Cyclonedx SBOM files do not pass cyclonedx cli validate command when SMAIL-GPL included as licenses

Diamantis_Sellis · September 5, 2025, 7:44am

I am using syft version 1.32.0 to scan docker images but the resulting files do not pass validation by dependency-tracker nor by the cyclonedx-cli, so I can’t really use them, e.g. :

$> syft scan docker:nginx -o cyclonedx-json >sbom.json
$>  cyclonedx validate --input-file temp.json          
Validation failed:
Expected 1 matching subschema but found 0
http://cyclonedx.org/schema/bom-1.6.schema.json#/definitions/licenseChoice
On instance: /components/12/licenses:
[{"license":{"id":"GPL-2.0-only"}},{"license":{"id":"GPL-2.0-or-later"}},{"license":{"id":"SMAIL-GPL"}},{"license":{"name":"public-domain"}}]
Value should have at most 1 items
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1
[...]
Unable to validate against any JSON schemas.
BOM is not valid.

From what I understand I would need to modify the sbom file after generation to fix the license issues in a post process step, but I was wondering if there is a simpler solution around this problem?

willmurphy · September 5, 2025, 5:21pm

Hi @Diamantis_Sellis,

It looks to me like maybe there are some SPDX expressions Syft uses that CycloneDX doesn’t accept.

Here’s a one line repro script that might help people investigating in the future:

syft -o cyclonedx-json docker:nginx:latest | docker run -i --platform linux/amd64 cyclonedx/cyclonedx-cli:latest validate --input-format json

Based on the complaints, it looks to me like there are several ways of representing licenses in CycloneDX JSON, and Syft doesn’t seem always to choose the right one: CycloneDX v1.6 JSON Reference

We’ll take a look. Thanks for the report!

spiffcs · September 5, 2025, 5:38pm

@Diamantis_Sellis

I think cyclonedx and dependency-tracker need to roll forward in their schema validation here.

If you remove this item from the license list then the document becomes “valid” (note I think it’s insane that you should have to remove this item for a valid document but that’s besides the point). You can also change “id“ → “name“ for SMAIL-GPL and see a valid document as well (also insane).

    {
      "license": {
        "id": "SMAIL-GPL"
      }
    },

After removing the `SMAIL-GPL` licenses from .components[12] or changing id → name the tool runs “successfully“

cat test.json | docker run -i --platform linux/amd64 cyclonedx/cyclonedx-cli:latest validate --input-format json
BOM validated successfully.

This is a valid spdx license ID. See list below and ctrl-f “SMAIL-GPL“

Syft generates documents with licenses that are valid SPDX ID. The only way for that “id“: “<SPDX-ID>“field to be populated is if it comes from here which we generate from the spdx license list.

github.com/anchore/syft

internal/spdxlicense/license_list.go

main

// Code generated by go generate; DO NOT EDIT.
// This file was generated by robots at 2025-08-12 14:01:18.565303 -0400 EDT m=+0.306214043
// using data from https://spdx.org/licenses/licenses.json
package spdxlicense

const Version = "3.27.0"

var licenseIDs = map[string]string{
	"0bsd":                                  "0BSD",
	"3.0.0dslicer1.0":                       "3D-Slicer-1.0",
	"3.0dslicer1.0":                         "3D-Slicer-1.0",
	"3dslicer1.0":                           "3D-Slicer-1.0",
	"aal":                                   "AAL",
	"abstyles":                              "Abstyles",
	"adacoredoc":                            "AdaCore-doc",
	"adobe2006":                             "Adobe-2006",
	"adobe2006.0":                           "Adobe-2006",
	"adobe2006.0.0":                         "Adobe-2006",
	"adobedisplaypostscript":                "Adobe-Display-PostScript",
	"adobeglyph":                            "Adobe-Glyph",

This file has been truncated. show original

Cyclone-DX and dependency track need to make sure their enums for validation ALSO are tracking valid IDs and keeping up to date with the spdx licenses list above.

Their validation output is very confusing and non intuitive, but basically you need to start from the bottom, “fix“ that suggestion, and see if the other logs above it were noise caused by the initial validation error.

On instance: /components/12/licenses/2/license:
{"id":"SMAIL-GPL"}
Value should match one of the values specified by the enum
http://cyclonedx.org/schema/spdx.schema.json
On instance: /components/12/licenses/2/license/id:
SMAIL-GPL
Unable to validate against any JSON schemas.
BOM is not valid.

Their current schema includes this as a valid ID so I’m not sure why their validation tooling or dependency track are out of sync with these enums:

https://cyclonedx.org/schema/spdx.xsd

I’m actually very confused here since: https://cyclonedx.org/schema/spdx.schema.json includes the correct ID, but the validator tooling says the below error, which is triggering the “invalid“ state.

I’ve filed an issue with their CLI team. I think someone should also file one with dependency track as well.

{“id”:“SMAIL-GPL”}
Value should match one of the values specified by the enum (see above link)
On instance: /components/12/licenses/2/license/id:
SMAIL-GPL
Unable to validate against any JSON schemas.
BOM is not valid.

If I have some time later I’ll dig into the validator code on the cyclonedx cli side and see why it’s not resolving the latest SPDX list they have at runtime and where it’s getting the outdated data from.

spiffcs · September 5, 2025, 6:11pm

See my above comment - I followed up with their validator tool here:

github.com/CycloneDX/cyclonedx-cli

bug: SMAIL-GPL causing validate to fail

opened 06:11PM - 05 Sep 25 UTC

spiffcs

👋 Sorry if this is being handled in another thread. I tried to find all coverage… of current licenses issues and didn't see this one. ### Reproduction You might need to modify the platform flag for your local on the below: ``` syft -o cyclonedx-json docker:nginx:latest | docker run -i --platform linux/amd64 cyclonedx/cyclonedx-cli:latest validate --input-format json On instance: /components/12/licenses/2/license: {"id":"SMAIL-GPL"} Value should match one of the values specified by the enum http://cyclonedx.org/schema/spdx.schema.json On instance: /components/12/licenses/2/license/id: SMAIL-GPL Unable to validate against any JSON schemas. BOM is not valid. ``` After removing the SMAIL-GPL License from the SBOM in component[12]: ``` cat new.json | docker run -i --platform linux/amd64 cyclonedx/cyclonedx-cli:latest validate --input-format json BOM validated successfully. ``` I'm not sure which version of `http://cyclonedx.org/schema/spdx.schema.json` the validator is pulling from since I do see `SMAIL-GPL` included there. If this is fixed by doing a new release then no harm no foul I'll close the issue when the new release comes out 😄 Also. I did notice how this issue then caused a TON of noise above it. Here is the full output of the error: ``` On instance: /components/12/licenses: [{"license":{"id":"GPL-2.0-only"}},{"license":{"id":"GPL-2.0-or-later"}},{"license":{"id":"SMAIL-GPL"}},{"license":{"name":"public-domain"}}] Value should have at most 1 items http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1 On instance: /components/12/licenses: [{"license":{"id":"GPL-2.0-only"}},{"license":{"id":"GPL-2.0-or-later"}},{"license":{"id":"SMAIL-GPL"}},{"license":{"name":"public-domain"}}] Required properties ["expression"] are not present http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/items/0 On instance: /components/12/licenses/0: {"license":{"id":"GPL-2.0-only"}} All values fail against the false schema http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/additionalItems On instance: /components/12/licenses/1: {"license":{"id":"GPL-2.0-or-later"}} All values fail against the false schema http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/additionalItems On instance: /components/12/licenses/2: {"license":{"id":"SMAIL-GPL"}} All values fail against the false schema http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/additionalItems On instance: /components/12/licenses/3: {"license":{"name":"public-domain"}} All values fail against the false schema http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/items/0/additionalProperties On instance: /components/12/licenses/0/license: {"id":"GPL-2.0-only"} Required properties ["name"] are not present http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1 On instance: /components/12/licenses/2/license: {"id":"SMAIL-GPL"} Value should match one of the values specified by the enum http://cyclonedx.org/schema/spdx.schema.json On instance: /components/12/licenses/2/license/id: SMAIL-GPL Unable to validate against any JSON schemas. BOM is not valid. ``` The logic basically keys on SMAIL-GPL not being a valid spdx-id, and then because of that it invalidates all other entries as failing against the schema for one reason or another ☹️ --- I think there might be some ways to clean this up, but defer to the maintainers here on what they think the best presentation of errors like this should be.

spiffcs · September 5, 2025, 6:48pm

Validation fails on valid SBOMs because of license fields

opened 11:40AM - 02 Sep 25 UTC

elastic-pangolin

defect in triage

### Current Behavior Dependency-Track stopped accepting SBOMs for some of my co…ntainers created with trivy and syft, I imaginge the same errors occur for other cycloneDX-compliant SBOM tools. The minimal example SBOMs that cause these errors are: **for trivy** [fail-sbom-trivy.json](https://github.com/user-attachments/files/22093190/fail-sbom-trivy.json) (line 249: using the CycloneDX-compliant field "expression", which contains a SPDX license expression as a string, doc here: https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf page 42) **for syft:** [fail-sbom-syft.json](https://github.com/user-attachments/files/22093109/fail-sbom-syft.json) (line 46: using a license ID that is listed in https://spdx.github.io/license-list-data/, but is missing from internal dtrack sources, aparently) ### Steps to Reproduce 1.Upload any of the two BOMs show to dtrack 4.12.2 or later 2. Receive errors: (trivy expression) `{"status":400,"title":"The uploaded BOM is invalid","detail":"Schema validation failed","errors":["$.components[0].licenses: must be valid to one and only one schema, but 0 are valid","$.components[0].licenses[11]: required property 'license' not found","$.components[0].licenses[11]: property 'expression' is not defined in the schema and the schema does not allow additional properties","$.components[0].licenses: must have at most 1 items but found 17","$.components[0].licenses[0]: property 'license' is not defined in the schema and the schema does not allow additional properties","$.components[0].licenses[0]: required property 'expression' not found","$.components[0].licenses: index '1' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '2' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '3' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '4' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '5' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '6' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '7' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '8' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '9' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '10' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '11' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '12' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '13' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '14' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '15' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '16' is not defined in the schema and the schema does not allow additional items"]}` (syft unknown ID) `{"status":400,"title":"The uploaded BOM is invalid","detail":"Schema validation failed","errors":["$.components[0].licenses: must be valid to one and only one schema, but 0 are valid","$.components[0].licenses[2].license.id: does not have a value in the enumeration [\"0BSD\", \"3D-Slicer-1.0\", \"AAL\", \"Abstyles\", \"AdaCore-doc\", \"Adobe-2006\", \"Adobe-Display-PostScript\", \"Adobe-Glyph\", \"Adobe-Utopia\", \"ADSL\", \"AFL-1.1\", \"AFL-1.2\", \"AFL-2.0\", \"AFL-2.1\", \"AFL-3.0\", \"Afmparse\", \"AGPL-1.0\", \"AGPL-1.0-only\", \"AGPL-1.0-or-later\", \"AGPL-3.0\", \"AGPL-3.0-only\", \"AGPL-3.0-or-later\", \"Aladdin\", \"AMD-newlib\", \"AMDPLPA\", \"AML\", \"AML-glslang\", \"AMPAS\", \"ANTLR-PD\", \"ANTLR-PD-fallback\", \"any-OSI\", \"Apache-1.0\", \"Apache-1.1\", \"Apache-2.0\", \"APAFML\", \"APL-1.0\", \"App-s2p\", \"APSL-1.0\", \"APSL-1.1\", \"APSL-1.2\", \"APSL-2.0\", \"Arphic-1999\", \"Artistic-1.0\", \"Artistic-1.0-cl8\", \"Artistic-1.0-Perl\", \"Artistic-2.0\", \"ASWF-Digital-Assets-1.0\", \"ASWF-Digital-Assets-1.1\", \"Baekmuk\", \"Bahyph\", \"Barr\", \"bcrypt-Solar-Designer\", \"Beerware\", \"Bitstream-Charter\", \"Bitstream-Vera\", \"BitTorrent-1.0\", \"BitTorrent-1.1\", \"blessing\", \"BlueOak-1.0.0\", \"Boehm-GC\", \"Borceux\", \"Brian-Gladman-2-Clause\", \"Brian-Gladman-3-Clause\", \"BSD-1-Clause\", \"BSD-2-Clause\", \"BSD-2-Clause-Darwin\", \"BSD-2-Clause-first-lines\", \"BSD-2-Clause-FreeBSD\", \"BSD-2-Clause-NetBSD\", \"BSD-2-Clause-Patent\", \"BSD-2-Clause-Views\", \"BSD-3-Clause\", \"BSD-3-Clause-acpica\", \"BSD-3-Clause-Attribution\", \"BSD-3-Clause-Clear\", \"BSD-3-Clause-flex\", \"BSD-3-Clause-HP\", \"BSD-3-Clause-LBNL\", \"BSD-3-Clause-Modification\", \"BSD-3-Clause-No-Military-License\", \"BSD-3-Clause-No-Nuclear-License\", \"BSD-3-Clause-No-Nuclear-License-2014\", \"BSD-3-Clause-No-Nuclear-Warranty\", \"BSD-3-Clause-Open-MPI\", \"BSD-3-Clause-Sun\", \"BSD-4-Clause\", \"BSD-4-Clause-Shortened\", \"BSD-4-Clause-UC\", \"BSD-4.3RENO\", \"BSD-4.3TAHOE\", \"BSD-Advertising-Acknowledgement\", \"BSD-Attribution-HPND-disclaimer\", \"BSD-Inferno-Nettverk\", \"BSD-Protection\", \"BSD-Source-beginning-file\", \"BSD-Source-Code\", \"BSD-Systemics\", \"BSD-Systemics-W3Works\", \"BSL-1.0\", \"BUSL-1.1\", \"bzip2-1.0.5\", \"bzip2-1.0.6\", \"C-UDA-1.0\", \"CAL-1.0\", \"CAL-1.0-Combined-Work-Exception\", \"Caldera\", \"Caldera-no-preamble\", \"Catharon\", \"CATOSL-1.1\", \"CC-BY-1.0\", \"CC-BY-2.0\", \"CC-BY-2.5\", \"CC-BY-2.5-AU\", \"CC-BY-3.0\", \"CC-BY-3.0-AT\", \"CC-BY-3.0-AU\", \"CC-BY-3.0-DE\", \"CC-BY-3.0-IGO\", \"CC-BY-3.0-NL\", \"CC-BY-3.0-US\", \"CC-BY-4.0\", \"CC-BY-NC-1.0\", \"CC-BY-NC-2.0\", \"CC-BY-NC-2.5\", \"CC-BY-NC-3.0\", \"CC-BY-NC-3.0-DE\", \"CC-BY-NC-4.0\", \"CC-BY-NC-ND-1.0\", \"CC-BY-NC-ND-2.0\", \"CC-BY-NC-ND-2.5\", \"CC-BY-NC-ND-3.0\", \"CC-BY-NC-ND-3.0-DE\", \"CC-BY-NC-ND-3.0-IGO\", \"CC-BY-NC-ND-4.0\", \"CC-BY-NC-SA-1.0\", \"CC-BY-NC-SA-2.0\", \"CC-BY-NC-SA-2.0-DE\", \"CC-BY-NC-SA-2.0-FR\", \"CC-BY-NC-SA-2.0-UK\", \"CC-BY-NC-SA-2.5\", \"CC-BY-NC-SA-3.0\", \"CC-BY-NC-SA-3.0-DE\", \"CC-BY-NC-SA-3.0-IGO\", \"CC-BY-NC-SA-4.0\", \"CC-BY-ND-1.0\", \"CC-BY-ND-2.0\", \"CC-BY-ND-2.5\", \"CC-BY-ND-3.0\", \"CC-BY-ND-3.0-DE\", \"CC-BY-ND-4.0\", \"CC-BY-SA-1.0\", \"CC-BY-SA-2.0\", \"CC-BY-SA-2.0-UK\", \"CC-BY-SA-2.1-JP\", \"CC-BY-SA-2.5\", \"CC-BY-SA-3.0\", \"CC-BY-SA-3.0-AT\", \"CC-BY-SA-3.0-DE\", \"CC-BY-SA-3.0-IGO\", \"CC-BY-SA-4.0\", \"CC-PDDC\", \"CC0-1.0\", \"CDDL-1.0\", \"CDDL-1.1\", \"CDL-1.0\", \"CDLA-Permissive-1.0\", \"CDLA-Permissive-2.0\", \"CDLA-Sharing-1.0\", \"CECILL-1.0\", \"CECILL-1.1\", \"CECILL-2.0\", \"CECILL-2.1\", \"CECILL-B\", \"CECILL-C\", \"CERN-OHL-1.1\", \"CERN-OHL-1.2\", \"CERN-OHL-P-2.0\", \"CERN-OHL-S-2.0\", \"CERN-OHL-W-2.0\", \"CFITSIO\", \"check-cvs\", \"checkmk\", \"ClArtistic\", \"Clips\", \"CMU-Mach\", \"CMU-Mach-nodoc\", \"CNRI-Jython\", \"CNRI-Python\", \"CNRI-Python-GPL-Compatible\", \"COIL-1.0\", \"Community-Spec-1.0\", \"Condor-1.1\", \"copyleft-next-0.3.0\", \"copyleft-next-0.3.1\", \"Cornell-Lossless-JPEG\", \"CPAL-1.0\", \"CPL-1.0\", \"CPOL-1.02\", \"Cronyx\", \"Crossword\", \"CrystalStacker\", \"CUA-OPL-1.0\", \"Cube\", \"curl\", \"cve-tou\", \"D-FSL-1.0\", \"DEC-3-Clause\", \"diffmark\", \"DL-DE-BY-2.0\", \"DL-DE-ZERO-2.0\", \"DOC\", \"Dotseqn\", \"DRL-1.0\", \"DRL-1.1\", \"DSDP\", \"dtoa\", \"dvipdfm\", \"ECL-1.0\", \"ECL-2.0\", \"eCos-2.0\", \"EFL-1.0\", \"EFL-2.0\", \"eGenix\", \"Elastic-2.0\", \"Entessa\", \"EPICS\", \"EPL-1.0\", \"EPL-2.0\", \"ErlPL-1.1\", \"etalab-2.0\", \"EUDatagrid\", \"EUPL-1.0\", \"EUPL-1.1\", \"EUPL-1.2\", \"Eurosym\", \"Fair\", \"FBM\", \"FDK-AAC\", \"Ferguson-Twofish\", \"Frameworx-1.0\", \"FreeBSD-DOC\", \"FreeImage\", \"FSFAP\", \"FSFAP-no-warranty-disclaimer\", \"FSFUL\", \"FSFULLR\", \"FSFULLRWD\", \"FTL\", \"Furuseth\", \"fwlw\", \"GCR-docs\", \"GD\", \"GFDL-1.1\", \"GFDL-1.1-invariants-only\", \"GFDL-1.1-invariants-or-later\", \"GFDL-1.1-no-invariants-only\", \"GFDL-1.1-no-invariants-or-later\", \"GFDL-1.1-only\", \"GFDL-1.1-or-later\", \"GFDL-1.2\", \"GFDL-1.2-invariants-only\", \"GFDL-1.2-invariants-or-later\", \"GFDL-1.2-no-invariants-only\", \"GFDL-1.2-no-invariants-or-later\", \"GFDL-1.2-only\", \"GFDL-1.2-or-later\", \"GFDL-1.3\", \"GFDL-1.3-invariants-only\", \"GFDL-1.3-invariants-or-later\", \"GFDL-1.3-no-invariants-only\", \"GFDL-1.3-no-invariants-or-later\", \"GFDL-1.3-only\", \"GFDL-1.3-or-later\", \"Giftware\", \"GL2PS\", \"Glide\", \"Glulxe\", \"GLWTPL\", \"gnuplot\", \"GPL-1.0\", \"GPL-1.0+\", \"GPL-1.0-only\", \"GPL-1.0-or-later\", \"GPL-2.0\", \"GPL-2.0+\", \"GPL-2.0-only\", \"GPL-2.0-or-later\", \"GPL-2.0-with-autoconf-exception\", \"GPL-2.0-with-bison-exception\", \"GPL-2.0-with-classpath-exception\", \"GPL-2.0-with-font-exception\", \"GPL-2.0-with-GCC-exception\", \"GPL-3.0\", \"GPL-3.0+\", \"GPL-3.0-only\", \"GPL-3.0-or-later\", \"GPL-3.0-with-autoconf-exception\", \"GPL-3.0-with-GCC-exception\", \"Graphics-Gems\", \"gSOAP-1.3b\", \"gtkbook\", \"Gutmann\", \"HaskellReport\", \"hdparm\", \"Hippocratic-2.1\", \"HP-1986\", \"HP-1989\", \"HPND\", \"HPND-DEC\", \"HPND-doc\", \"HPND-doc-sell\", \"HPND-export-US\", \"HPND-export-US-acknowledgement\", \"HPND-export-US-modify\", \"HPND-export2-US\", \"HPND-Fenneberg-Livingston\", \"HPND-INRIA-IMAG\", \"HPND-Intel\", \"HPND-Kevlin-Henney\", \"HPND-Markus-Kuhn\", \"HPND-merchantability-variant\", \"HPND-MIT-disclaimer\", \"HPND-Pbmplus\", \"HPND-sell-MIT-disclaimer-xserver\", \"HPND-sell-regexpr\", \"HPND-sell-variant\", \"HPND-sell-variant-MIT-disclaimer\", \"HPND-sell-variant-MIT-disclaimer-rev\", \"HPND-UC\", \"HPND-UC-export-US\", \"HTMLTIDY\", \"IBM-pibs\", \"ICU\", \"IEC-Code-Components-EULA\", \"IJG\", \"IJG-short\", \"ImageMagick\", \"iMatix\", \"Imlib2\", \"Info-ZIP\", \"Inner-Net-2.0\", \"Intel\", \"Intel-ACPI\", \"Interbase-1.0\", \"IPA\", \"IPL-1.0\", \"ISC\", \"ISC-Veillard\", \"Jam\", \"JasPer-2.0\", \"JPL-image\", \"JPNIC\", \"JSON\", \"Kastrup\", \"Kazlib\", \"Knuth-CTAN\", \"LAL-1.2\", \"LAL-1.3\", \"Latex2e\", \"Latex2e-translated-notice\", \"Leptonica\", \"LGPL-2.0\", \"LGPL-2.0+\", \"LGPL-2.0-only\", \"LGPL-2.0-or-later\", \"LGPL-2.1\", \"LGPL-2.1+\", \"LGPL-2.1-only\", \"LGPL-2.1-or-later\", \"LGPL-3.0\", \"LGPL-3.0+\", \"LGPL-3.0-only\", \"LGPL-3.0-or-later\", \"LGPLLR\", \"Libpng\", \"libpng-2.0\", \"libselinux-1.0\", \"libtiff\", \"libutil-David-Nugent\", \"LiLiQ-P-1.1\", \"LiLiQ-R-1.1\", \"LiLiQ-Rplus-1.1\", \"Linux-man-pages-1-para\", \"Linux-man-pages-copyleft\", \"Linux-man-pages-copyleft-2-para\", \"Linux-man-pages-copyleft-var\", \"Linux-OpenIB\", \"LOOP\", \"LPD-document\", \"LPL-1.0\", \"LPL-1.02\", \"LPPL-1.0\", \"LPPL-1.1\", \"LPPL-1.2\", \"LPPL-1.3a\", \"LPPL-1.3c\", \"lsof\", \"Lucida-Bitmap-Fonts\", \"LZMA-SDK-9.11-to-9.20\", \"LZMA-SDK-9.22\", \"Mackerras-3-Clause\", \"Mackerras-3-Clause-acknowledgment\", \"magaz\", \"mailprio\", \"MakeIndex\", \"Martin-Birgmeier\", \"McPhee-slideshow\", \"metamail\", \"Minpack\", \"MirOS\", \"MIT\", \"MIT-0\", \"MIT-advertising\", \"MIT-CMU\", \"MIT-enna\", \"MIT-feh\", \"MIT-Festival\", \"MIT-Khronos-old\", \"MIT-Modern-Variant\", \"MIT-open-group\", \"MIT-testregex\", \"MIT-Wu\", \"MITNFA\", \"MMIXware\", \"Motosoto\", \"MPEG-SSG\", \"mpi-permissive\", \"mpich2\", \"MPL-1.0\", \"MPL-1.1\", \"MPL-2.0\", \"MPL-2.0-no-copyleft-exception\", \"mplus\", \"MS-LPL\", \"MS-PL\", \"MS-RL\", \"MTLL\", \"MulanPSL-1.0\", \"MulanPSL-2.0\", \"Multics\", \"Mup\", \"NAIST-2003\", \"NASA-1.3\", \"Naumen\", \"NBPL-1.0\", \"NCBI-PD\", \"NCGL-UK-2.0\", \"NCL\", \"NCSA\", \"Net-SNMP\", \"NetCDF\", \"Newsletr\", \"NGPL\", \"NICTA-1.0\", \"NIST-PD\", \"NIST-PD-fallback\", \"NIST-Software\", \"NLOD-1.0\", \"NLOD-2.0\", \"NLPL\", \"Nokia\", \"NOSL\", \"Noweb\", \"NPL-1.0\", \"NPL-1.1\", \"NPOSL-3.0\", \"NRL\", \"NTP\", \"NTP-0\", \"Nunit\", \"O-UDA-1.0\", \"OAR\", \"OCCT-PL\", \"OCLC-2.0\", \"ODbL-1.0\", \"ODC-By-1.0\", \"OFFIS\", \"OFL-1.0\", \"OFL-1.0-no-RFN\", \"OFL-1.0-RFN\", \"OFL-1.1\", \"OFL-1.1-no-RFN\", \"OFL-1.1-RFN\", \"OGC-1.0\", \"OGDL-Taiwan-1.0\", \"OGL-Canada-2.0\", \"OGL-UK-1.0\", \"OGL-UK-2.0\", \"OGL-UK-3.0\", \"OGTSL\", \"OLDAP-1.1\", \"OLDAP-1.2\", \"OLDAP-1.3\", \"OLDAP-1.4\", \"OLDAP-2.0\", \"OLDAP-2.0.1\", \"OLDAP-2.1\", \"OLDAP-2.2\", \"OLDAP-2.2.1\", \"OLDAP-2.2.2\", \"OLDAP-2.3\", \"OLDAP-2.4\", \"OLDAP-2.5\", \"OLDAP-2.6\", \"OLDAP-2.7\", \"OLDAP-2.8\", \"OLFL-1.3\", \"OML\", \"OpenPBS-2.3\", \"OpenSSL\", \"OpenSSL-standalone\", \"OpenVision\", \"OPL-1.0\", \"OPL-UK-3.0\", \"OPUBL-1.0\", \"OSET-PL-2.1\", \"OSL-1.0\", \"OSL-1.1\", \"OSL-2.0\", \"OSL-2.1\", \"OSL-3.0\", \"PADL\", \"Parity-6.0.0\", \"Parity-7.0.0\", \"PDDL-1.0\", \"PHP-3.0\", \"PHP-3.01\", \"Pixar\", \"pkgconf\", \"Plexus\", \"pnmstitch\", \"PolyForm-Noncommercial-1.0.0\", \"PolyForm-Small-Business-1.0.0\", \"PostgreSQL\", \"PPL\", \"PSF-2.0\", \"psfrag\", \"psutils\", \"Python-2.0\", \"Python-2.0.1\", \"python-ldap\", \"Qhull\", \"QPL-1.0\", \"QPL-1.0-INRIA-2004\", \"radvd\", \"Rdisc\", \"RHeCos-1.1\", \"RPL-1.1\", \"RPL-1.5\", \"RPSL-1.0\", \"RSA-MD\", \"RSCPL\", \"Ruby\", \"SAX-PD\", \"SAX-PD-2.0\", \"Saxpath\", \"SCEA\", \"SchemeReport\", \"Sendmail\", \"Sendmail-8.23\", \"SGI-B-1.0\", \"SGI-B-1.1\", \"SGI-B-2.0\", \"SGI-OpenGL\", \"SGP4\", \"SHL-0.5\", \"SHL-0.51\", \"SimPL-2.0\", \"SISSL\", \"SISSL-1.2\", \"SL\", \"Sleepycat\", \"SMLNJ\", \"SMPPL\", \"SNIA\", \"snprintf\", \"softSurfer\", \"Soundex\", \"Spencer-86\", \"Spencer-94\", \"Spencer-99\", \"SPL-1.0\", \"ssh-keyscan\", \"SSH-OpenSSH\", \"SSH-short\", \"SSLeay-standalone\", \"SSPL-1.0\", \"StandardML-NJ\", \"SugarCRM-1.1.3\", \"Sun-PPP\", \"Sun-PPP-2000\", \"SunPro\", \"SWL\", \"swrule\", \"Symlinks\", \"TAPR-OHL-1.0\", \"TCL\", \"TCP-wrappers\", \"TermReadKey\", \"TGPPL-1.0\", \"threeparttable\", \"TMate\", \"TORQUE-1.1\", \"TOSL\", \"TPDL\", \"TPL-1.0\", \"TTWL\", \"TTYP0\", \"TU-Berlin-1.0\", \"TU-Berlin-2.0\", \"UCAR\", \"UCL-1.0\", \"ulem\", \"UMich-Merit\", \"Unicode-3.0\", \"Unicode-DFS-2015\", \"Unicode-DFS-2016\", \"Unicode-TOU\", \"UnixCrypt\", \"Unlicense\", \"UPL-1.0\", \"URT-RLE\", \"Vim\", \"VOSTROM\", \"VSL-1.0\", \"W3C\", \"W3C-19980720\", \"W3C-20150513\", \"w3m\", \"Watcom-1.0\", \"Widget-Workshop\", \"Wsuipa\", \"WTFPL\", \"wxWindows\", \"X11\", \"X11-distribute-modifications-variant\", \"Xdebug-1.03\", \"Xerox\", \"Xfig\", \"XFree86-1.1\", \"xinetd\", \"xkeyboard-config-Zinoviev\", \"xlock\", \"Xnet\", \"xpp\", \"XSkat\", \"xzoom\", \"YPL-1.0\", \"YPL-1.1\", \"Zed\", \"Zeeff\", \"Zend-2.0\", \"Zimbra-1.3\", \"Zimbra-1.4\", \"Zlib\", \"zlib-acknowledgement\", \"ZPL-1.1\", \"ZPL-2.0\", \"ZPL-2.1\", \"389-exception\", \"Asterisk-exception\", \"Asterisk-linking-protocols-exception\", \"Autoconf-exception-2.0\", \"Autoconf-exception-3.0\", \"Autoconf-exception-generic\", \"Autoconf-exception-generic-3.0\", \"Autoconf-exception-macro\", \"Bison-exception-1.24\", \"Bison-exception-2.2\", \"Bootloader-exception\", \"Classpath-exception-2.0\", \"CLISP-exception-2.0\", \"cryptsetup-OpenSSL-exception\", \"DigiRule-FOSS-exception\", \"eCos-exception-2.0\", \"Fawkes-Runtime-exception\", \"FLTK-exception\", \"fmt-exception\", \"Font-exception-2.0\", \"freertos-exception-2.0\", \"GCC-exception-2.0\", \"GCC-exception-2.0-note\", \"GCC-exception-3.1\", \"Gmsh-exception\", \"GNAT-exception\", \"GNOME-examples-exception\", \"GNU-compiler-exception\", \"gnu-javamail-exception\", \"GPL-3.0-interface-exception\", \"GPL-3.0-linking-exception\", \"GPL-3.0-linking-source-exception\", \"GPL-CC-1.0\", \"GStreamer-exception-2005\", \"GStreamer-exception-2008\", \"i2p-gpl-java-exception\", \"KiCad-libraries-exception\", \"LGPL-3.0-linking-exception\", \"libpri-OpenH323-exception\", \"Libtool-exception\", \"Linux-syscall-note\", \"LLGPL\", \"LLVM-exception\", \"LZMA-exception\", \"mif-exception\", \"Nokia-Qt-exception-1.1\", \"OCaml-LGPL-linking-exception\", \"OCCT-exception-1.0\", \"OpenJDK-assembly-exception-1.0\", \"openvpn-openssl-exception\", \"PCRE2-exception\", \"PS-or-PDF-font-exception-20170817\", \"QPL-1.0-INRIA-2004-exception\", \"Qt-GPL-exception-1.0\", \"Qt-LGPL-exception-1.1\", \"Qwt-exception-1.0\", \"RRDtool-FLOSS-exception-2.0\", \"SANE-exception\", \"SHL-2.0\", \"SHL-2.1\", \"stunnel-exception\", \"SWI-exception\", \"Swift-exception\", \"Texinfo-exception\", \"u-boot-exception-2.0\", \"UBDL-exception\", \"Universal-FOSS-exception-1.0\", \"vsftpd-openssl-exception\", \"WxWindows-exception-3.1\", \"x11vnc-openssl-exception\"]","$.components[0].licenses: must have at most 1 items but found 4","$.components[0].licenses[0]: property 'license' is not defined in the schema and the schema does not allow additional properties","$.components[0].licenses[0]: required property 'expression' not found","$.components[0].licenses: index '1' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '2' is not defined in the schema and the schema does not allow additional items","$.components[0].licenses: index '3' is not defined in the schema and the schema does not allow additional items"]}` ### Expected Behavior Dtrack SBOM validation accepts all CycloneDX compliant files, and discards any data that does not match the internal license representation. License data should never fail an upload, since the primary function of the tool is vulnerability management, not license management. ### Dependency-Track Version 4.13.3 ### Dependency-Track Distribution Container Image ### Database Server PostgreSQL ### Database Server Version _No response_ ### Browser Google Chrome ### Checklist - [x] I have read and understand the [contributing guidelines](https://github.com/DependencyTrack/dependency-track/blob/master/CONTRIBUTING.md#filing-issues) - [x] I have checked the [existing issues](https://github.com/DependencyTrack/dependency-track/issues) for whether this defect was already reported

Topic		Replies	Views
July 31st \| Open Source Gardening \| Live Stream Announcements video , gardening	3	14	August 1, 2025
Components missing from CycloneDX json format SBOM when generation is part of a test Syft	5	13	September 9, 2025
Syft - v1.20.0 released Announcements release	1	35	February 22, 2025
Exclude-binary-overlap-by-ownership flag is not working General discuss	16	117	May 14, 2025
July 10th \| Open Source Gardening \| Live Stream Announcements video , gardening	1	10	July 21, 2025

Cyclonedx SBOM files do not pass cyclonedx cli validate command when SMAIL-GPL included as licenses

Related topics