Description
Work recommended some additional XML tests for the 3.0 release. I set them up and ran them as part of my internal documentation because it was easier to run them than justify not running them, but I haven't merged them because I feel like they're kind of low-value as is. Here's the commit that includes them in my branch:
They're all for stuff that defusedxml defeats by design, so I'm not sure they have much value to us as part of the regular test suite, which is why I haven't merged them. But I do feel like we might be able to improve testing of other areas in XML validation and parsing that weren't on my checklist, so I'm opening this issue so we can discuss potential improvements:
Some ideas to get discussion started:
- Making a test to show that the defusedxml settings around entities and reference expansion are set appropriately.
- Improving the debug/warning level output if an SBOM file doesn't match expected schema or encoding.
- Fuzz testing focusing on the input formats we support (including the new JSON and XML SBOM formats).
I'm not sure how much intentionally malicious SBOM files are going to be a thing, but we might as well assume they are a possibility and use it as a way to also improve our resilience to unintentionally badly formed ones at the same time.
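As an added illustration of the first idea above (a test proving the parser's entity handling is locked down), here is a self-contained example that is not from this project or its branch. It uses a stdlib `pyexpat` pre-scan as a stand-in for defusedxml's own guard, so it runs with no extra dependency; a project test would pass its real parse function (for example defusedxml's `ElementTree.fromstring`, catching `defusedxml.EntitiesForbidden`) into `check_parser_rejects_entities` instead. The SBOM snippets, the `EntitiesForbidden` class and all function names are constructed for the example.

```python
"""Test helper showing that an XML parser refuses entity declarations.

The guard below (a pyexpat pre-scan) is a hypothetical stand-in for what
defusedxml does internally; a real test would plug in the project's parser.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample documents (not real SBOMs): one benign, one internal
# entity-expansion bomb (billion-laughs shape), one external entity reference.
BENIGN = b"<bom><component name='lib'/></bom>"
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bom [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<bom>&b;</bom>"""
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE bom [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<bom>&ext;</bom>"""


class EntitiesForbidden(ValueError):
    """Raised when a document declares any entity, internal or external."""


def assert_no_entities(data: bytes) -> None:
    """Pre-scan with pyexpat; any <!ENTITY ...> declaration aborts the parse.

    The handler fires when the declaration is read, before anything in the
    document body is expanded, so the bomb never costs memory.
    """
    def reject(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = reject
    parser.Parse(data, True)


def parse_hardened(data: bytes) -> ET.Element:
    """Parse with the stdlib only after the pre-scan found no entity declarations."""
    assert_no_entities(data)
    return ET.fromstring(data)


def check_parser_rejects_entities(parse=parse_hardened) -> dict:
    """Run hostile and benign samples through `parse` and report what happened.

    A unittest/pytest case asserts that both hostile samples are "rejected"
    and that the benign document still yields its root tag.
    """
    report = {}
    for label, doc in (("entity_bomb", ENTITY_BOMB), ("external_entity", EXTERNAL_ENTITY)):
        try:
            parse(doc)
            report[label] = "parsed"      # bad: the parser allowed the declaration
        except EntitiesForbidden:
            report[label] = "rejected"
    report["benign"] = parse(BENIGN).tag
    return report


if __name__ == "__main__":
    print(check_parser_rejects_entities())
```

The value of such a test is that it fails loudly if someone later swaps the parser, or changes the defusedxml settings, in a way that re-enables entity expansion; the samples are tiny on purpose so that a regression shows up as a wrong report entry rather than as a hung test run.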