┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Defect Number ┃ Defects Same Cwe ┃ Defects Same Location ┃ Defects Same Location Same Cwe ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 2 │ ~0.0 │ 0 │ 0 │
└───────────────┴──────────────────┴───────────────────────┴────────────────────────────────┘
┏━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Location ┃ SAST ┃ CWE ┃ Message ┃
┡━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 78 │ SpotBugs │ CWE-611 │ XML schema processing vulnerable to XXE │
├──────────┼──────────┼─────────┼─────────────────────────────────────────┤
│ 94 │ SpotBugs │ CWE-611 │ XML schema processing vulnerable to XXE │
└──────────┴──────────┴─────────┴─────────────────────────────────────────┘
1 /*
2 * This file is part of CycloneDX Core (Java).
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) Steve Springett. All Rights Reserved.
17 */
18 package org.cyclonedx;
19
import java.io.IOException;
import java.io.InputStream;

import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;

import org.xml.sax.SAXException;
26
27 /**
28 * CycloneDxSchema is a base class that provides schema information to
29 * {@link BomGenerator10} and {@link BomParser}. The class can be extended
30 * for other implementations as well.
31 * @since 1.1.0
32 */
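public abstract class CycloneDxSchema {

    public static final String NS_BOM_10 = "http://cyclonedx.org/schema/bom/1.0";
    public static final String NS_BOM_11 = "http://cyclonedx.org/schema/bom/1.1";
    public static final String NS_BOM_LATEST = NS_BOM_11;

    /**
     * Supported CycloneDX BOM schema versions, each bound to its XML namespace URI.
     */
    public enum Version {
        VERSION_10(CycloneDxSchema.NS_BOM_10),
        VERSION_11(CycloneDxSchema.NS_BOM_11);

        private final String namespace;

        Version(String namespace) {
            this.namespace = namespace;
        }

        /**
         * Returns the XML namespace URI bound to this schema version.
         * @return the namespace URI
         */
        public String getNamespace() {
            return this.namespace;
        }
    }

    /**
     * Returns the CycloneDX XML Schema for the specified schema version.
     * @param schemaVersion The version to return the schema for; any value other than
     *                      {@link Version#VERSION_10} (including {@code null}) selects the 1.1 schema
     * @return a Schema
     * @throws SAXException if a bundled XSD is missing from the classpath, cannot be parsed,
     *                      or the factory refuses the hardening properties
     * @since 2.0.0
     */
    public Schema getXmlSchema(CycloneDxSchema.Version schemaVersion) throws SAXException {
        if (CycloneDxSchema.Version.VERSION_10 == schemaVersion) {
            return getXmlSchema10();
        } else {
            return getXmlSchema11();
        }
    }

    /**
     * Returns the CycloneDX 1.0 XML Schema from the specifications XSD.
     * @return a Schema
     * @throws SAXException a SAXException
     * @since 1.1.0
     */
    private Schema getXmlSchema10() throws SAXException {
        return newLocalSchema("spdx.xsd", "bom-1.0.xsd");
    }

    /**
     * Returns the CycloneDX 1.1 XML Schema from the specifications XSD.
     * @return a Schema
     * @throws SAXException a SAXException
     * @since 2.0.0
     */
    private Schema getXmlSchema11() throws SAXException {
        return newLocalSchema("spdx.xsd", "bom-1.1.xsd");
    }

    /**
     * Builds a Schema from XSD files bundled on the classpath. Local copies are used rather
     * than resolving from the net: it is faster and less prone to errors. The factory is
     * configured so that no DTD or schema referenced from inside an XSD is fetched from an
     * external location (CWE-611 / XXE hardening).
     * @param resourceNames classpath names of the XSDs, in load order (imports first)
     * @return a Schema built from all of the given XSDs
     * @throws SAXException if a resource is missing, cannot be parsed, or the factory does not
     *                      support the external-access restrictions
     */
    private Schema newLocalSchema(String... resourceNames) throws SAXException {
        final SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // The XSDs are trusted local copies, but without these properties the factory would
        // follow any schemaLocation or DTD reference to the network or filesystem. An empty
        // protocol list means "no external access". Refusal surfaces as a SAXException (fail closed).
        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        final InputStream[] streams = new InputStream[resourceNames.length];
        try {
            final Source[] schemaFiles = new Source[resourceNames.length];
            for (int i = 0; i < resourceNames.length; i++) {
                streams[i] = openResource(resourceNames[i]);
                schemaFiles[i] = new StreamSource(streams[i]);
            }
            return schemaFactory.newSchema(schemaFiles);
        } finally {
            // newSchema() is synchronous, so the streams are no longer needed once it returns
            // (or throws); closing is best effort and a double close is harmless.
            for (InputStream in : streams) {
                if (in != null) {
                    try {
                        in.close();
                    } catch (IOException ignored) {
                        // nothing useful can be done if a classpath stream fails to close
                    }
                }
            }
        }
    }

    /**
     * Opens a bundled XSD from the classpath.
     * @param name the classpath resource name
     * @return an open stream for the resource (caller closes)
     * @throws SAXException if the resource is not on the classpath; reported here rather than as
     *                      an opaque failure from the schema factory
     */
    private InputStream openResource(String name) throws SAXException {
        final InputStream in = this.getClass().getClassLoader().getResourceAsStream(name);
        if (in == null) {
            throw new SAXException("CycloneDX schema resource not found on the classpath: " + name);
        }
        return in;
    }
}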
97
^