxhelpers
 import (
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/CycloneDX/cyclonedx-go"
 
@@ -15,15 +16,18 @@ import (
 	"github.com/anchore/syft/syft/source"
 )
 
+const cycloneDXXmlSchema = "http://cyclonedx.org/schema/bom"
+
 func GetValidator(format cyclonedx.BOMFileFormat) sbom.Validator {
 	return func(reader io.Reader) error {
 		bom := &cyclonedx.BOM{}
 		err := cyclonedx.NewBOMDecoder(reader, format).Decode(bom)
 		if err != nil {
 			return err
 		}
-		// random JSON does not necessarily cause an error (e.g. SPDX)
-		if (cyclonedx.BOM{} == *bom || bom.Components == nil) {
+
+		xmlWithoutNS := format == cyclonedx.BOMFileFormatXML && !strings.Contains(bom.XMLNS, cycloneDXXmlSchema)
+		if (cyclonedx.BOM{} == *bom || bom.Components == nil || xmlWithoutNS) {
 			return fmt.Errorf("not a valid CycloneDX document")
 		}
 		return nil