
Documentation for custom.json #107

Open
ghost opened this issue Aug 1, 2024 · 4 comments
Labels: documentation (Improvements or additions to documentation), question (Further information is requested)

Comments

ghost commented Aug 1, 2024

Is there a documentation for making a custom.json?

mrutkows (Contributor) commented Aug 1, 2024

Hi @macariem, I decided to rethink the experimental "custom" validation in favor of a (future) implementation of OWASP Software Component Verification Standard (SCVS) and its planned "maturity model profiles" (see https://scvs.owasp.org/ and profile example: https://scvs.owasp.org/bom-maturity-model/profiles/examples/ntia-minimum-elements/).

In truth, what I coded was based upon rules for SBOM construction/contents we set within my company, IBM, which I was not sure extended as a general rule to everyone. In fact, we can achieve most of IBM's needs with the utility using a custom JSON schema along with the new "patch" command to test for required values.

The custom validation functionality is still in the code, but I removed any draft docs hoping to revisit it for a near-future release. I would welcome hearing of what custom validation (use cases) you may have so that I can factor them in future plans (and test for them when I get around to coding).

Thanks for the issue and I truly welcome any dialog on the topic :)

@mrutkows mrutkows self-assigned this Aug 1, 2024
@mrutkows mrutkows added the documentation Improvements or additions to documentation label Aug 1, 2024
ghost (Author) commented Aug 1, 2024

I want to perform extra validation as follows:

  • Add extra required fields in the validation
  • Add extra required fields depending on an if-condition. E.g.: Make supplier and description fields mandatory if the license is a proprietary one from our company

mrutkows (Contributor) commented Aug 2, 2024

@macariem Thanks for sharing your use cases. Just wanted to share some initial thoughts on them...

Add extra required fields in the validation

Yes, this is common and one I have... in order to accomplish this, I create a custom JSON schema (variant) file based upon the base CycloneDX schema file and add it to sbom-utility (see https://github.com/CycloneDX/sbom-utility?tab=readme-ov-file#example-validate-using-custom-schema-variants). It can be referenced using the --variant flag on validate and added to config.json as described here: https://github.com/CycloneDX/sbom-utility?tab=readme-ov-file#adding-new-sbom-formats-schema-versions-and-variants (edit the sample config.json from this repo).

Add extra required fields depending on an if-condition.

The addition of conditional logic would be very valuable indeed. However, JSON schema (or even XML schema) cannot easily accomplish this for various reasons (e.g., array entries are allowed to not be unique/no unique keys and ordering not guaranteed)... The aforementioned OWASP SCVS standard (which addresses maturity/policy) MAY be able to eventually handle such use cases. In any event, the "custom" validation code never was able to support conditional logic (since it is not supported in JSON schema).

mrutkows (Contributor) commented Nov 8, 2024

I want to perform extra validation as follows:
* Add extra required fields in the validation

Have you tried the --force flag where you can supply your own JSON schema with whatever extra requirements you can define using JSON schema? Should have thought of this as perhaps a partial solution for you (now that I just added remote URI support for loading remote JSON schema).
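A constructed variant schema that implements both use cases listed above, added here as an example; it is not code from sbom-utility or CycloneDX. It is a standalone draft-07 schema rather than an edit of the full CycloneDX bom schema, so only the keywords that matter appear, and the `$id`, the extra `version` requirement and the `EXAMPLE-Proprietary` license name are placeholders. The second use case uses draft-07 `if`/`then` inside `items`, which covers a condition on one component's own fields; the ordering and uniqueness caveat raised earlier in the thread still applies to conditions that span several components.

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://example.invalid/schema/bom-custom-variant.schema.json",
  "$comment": "Constructed standalone example, not the CycloneDX schema. For real use, merge these keywords into the 'component' definition of a copy of the base bom schema.",
  "type": "object",
  "required": ["bomFormat", "specVersion", "components"],
  "properties": {
    "bomFormat": { "const": "CycloneDX" },
    "specVersion": { "type": "string" },
    "components": {
      "type": "array",
      "items": {
        "type": "object",
        "$comment": "Use case 1: CycloneDX itself requires only 'type' and 'name'; 'version' is added here as an extra required field.",
        "required": ["type", "name", "version"],
        "properties": {
          "type": { "type": "string" },
          "name": { "type": "string", "minLength": 1 },
          "version": { "type": "string", "minLength": 1 },
          "description": { "type": "string", "minLength": 1 },
          "supplier": {
            "type": "object",
            "required": ["name"],
            "properties": { "name": { "type": "string", "minLength": 1 } }
          }
        },
        "if": {
          "$comment": "Use case 2: the condition tests this component's own license list. 'EXAMPLE-Proprietary' is a placeholder license name.",
          "required": ["licenses"],
          "properties": {
            "licenses": {
              "contains": {
                "required": ["license"],
                "properties": {
                  "license": {
                    "required": ["name"],
                    "properties": { "name": { "pattern": "^EXAMPLE-Proprietary" } }
                  }
                }
              }
            }
          }
        },
        "then": { "required": ["supplier", "description"] }
      }
    }
  }
}
```

Supplied through the --force flag or registered as a variant in config.json as described in the thread, this schema rejects a component that has no version, and a component carrying the placeholder proprietary license that lacks a supplier name or a description.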

@mrutkows mrutkows added the question Further information is requested label Nov 8, 2024