Broken test data in valid-service-1.x.json

[tokcum]

Hi,

working on cyclonedx-rust-cargo to support 1.4 I'm experiencing failed integration tests when verifying against valid-service-1.4.json while valid-service-1.4.xml just works.

The error tells me that a dependency references a bom which is not available in the file. Comparing the JSON to the XML file, I found that in JSON, the bom-ref is different. Setting the bom-ref to the value referenced in ref (like it is in XML), the test works fine.

"components": [
    {
      "bom-ref": "pkg:npm/acme/[email protected]",
      [...]

"dependencies": [
    {
      "ref": "pkg:maven/com.acme/[email protected]",

In XML it looks like this:

<components>
        <component type="library" bom-ref="pkg:maven/com.acme/[email protected]">
        [...]

<dependencies>
        <dependency ref="pkg:maven/com.acme/[email protected]">

It looks like this derivation existed from the very beginning of the test data. So, maybe I'm missing something or the implementation in cyclonedx-rust-cargo is stricter than other projects using the spec's test data.

I've prepared a fix in my own fork. If my analysis above is correct, let me know. I will create a pull request. Thanks.

[jkowalleck]

Thank you very much for the report, @tokcum .

I've prepared a fix in my own fork. If my analysis above is correct, let me know. I will create a pull request. Thanks.

Could you link the fixed version you used?
Or even provide a pullrequest wit the fix that worked for you?

Having the diff as a working "expected input" would help analyze the issue.

[tokcum]

@jkowalleck, great. I've created a PR.

[jkowalleck]

✔️ issue was validated
🏁 issue was fixed via #295
🏁 fix was forward-ported to v1.6 via #297