CycloneDX · pedroboado · Feb 23, 2026
@@ -170,7 +170,7 @@
         <dependency>
             <groupId>com.networknt</groupId>
             <artifactId>json-schema-validator</artifactId>
-            <version>1.5.9</version>
+            <version>2.0.1</version>
         </dependency>
 
         <!-- Unit Test -->

@@ -20,11 +20,9 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.networknt.schema.JsonSchema;
-import com.networknt.schema.JsonSchemaFactory;
-import com.networknt.schema.SchemaValidatorsConfig;
-import com.networknt.schema.SpecVersionDetector;
-import com.networknt.schema.resource.MapSchemaMapper;
+import com.networknt.schema.SchemaRegistry;
+import com.networknt.schema.SchemaRegistryConfig;
+import com.networknt.schema.serialization.DefaultNodeReader;
 import org.cyclonedx.generators.json.BomJsonGenerator;
 import org.cyclonedx.generators.xml.BomXmlGenerator;
 import org.xml.sax.SAXException;
@@ -82,36 +80,28 @@ public abstract class CycloneDxSchema
    * @throws IOException when errors are encountered
    * @since 6.0.0
    */
-  public JsonSchema getJsonSchema(Version schemaVersion, final ObjectMapper mapper)
+  public com.networknt.schema.Schema getJsonSchema(Version schemaVersion, final ObjectMapper mapper)
       throws IOException
   {
     final InputStream spdxInstream = getJsonSchemaAsStream(schemaVersion);
-    final SchemaValidatorsConfig config = new SchemaValidatorsConfig();
-    config.setPreloadJsonSchema(false);
+    final SchemaRegistryConfig config = SchemaRegistryConfig.builder().preloadSchema(false).build();
 
     final Map<String, String> offlineMappings = new HashMap<>();
-    offlineMappings.put("http://cyclonedx.org/schema/spdx.schema.json",
-        getClass().getClassLoader().getResource("spdx.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/jsf-0.82.schema.json",
-        getClass().getClassLoader().getResource("jsf-0.82.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/bom-1.2.schema.json",
-        getClass().getClassLoader().getResource("bom-1.2-strict.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/bom-1.3.schema.json",
-        getClass().getClassLoader().getResource("bom-1.3-strict.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/bom-1.4.schema.json",
-        getClass().getClassLoader().getResource("bom-1.4.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/bom-1.5.schema.json",
-        getClass().getClassLoader().getResource("bom-1.5.schema.json").toExternalForm());
-    offlineMappings.put("http://cyclonedx.org/schema/bom-1.6.schema.json",
-        getClass().getClassLoader().getResource("bom-1.6.schema.json").toExternalForm());
+    offlineMappings.put("http://cyclonedx.org/schema/spdx.schema.json", "classpath:spdx.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/jsf-0.82.schema.json", "classpath:jsf-0.82.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.2.schema.json", "classpath:bom-1.2-strict.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.3.schema.json", "classpath:bom-1.3-strict.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.4.schema.json", "classpath:bom-1.4.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.5.schema.json", "classpath:bom-1.5.schema.json");
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.6.schema.json", "classpath:bom-1.6.schema.json");
 
     JsonNode schemaNode = mapper.readTree(spdxInstream);
-    final MapSchemaMapper offlineSchemaMapper = new MapSchemaMapper(offlineMappings);
-    JsonSchemaFactory factory = JsonSchemaFactory.builder(JsonSchemaFactory.getInstance(SpecVersionDetector.detect(schemaNode)))
-      .jsonMapper(mapper)
-      .schemaMappers(s -> s.add(offlineSchemaMapper))
-      .build();
-    return factory.getSchema(schemaNode, config);
+    SchemaRegistry registry = SchemaRegistry.builder()
+        .nodeReader(DefaultNodeReader.builder().jsonMapper(mapper).build())
+        .schemaIdResolvers(b -> b.mappings(offlineMappings))
+        .schemaRegistryConfig(config)
+        .build();
+    return registry.getSchema(schemaNode);
   }
 
   private InputStream getJsonSchemaAsStream(final Version schemaVersion) {

@@ -20,7 +20,7 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.networknt.schema.ValidationMessage;
+import com.networknt.schema.Error;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.cyclonedx.CycloneDxSchema;
@@ -36,7 +36,6 @@
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Set;
 
 /**
  * JsonParser is responsible for validating and parsing CycloneDX bill-of-material
@@ -182,8 +181,8 @@ public List<ParseException> validate(final JsonNode bomJson, final Version schem
             );
         }
 
-        Set<ValidationMessage> errors = getJsonSchema(schemaVersion, mapper).validate(mapper.readTree(bomJson.toString()));
-        for (ValidationMessage message: errors) {
+        List<Error> errors = getJsonSchema(schemaVersion, mapper).validate(mapper.readTree(bomJson.toString()));
+        for (Error message: errors) {
             exceptions.add(new ParseException(message.getMessage()));
         }
 

@@ -63,7 +63,7 @@ public void testValidateBomPrior12() throws IOException {
 
         assertThat(exceptions.stream().map(ParseException::getMessage)).containsExactly(
                 "CycloneDX version 1.1 does not support the JSON format",
-                "$: unknown found, object expected"
+                "unknown found, object expected"
         );
     }
 }