feat: add basic spec version validation and related tests to enhance BOM validation process

wiebe-vandendriessche · wiebe-vandendriessche · commit f4a98c74d444 · 2026-01-02T17:08:56.000+01:00
diff --git a/internal/validator/validator.go b/internal/validator/validator.go
@@ -46,13 +46,16 @@ func Validate(bom *cdx.BOM, opts ValidationOptions) ValidationResult {
 		result.Errors = append(result.Errors, "BOM missing metadata.component")
 	}
 
-	// 3. Run completeness check (leverages existing package)
+	// 3. Validate spec version
+	validateSpecVersion(bom, &result)
+
+	// 4. Run completeness check (leverages existing package)
 	report := completeness.Check(bom)
 	result.CompletenessScore = report.Score
 	result.MissingRequired = report.MissingRequired
 	result.MissingOptional = report.MissingOptional
 
-	// 4. Strict mode enforcement
+	// 5. Strict mode enforcement
 	if opts.StrictMode {
 		if len(report.MissingRequired) > 0 {
 			result.Valid = false
@@ -69,20 +72,48 @@ func Validate(bom *cdx.BOM, opts ValidationOptions) ValidationResult {
 		}
 	}
 
-	// 5. Add warnings for optional fields
+	// 6. Add warnings for optional fields
 	for _, key := range report.MissingOptional {
 		msg := fmt.Sprintf("optional field missing: %s", key)
 		result.Warnings = append(result.Warnings, msg)
 	}
 
-	// 6. Model card validation
+	// 7. Model card validation
 	if opts.CheckModelCard {
 		validateModelCard(bom, &result)
 	}
 
 	return result
 }
 
+func validateSpecVersion(bom *cdx.BOM, result *ValidationResult) {
+	if bom.SpecVersion == 0 {
+		result.Valid = false
+		result.Errors = append(result.Errors, "BOM missing spec version")
+		return
+	}
+
+	// Check if spec version is valid
+	switch bom.SpecVersion {
+	case cdx.SpecVersion1_0, cdx.SpecVersion1_1, cdx.SpecVersion1_2,
+		cdx.SpecVersion1_3, cdx.SpecVersion1_4, cdx.SpecVersion1_5,
+		cdx.SpecVersion1_6:
+		// Valid spec version
+	default:
+		result.Valid = false
+		result.Errors = append(result.Errors,
+			fmt.Sprintf("invalid or unsupported spec version: %d", bom.SpecVersion))
+		return
+	}
+
+	// Warn about older spec versions (< 1.5 doesn't have full ML-BOM support)
+	if bom.SpecVersion < cdx.SpecVersion1_5 {
+		result.Warnings = append(result.Warnings,
+			fmt.Sprintf("spec version 1.%d predates ML-BOM support (consider upgrading to 1.5+)",
+				bom.SpecVersion-1))
+	}
+}
+
 func validateModelCard(bom *cdx.BOM, result *ValidationResult) {
 	comp := bom.Metadata.Component
 	if comp == nil {
diff --git a/internal/validator/validator_test.go b/internal/validator/validator_test.go
@@ -35,6 +35,7 @@ func TestValidate_MissingMetadata(t *testing.T) {
 
 func TestValidate_ValidBOM(t *testing.T) {
 	bom := &cdx.BOM{
+		SpecVersion: cdx.SpecVersion1_6,
 		Metadata: &cdx.Metadata{
 			Component: &cdx.Component{
 				Name: "test-model",
@@ -55,6 +56,7 @@ func TestValidate_ValidBOM(t *testing.T) {
 
 func TestValidate_StrictMode(t *testing.T) {
 	bom := &cdx.BOM{
+		SpecVersion: cdx.SpecVersion1_6,
 		Metadata: &cdx.Metadata{
 			Component: &cdx.Component{
 				Name: "test-model",
@@ -76,6 +78,7 @@ func TestValidate_StrictMode(t *testing.T) {
 
 func TestValidateModelCard_Missing(t *testing.T) {
 	bom := &cdx.BOM{
+		SpecVersion: cdx.SpecVersion1_6,
 		Metadata: &cdx.Metadata{
 			Component: &cdx.Component{
 				Name: "test-model",
@@ -93,3 +96,93 @@ func TestValidateModelCard_Missing(t *testing.T) {
 		t.Error("expected warnings about missing model card")
 	}
 }
+
+func TestValidateSpecVersion_Missing(t *testing.T) {
+	bom := &cdx.BOM{
+		Metadata: &cdx.Metadata{
+			Component: &cdx.Component{
+				Name: "test-model",
+			},
+		},
+	}
+	opts := ValidationOptions{}
+	result := Validate(bom, opts)
+
+	if result.Valid {
+		t.Error("expected validation to fail for BOM without spec version")
+	}
+
+	foundError := false
+	for _, err := range result.Errors {
+		if err == "BOM missing spec version" {
+			foundError = true
+			break
+		}
+	}
+	if !foundError {
+		t.Error("expected error about missing spec version")
+	}
+}
+
+func TestValidateSpecVersion_Invalid(t *testing.T) {
+	bom := &cdx.BOM{
+		SpecVersion: 999,
+		Metadata: &cdx.Metadata{
+			Component: &cdx.Component{
+				Name: "test-model",
+			},
+		},
+	}
+	opts := ValidationOptions{}
+	result := Validate(bom, opts)
+
+	if result.Valid {
+		t.Error("expected validation to fail for invalid spec version")
+	}
+}
+
+func TestValidateSpecVersion_Valid(t *testing.T) {
+	bom := &cdx.BOM{
+		SpecVersion: cdx.SpecVersion1_6,
+		Metadata: &cdx.Metadata{
+			Component: &cdx.Component{
+				Name: "test-model",
+			},
+		},
+	}
+	opts := ValidationOptions{
+		CheckModelCard: false,
+	}
+	result := Validate(bom, opts)
+
+	if !result.Valid {
+		t.Errorf("expected validation to pass for valid spec version, got errors: %v", result.Errors)
+	}
+}
+
+func TestValidateSpecVersion_OldVersionWarning(t *testing.T) {
+	bom := &cdx.BOM{
+		SpecVersion: cdx.SpecVersion1_3,
+		Metadata: &cdx.Metadata{
+			Component: &cdx.Component{
+				Name: "test-model",
+			},
+		},
+	}
+	opts := ValidationOptions{
+		CheckModelCard: false,
+	}
+	result := Validate(bom, opts)
+
+	// Should have warning about old spec version
+	foundWarning := false
+	for _, warn := range result.Warnings {
+		if len(warn) > 0 && (warn[0:4] == "spec" || warn[0:4] == "Spec") {
+			foundWarning = true
+			break
+		}
+	}
+	if !foundWarning {
+		t.Error("expected warning about old spec version")
+	}
+}
