XML serialization of components with authors results in invalid CycloneDX SBOM

[MarcelBochtler]

When using cyclonedx-core-java to write a CycloneDX SBOM as an XML, the resulting SBOM is invalid.

Expected:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <author>
          <name>Panayiotis P</name>
        </author>
      </authors>
    </component>
  </components>

Actual:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <authors>
          <name>Panayiotis P</name>
        </authors>
      </authors>
    </component>
  </components>

Note the plural of authors in the nested tag.

The spec, and also the cyclonedx-cli show that the nested block should be author instead of authors.

We discovered this when generating CycloneDX reports using ORT, which uses cyclonedx-core-java.
In ORT I wrote a test to reproduce this issue: oss-review-toolkit/ort#10271.

[sschuberth]

Any clue what's going wrong here, @mr-zepol?

[mr-zepol]

Any clue what's going wrong here, @mr-zepol?

I would take a look at this

[mr-zepol]

Any clue what's going wrong here, @mr-zepol?

I think I found the reason, it's because in the spec for previous reasons we have author as a single object String, and with 1.6 authors (now a list) was introduced and the serializer gets confused.

I will see if there's an easy way to fix this keeping backwards compatibility.

[mnonnenmacher]

@mr-zepol Did you have a chance to take a look?

[MarcelBochtler]

@mr-zepol Do you have an update?

[sschuberth]

Just to note this has not been fixed with CycloneDX 11.0.0.

[btzdnl]

This also breaks deserialization, if I understand this error correctly:

Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.OrganizationalContact>` from Object value (token `JsonToken.START_OBJECT`)
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[0]->org.cyclonedx.model.Component["components"]->java.lang.Object[][0]->org.cyclonedx.model.Component["authors"])

(This is a merge between two SBOMs, hence the nesting)

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:94ff6da4-46b7-476f-af5f-24221cc8a1f2" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
  <metadata><!-- ... --></metadata>
  <components>
    <component type="application" bom-ref="Backend@0.0.0:TheApplication@0.0.0">
      <name>Backend</name>
      <version>0.0.0</version>
      <components>
        <component type="library" bom-ref="Backend@0.0.0:pkg:nuget/CsvHelper@33.1.0">
          <authors>
            <author>
              <name>Josh Close</name>
            </author>
          </authors>
          <name>CsvHelper</name>
          <!-- ... -->
        </component>
        <!-- ... -->
      </components>
    </component>
    <!-- ... -->
  </components>
</bom>

It works with an unmerged SBOM for whatever reason.