fix: register CycloneDX annotation keywords to silence schema validator warnings #860

Merged
nscuro merged 2 commits into CycloneDX:master from patbaumgartner:fix/silence-unknown-keyword-warnings on Jun 30, 2026
@patbaumgartner

Contributor

Reference

Addresses the long-standing warning reported in CycloneDX/cyclonedx-maven-plugin#564.

Problem

The CycloneDX JSON schemas (e.g. bom-1.6.schema.json) declare the JSON-Schema draft-07 dialect but use the CycloneDX-proprietary annotation keywords meta:enum and deprecated, which are not part of draft-07. When a consumer has an SLF4J backend on the classpath, the networknt json-schema-validator logs:

Unknown keyword meta:enum - you should define your own Meta Schema...
Unknown keyword deprecated - you should define your own Meta Schema...

once per keyword during BOM validation. This is noise for every downstream tool (e.g. the Maven plugin).

Fix

Derive a draft-07 dialect that registers meta:enum and deprecated as NonValidationKeywords and wire it in via a delegating DialectRegistry on the SchemaRegistry used for CycloneDX schemas. The keywords are pure annotations, so validation behaviour is unchanged — only the spurious warnings are removed.

Tests

  • New CycloneDxJsonDialectTest verifying the keywords are registered as non-validating, that stock draft-07 does not know them, and that a valid 1.6 BOM still validates.
  • Full suite green: 1182 tests, 0 failures, 0 errors.
  • End-to-end check with an SLF4J backend present: 0 "Unknown keyword" warnings on this branch.
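
An added example (not part of the PR or the CycloneDX code base): a Python check that walks a draft-07 schema and reports keywords outside the draft-07 vocabulary, so that only `meta:enum` and `deprecated` are allow-listed and a misspelled validation keyword still surfaces. The function names and the sample schema are constructed for illustration.

```python
# Draft-07 keyword vocabulary (core, validation and annotation keywords).
DRAFT07 = {
    "$schema", "$id", "$ref", "$comment", "title", "description", "default",
    "examples", "readOnly", "writeOnly", "definitions", "type", "enum", "const",
    "multipleOf", "maximum", "exclusiveMaximum", "minimum", "exclusiveMinimum",
    "maxLength", "minLength", "pattern", "format", "contentMediaType",
    "contentEncoding", "items", "additionalItems", "maxItems", "minItems",
    "uniqueItems", "contains", "maxProperties", "minProperties", "required",
    "properties", "patternProperties", "additionalProperties", "dependencies",
    "propertyNames", "if", "then", "else", "allOf", "anyOf", "oneOf", "not",
}
# Keywords whose values contain subschemas, grouped by the shape of the value.
ONE = {"items", "additionalItems", "contains", "additionalProperties",
       "propertyNames", "if", "then", "else", "not"}
MANY = {"allOf", "anyOf", "oneOf", "items"}
MAP = {"properties", "patternProperties", "definitions", "dependencies"}
ALLOWED = {"meta:enum", "deprecated"}  # the two annotation keywords named in the PR

def unknown_keywords(schema, found=None):
    """Collect keywords that draft-07 does not define. Keys under `properties`
    and similar maps are property names, not keywords, so they are skipped."""
    found = set() if found is None else found
    if not isinstance(schema, dict):  # boolean schema or a non-schema value
        return found
    for key, value in schema.items():
        if key not in DRAFT07:
            found.add(key)  # do not descend: the value's shape is unspecified
        elif key in MANY and isinstance(value, list):
            for sub in value:
                unknown_keywords(sub, found)
        elif key in ONE and isinstance(value, dict):
            unknown_keywords(value, found)
        elif key in MAP and isinstance(value, dict):
            for sub in value.values():
                unknown_keywords(sub, found)
    return found

def unexpected_keywords(schema):
    """Unknown keywords that are not on the annotation allow-list."""
    return unknown_keywords(schema) - ALLOWED

# Constructed sample: one typo ("requried") next to the two known annotations.
SAMPLE = {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "requried": ["scope"],
    "properties": {
        "vendorField": {"type": "string"},
        "scope": {"type": "string", "enum": ["required", "optional"],
                  "meta:enum": {"required": "constructed text", "optional": "constructed text"}},
        "modified": {"type": "boolean", "deprecated": True},
    },
}
```

Run against a schema file in CI, a non-empty result from `unexpected_keywords` means a keyword beyond the two registered annotations is being ignored by the validator.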

…ings

The CycloneDX JSON schemas (e.g. bom-1.6.schema.json) declare the draft-07 dialect but use the CycloneDX-specific 'meta:enum' and 'deprecated' annotation keywords, which are not part of draft-07. The networknt json-schema-validator therefore logs an "Unknown keyword <name>" warning for each one during BOM validation.

Register both keywords as NonValidationKeyword on a draft-07-based dialect used for the CycloneDX schemas. They carry no validation semantics, so validation results are unchanged; only the spurious warnings are removed.

Signed-off-by: Patrick Baumgartner <contact@patbaumgartner.com>
@patbaumgartner patbaumgartner requested a review from a team as a code owner June 29, 2026 07:25
@codacy-production

codacy-production Bot commented Jun 29, 2026


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

🟢 Metrics 0 complexity

Metric Results
Complexity 0

🟢 Coverage 100.00% diff coverage · +0.02% coverage variation

Metric Results
Coverage variation +0.02% coverage variation
Diff coverage 100.00% diff coverage

Coverage variation details
| | Coverable lines | Covered lines | Coverage |
| Common ancestor commit (681ed28) | Report Missing | Report Missing | Report Missing |
| Head commit (3ed6e98) | 6676 (+6) | 5061 (+6) | 75.81% (+0.02%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
| | Coverable lines | Covered lines | Diff coverage |
| Pull request (#860) | 6 | 6 | 100.00% |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

Comment thread src/main/java/org/cyclonedx/CycloneDxSchema.java
Comment thread src/test/java/org/cyclonedx/CycloneDxJsonDialectTest.java Outdated
Signed-off-by: Patrick Baumgartner <contact@patbaumgartner.com>
@patbaumgartner patbaumgartner force-pushed the fix/silence-unknown-keyword-warnings branch from 9f45723 to 3ed6e98 Compare June 30, 2026 15:23
@patbaumgartner

Contributor Author

Thank you, @nscuro, for guiding my changes. Implementation changed according to your feedback.

@nscuro nscuro added the bug Something isn't working label Jun 30, 2026
@patbaumgartner patbaumgartner requested a review from nscuro June 30, 2026 15:25
@nscuro nscuro merged commit 37d5905 into CycloneDX:master Jun 30, 2026
8 checks passed