From b72fdc7eedb3ffe8c59a9aa0e184084f9911bfef Mon Sep 17 00:00:00 2001 From: Pedro Boado Date: Mon, 23 Feb 2026 13:06:56 +0100 Subject: [PATCH] chore(deps): Bump com.networknt:json-schema-validator from 1.5.9 to 2.0.1 Migrate from the removed 1.x API to the 2.x equivalents. Update JsonParseTest to reflect that Error.getMessage() no longer prefixes the instance location (e.g. "$: ") to the message text. Signed-off-by: Pedro Boado --- pom.xml | 2 +- .../java/org/cyclonedx/CycloneDxSchema.java | 46 ++++++++----------- .../org/cyclonedx/parsers/JsonParser.java | 7 ++- .../org/cyclonedx/parse/JsonParseTest.java | 2 +- 4 files changed, 23 insertions(+), 34 deletions(-) diff --git a/pom.xml b/pom.xml index 2034c7f20..121578bdc 100644 --- a/pom.xml +++ b/pom.xml @@ -170,7 +170,7 @@ com.networknt json-schema-validator - 1.5.9 + 2.0.1 diff --git a/src/main/java/org/cyclonedx/CycloneDxSchema.java b/src/main/java/org/cyclonedx/CycloneDxSchema.java index 1e942272a..c507b20a8 100644 --- a/src/main/java/org/cyclonedx/CycloneDxSchema.java +++ b/src/main/java/org/cyclonedx/CycloneDxSchema.java @@ -20,11 +20,9 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; -import com.networknt.schema.JsonSchema; -import com.networknt.schema.JsonSchemaFactory; -import com.networknt.schema.SchemaValidatorsConfig; -import com.networknt.schema.SpecVersionDetector; -import com.networknt.schema.resource.MapSchemaMapper; +import com.networknt.schema.SchemaRegistry; +import com.networknt.schema.SchemaRegistryConfig; +import com.networknt.schema.serialization.DefaultNodeReader; import org.cyclonedx.generators.json.BomJsonGenerator; import org.cyclonedx.generators.xml.BomXmlGenerator; import org.xml.sax.SAXException; 
@@ -82,36 +80,28 @@ public abstract class CycloneDxSchema * @throws IOException when errors are encountered * @since 6.0.0 */ - public JsonSchema getJsonSchema(Version schemaVersion, final ObjectMapper mapper) + public com.networknt.schema.Schema getJsonSchema(Version schemaVersion, final ObjectMapper mapper) throws IOException { final InputStream spdxInstream = getJsonSchemaAsStream(schemaVersion); - final SchemaValidatorsConfig config = new SchemaValidatorsConfig(); - config.setPreloadJsonSchema(false); + final SchemaRegistryConfig config = SchemaRegistryConfig.builder().preloadSchema(false).build(); final Map offlineMappings = new HashMap<>(); - offlineMappings.put("http://cyclonedx.org/schema/spdx.schema.json", - getClass().getClassLoader().getResource("spdx.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/jsf-0.82.schema.json", - getClass().getClassLoader().getResource("jsf-0.82.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/bom-1.2.schema.json", - getClass().getClassLoader().getResource("bom-1.2-strict.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/bom-1.3.schema.json", - getClass().getClassLoader().getResource("bom-1.3-strict.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/bom-1.4.schema.json", - getClass().getClassLoader().getResource("bom-1.4.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/bom-1.5.schema.json", - getClass().getClassLoader().getResource("bom-1.5.schema.json").toExternalForm()); - offlineMappings.put("http://cyclonedx.org/schema/bom-1.6.schema.json", - getClass().getClassLoader().getResource("bom-1.6.schema.json").toExternalForm()); + offlineMappings.put("http://cyclonedx.org/schema/spdx.schema.json", "classpath:spdx.schema.json"); + offlineMappings.put("http://cyclonedx.org/schema/jsf-0.82.schema.json", "classpath:jsf-0.82.schema.json"); + 
offlineMappings.put("http://cyclonedx.org/schema/bom-1.2.schema.json", "classpath:bom-1.2-strict.schema.json"); + offlineMappings.put("http://cyclonedx.org/schema/bom-1.3.schema.json", "classpath:bom-1.3-strict.schema.json"); + offlineMappings.put("http://cyclonedx.org/schema/bom-1.4.schema.json", "classpath:bom-1.4.schema.json"); + offlineMappings.put("http://cyclonedx.org/schema/bom-1.5.schema.json", "classpath:bom-1.5.schema.json"); + offlineMappings.put("http://cyclonedx.org/schema/bom-1.6.schema.json", "classpath:bom-1.6.schema.json"); JsonNode schemaNode = mapper.readTree(spdxInstream); - final MapSchemaMapper offlineSchemaMapper = new MapSchemaMapper(offlineMappings); - JsonSchemaFactory factory = JsonSchemaFactory.builder(JsonSchemaFactory.getInstance(SpecVersionDetector.detect(schemaNode))) - .jsonMapper(mapper) - .schemaMappers(s -> s.add(offlineSchemaMapper)) - .build(); - return factory.getSchema(schemaNode, config); + SchemaRegistry registry = SchemaRegistry.builder() + .nodeReader(DefaultNodeReader.builder().jsonMapper(mapper).build()) + .schemaIdResolvers(b -> b.mappings(offlineMappings)) + .schemaRegistryConfig(config) + .build(); + return registry.getSchema(schemaNode); } private InputStream getJsonSchemaAsStream(final Version schemaVersion) { diff --git a/src/main/java/org/cyclonedx/parsers/JsonParser.java b/src/main/java/org/cyclonedx/parsers/JsonParser.java index 67a75dce2..ec73014b7 100644 --- a/src/main/java/org/cyclonedx/parsers/JsonParser.java +++ b/src/main/java/org/cyclonedx/parsers/JsonParser.java @@ -20,7 +20,7 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; -import com.networknt.schema.ValidationMessage; +import com.networknt.schema.Error; import org.apache.commons.io.FileUtils; import org.apache.commons.io.IOUtils; import org.cyclonedx.CycloneDxSchema; 
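Review bot: The seven `classpath:` targets in `offlineMappings` of `getJsonSchema` are now resolved by the validator library when a reference is followed, whereas the removed lines resolved each one eagerly through `getClass().getClassLoader()` and failed immediately if a bundled schema was missing. Which class loader the library uses for `classpath:` is not visible in this hunk. If it is the thread context loader, a host with its own class-loading (build plugin, application server) could fail to find the bundled files or pick up a same-named file from another jar, and these schemas are what `validate` trusts. With `preloadSchema(false)` such a problem would presumably surface only when a `$ref` is first followed, so I would add a test that builds the schema for every supported version and validates a document that exercises the SPDX and JSF references. A comment above the map would also help, for example `// $refs to http://cyclonedx.org/schema/* are pinned to the bundled copies; validation must never fetch them over the network`.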
@@ -36,7 +36,6 @@ import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; -import java.util.Set; /** * JsonParser is responsible for validating and parsing CycloneDX bill-of-material @@ -182,8 +181,8 @@ public List validate(final JsonNode bomJson, final Version schem ); } - Set errors = getJsonSchema(schemaVersion, mapper).validate(mapper.readTree(bomJson.toString())); - for (ValidationMessage message: errors) { + List errors = getJsonSchema(schemaVersion, mapper).validate(mapper.readTree(bomJson.toString())); + for (Error message: errors) { exceptions.add(new ParseException(message.getMessage())); } diff --git a/src/test/java/org/cyclonedx/parse/JsonParseTest.java b/src/test/java/org/cyclonedx/parse/JsonParseTest.java index 1bc8dd065..73e99a86f 100644 --- a/src/test/java/org/cyclonedx/parse/JsonParseTest.java +++ b/src/test/java/org/cyclonedx/parse/JsonParseTest.java @@ -63,7 +63,7 @@ public void testValidateBomPrior12() throws IOException { assertThat(exceptions.stream().map(ParseException::getMessage)).containsExactly( "CycloneDX version 1.1 does not support the JSON format", - "$: unknown found, object expected" + "unknown found, object expected" ); } }
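Review bot: `new ParseException(message.getMessage())` in the loop of `validate` now produces messages without the instance location, because per the commit description `Error.getMessage()` no longer prefixes it. A caller validating a large BOM gets `unknown found, object expected` with nothing to say which node failed. If the 2.x `Error` still exposes the location (I believe through `getInstanceLocation()`, to be confirmed against the API), I would keep the previous text with `exceptions.add(new ParseException(message.getInstanceLocation() + ": " + message.getMessage()));`, which should also let the JsonParseTest expectation stay as it was. Separately, the unqualified `Error` is the library type and shadows `java.lang.Error` for the whole file; a fully qualified name, as done for `com.networknt.schema.Schema` in CycloneDxSchema, would avoid that. The body of `validate` starts and ends outside this hunk.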