Description
What steps did you take and what happened:

- Obtain an sbomreport with `kubectl get -n dtrack sbomreports.aquasecurity.github.io statefulset-7c47f7df86 -o=jsonpath='{.report.components}' > mysbom.json.cdx` (this is a scan of dependencytrack/apiserver:4.13.3).
- Try to upload it to Dependency-Track. Here I get an error for some SBOMs, that they are invalid.

This seems to happen because some components inside the SBOM have the following licenses field (here shown in YAML for better readability):

```yaml
- expression: GPL-3.0-or-later WITH texinfo-exception
  license: {}
```

This is invalid, as the licenses can either contain an SPDX License Expression or a license object. Here is an example of two valid licenses:

```yaml
- license:
    id: GPL-2.0-or-later
- license:
    name: MIT-US-export
```

You can find the related CycloneDX spec here: https://cyclonedx.org/docs/1.6/json/#components_items_licenses
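As an added example (not code from this issue or from trivy-operator), a check that can be run on the exported `.report.components` array before uploading it: it flags license entries that do not match the CycloneDX shape described above and repairs the one unambiguous case (an SPDX expression next to an empty `license: {}`). The sample components are constructed for the example.

```python
import copy
import json

# Constructed sample shaped like the `.report.components` array that
# `kubectl get sbomreports ... -o=jsonpath='{.report.components}'` prints (not a real report).
SAMPLE_COMPONENTS = json.loads("""[
  {"name": "texinfo", "version": "7.1", "licenses": [
    {"expression": "GPL-3.0-or-later WITH texinfo-exception", "license": {}}]},
  {"name": "zlib", "version": "1.3", "licenses": [
    {"license": {"id": "GPL-2.0-or-later"}}, {"license": {"name": "MIT-US-export"}}]},
  {"name": "broken", "version": "1.0", "licenses": [{}]}
]""")

def license_entry_problems(entry):
    """Problems with one element of a component's `licenses` array. CycloneDX 1.6 accepts
    an element only as exactly one of {"expression": "<SPDX expr>"} or {"license": {"id"|"name": ...}}."""
    problems = []
    has_expr, has_lic = "expression" in entry, "license" in entry
    if has_expr and has_lic:
        problems.append("both 'expression' and 'license' present")
    elif not (has_expr or has_lic):
        problems.append("neither 'expression' nor 'license' present")
    if has_expr and not isinstance(entry["expression"], str):
        problems.append("'expression' is not a string")
    if has_lic and not (isinstance(entry["license"], dict)
                        and {"id", "name"} & set(entry["license"])):
        problems.append("'license' object lacks 'id' or 'name'")
    return problems

def find_invalid_licenses(components):
    """Map 'name@version' -> problems, for every component whose licenses would be rejected."""
    findings = {}
    for comp in components:
        key = f"{comp.get('name')}@{comp.get('version')}"
        for entry in comp.get("licenses", []):
            findings.setdefault(key, []).extend(license_entry_problems(entry))
    return {k: v for k, v in findings.items() if v}

def repair_licenses(components):
    """Copy of `components` with only the unambiguous case from this issue fixed: an SPDX
    expression next to an empty `license: {}` keeps just the expression. Other problems are
    left for a human to decide."""
    fixed = copy.deepcopy(components)
    for comp in fixed:
        for entry in comp.get("licenses", []):
            if "expression" in entry and entry.get("license") == {}:
                del entry["license"]
    return fixed
```

To use it on a real export, pass `json.load(open("mysbom.json.cdx"))` to `find_invalid_licenses` and, if only the empty-`license` case shows up, write `repair_licenses(...)` back out before uploading.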
What did you expect to happen:
I expect to find a valid CycloneDX under `.report.components` which either uses the license object or an SPDX License Expression for the licenses field under components (starting from the CycloneDX file, not the CRD, `.components.licenses`).
Anything else you would like to add:
I think that the CRD should be modified to use oneOf, see the following patch:
@@ -1,4 +1,3 @@
----
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
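Review bot: This hunk removes the leading `---` document marker at the top of the CRD, which is unrelated to the licenses schema; leave the marker in place so the patch stays limited to the validation fix.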
@@ -127,6 +126,11 @@ spec:
type: string
type: object
type: object
+ oneOf:
+ - properties:
+ required: ["expression"]
+ - properties:
+ required: ["license"]
type: array
name:
type: string
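Review bot: In the added `oneOf` branches, `properties:` is either empty or (if `required` is indented under it) misused; in JSON Schema `required` sits beside `properties`, not inside it, and an empty `properties` entry expresses nothing. Each branch can simply read `- required: ["expression"]` and `- required: ["license"]`. Also note that this only makes the CRD reject the bad shape; as the description says, the operator then fails to create the affected reports, so the code that emits `license: {}` next to `expression` needs fixing as well.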
@@ -210,6 +214,11 @@ spec:
type: string
type: object
type: object
+ oneOf:
+ - properties:
+ required: ["expression"]
+ - properties:
+ required: ["license"]
type: array
name:
type: string
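Review bot: Same correction as in the previous hunk: drop the empty `properties:` and write the branches as `- required: ["expression"]` / `- required: ["license"]`, so the copies of the licenses item schema stay identical.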
@@ -284,6 +293,11 @@ spec:
type: string
type: object
type: object
+ oneOf:
+ - properties:
+ required: ["expression"]
+ - properties:
+ required: ["license"]
type: array
name:
type: string

When applying this, the operator will fail to create the affected sboms, as they're not compliant with the CRD anymore.
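Review bot: Same correction as in the two hunks above applies to this third copy. With three identical blocks in one CRD it is easy for one site to drift; if this item schema is generated, fix the generator's source rather than editing the three sites by hand.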
This could probably, although I'm not sure, affect the clustersbomreports too.
Interestingly, this doesn't seem to happen with `trivy image -f cyclonedx`.
Environment:

- Trivy-Operator version (use `trivy-operator version`): `"buildInfo":{"Version":"0.28.0","Commit":"c4d544125354c5a5c0d1403ae5fe44380b7d979d","Date":"2025-08-06T05:09:32Z","Executable":""}`
- Kubernetes version (use `kubectl version`): Server Version: v1.30.5