Skip to content

feat(material): enable no strict validation for cyclonedx sbom #2722

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Piskoo merged 6 commits into from
Feb 10, 2026
Merged

feat(material): enable no strict validation for cyclonedx sbom #2722

Piskoo merged 6 commits into from
Feb 10, 2026
+156 −13

Conversation

@Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Feb 10, 2026
edited
Loading

Summary

  • Added --no-strict-validation flag to attestation add command to allow bypassing JSON schema validation for CycloneDX SBOMs
  • Added minimal type detection using the three required top-level CycloneDX fields (bomFormat, specVersion, version) per the CycloneDX spec
  • When flag is enabled, schema validation errors are logged as warnings instead of failing. The file still gets uploaded, if minimal type detection was passed kind will be auto-detected
$ chainloop att add --value sbom.json --kind SBOM_CYCLONEDX_JSON --name sbom --no-strict-validation
WRN error decoding file, strict validation disabled, continuing error="jsonschema:  ...
INF uploading sbom.json - sha256:3dd44aa6515568349d73204c38dad0f4113c95234af2f5fe84c8eeed952262f8
INF material added to attestation
┌─────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Name        │ sbom                                                                    │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Type        │ SBOM_CYCLONEDX_JSON                                                     │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
...

Closes #2723

@Piskoo
introduce no strict validation
c4e7cc4 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
lint
a1676f3 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
rename param; change flag desc
5c2a47e 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo changed the title feat(material): enable no strict validation for cdx sbom feat(material): enable no strict validation for cyclonedx sbom Feb 10, 2026
@Piskoo Piskoo marked this pull request as ready for review February 10, 2026 12:35
migmartri
migmartri reviewed Feb 10, 2026
View reviewed changes
@Piskoo
update flag desc
8a9bc2c 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
change flag desc
380c031 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo requested a review from migmartri February 10, 2026 13:09
migmartri
migmartri reviewed Feb 10, 2026
View reviewed changes
@Piskoo
log hint when schema validation fails
d818883 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo requested a review from migmartri February 10, 2026 13:47
migmartri
migmartri approved these changes Feb 10, 2026
View reviewed changes
@Piskoo Piskoo merged commit a685d02 into chainloop-dev:main Feb 10, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add option to skip schema validation for CycloneDX SBOMs

2 participants

@Piskoo @migmartri