Affected version: 12.1.0 and older
Minimal valid example:
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:134bdd62-7b55-4f31-bc92-583aeaac3b29" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
  <metadata>
    <timestamp>2026-04-01T08:22:04.5934884Z</timestamp>
    <tools>
      <components>
        <component type="application">
          <authors>
            <author>
              <name>CycloneDX</name>
            </author>
          </authors>
          <name>CycloneDX module for .NET</name>
          <version>6.1.0.0</version>
          <externalReferences>
            <reference type="website">
              <url>https://github.com/CycloneDX/cyclonedx-dotnet</url>
            </reference>
          </externalReferences>
        </component>
      </components>
    </tools>
  </metadata>
</bom>
Exception:
org.cyclonedx.exception.ParseException: com.fasterxml.jackson.databind.JsonMappingException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.OrganizationalContact>` from Object value (token `JsonToken.START_OBJECT`)
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.cyclonedx.model.Component["authors"]) (through reference chain: org.cyclonedx.model.Bom["metadata"])
at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:101)
at com.sonatype.insight.scan.file.ThirdPartyUtils.parseAndOrValidateCycloneDx(ThirdPartyUtils.java:101)
... 13 common frames omitted
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.OrganizationalContact>` from Object value (token `JsonToken.START_OBJECT`)
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.cyclonedx.model.Component["authors"]) (through reference chain: org.cyclonedx.model.Bom["metadata"])
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:400)
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:359)
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1966)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:304)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:169)
at com.fasterxml.jackson.dataformat.xml.deser.WrapperHandlingDeserializer.deserialize(WrapperHandlingDeserializer.java:122)
at com.fasterxml.jackson.dataformat.xml.deser.XmlDeserializationContext.readRootValue(XmlDeserializationContext.java:104)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4971)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3948)
at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:99)
... 14 common frames omitted
Caused by: java.lang.IllegalArgumentException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.OrganizationalContact>` from Object value (token `JsonToken.START_OBJECT`)
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.cyclonedx.model.Component["authors"])
at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4663)
at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4594)
at org.cyclonedx.util.deserializer.ToolInformationDeserializer.parseComponents(ToolInformationDeserializer.java:72)
at org.cyclonedx.util.deserializer.ToolInformationDeserializer.parseToolInformation(ToolInformationDeserializer.java:50)
at org.cyclonedx.util.deserializer.ToolInformationDeserializer.deserialize(ToolInformationDeserializer.java:44)
at org.cyclonedx.util.ToolsJsonParser.parse(ToolsJsonParser.java:49)
at org.cyclonedx.util.ToolsJsonParser.<init>(ToolsJsonParser.java:40)
at org.cyclonedx.util.deserializer.MetadataDeserializer.deserialize(MetadataDeserializer.java:90)
at org.cyclonedx.util.deserializer.MetadataDeserializer.deserialize(MetadataDeserializer.java:22)
at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:302)
... 20 common frames omitted
Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.OrganizationalContact>` from Object value (token `JsonToken.START_OBJECT`)
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.cyclonedx.model.Component["authors"])
at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:59)
at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1794)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1568)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1515)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.handleNonArray(CollectionDeserializer.java:401)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:253)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:29)
at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:302)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:169)
at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4658)
... 30 common frames omitted