sprints work

.gitea/workflows/schema-validation.yml

@@ -231,10 +231,75 @@ jobs:
             echo "::warning::No OpenVEX fixtures found to validate"
           fi
 
+  # Negative testing: verify that invalid fixtures are correctly rejected
+  validate-negative:
+    name: Validate Negative Test Cases
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install sbom-utility
+        run: |
+          curl -sSfL "https://github.com/CycloneDX/sbom-utility/releases/download/v${SBOM_UTILITY_VERSION}/sbom-utility-v${SBOM_UTILITY_VERSION}-linux-amd64.tar.gz" | tar xz
+          sudo mv sbom-utility /usr/local/bin/
+          sbom-utility --version
+
+      - name: Verify invalid fixtures fail validation
+        run: |
+          set -e
+          SCHEMA="docs/schemas/cyclonedx-bom-1.6.schema.json"
+          INVALID_DIR="tests/fixtures/invalid"
+
+          if [ ! -d "$INVALID_DIR" ]; then
+            echo "::warning::No invalid fixtures directory found at $INVALID_DIR"
+            exit 0
+          fi
+
+          EXPECTED_FAILURES=0
+          ACTUAL_FAILURES=0
+          UNEXPECTED_PASSES=0
+
+          while IFS= read -r -d '' file; do
+            if grep -q '"bomFormat".*"CycloneDX"' "$file" 2>/dev/null; then
+              EXPECTED_FAILURES=$((EXPECTED_FAILURES + 1))
+              echo "::group::Testing invalid fixture: $file"
+
+              # This SHOULD fail - if it passes, that's an error
+              if sbom-utility validate --input-file "$file" --schema "$SCHEMA" 2>&1; then
+                echo "❌ UNEXPECTED PASS: $file (should have failed validation)"
+                UNEXPECTED_PASSES=$((UNEXPECTED_PASSES + 1))
+              else
+                echo "✅ EXPECTED FAILURE: $file (correctly rejected)"
+                ACTUAL_FAILURES=$((ACTUAL_FAILURES + 1))
+              fi
+              echo "::endgroup::"
+            fi
+          done < <(find "$INVALID_DIR" -name '*.json' -type f -print0 2>/dev/null || true)
+
+          echo "================================================"
+          echo "Negative Test Summary"
+          echo "================================================"
+          echo "Expected failures: $EXPECTED_FAILURES"
+          echo "Actual failures: $ACTUAL_FAILURES"
+          echo "Unexpected passes: $UNEXPECTED_PASSES"
+          echo "================================================"
+
+          if [ "$UNEXPECTED_PASSES" -gt 0 ]; then
+            echo "::error::$UNEXPECTED_PASSES invalid fixtures passed validation unexpectedly"
+            exit 1
+          fi
+
+          if [ "$EXPECTED_FAILURES" -eq 0 ]; then
+            echo "::warning::No invalid CycloneDX fixtures found for negative testing"
+          fi
+
+          echo "✅ All invalid fixtures correctly rejected by schema validation"
+
   summary:
     name: Validation Summary
     runs-on: ubuntu-latest
-    needs: [validate-cyclonedx, validate-spdx, validate-vex]
+    needs: [validate-cyclonedx, validate-spdx, validate-vex, validate-negative]
     if: always()
     steps:
       - name: Check results
@@ -244,12 +309,14 @@ jobs:
           echo "CycloneDX: ${{ needs.validate-cyclonedx.result }}"
           echo "SPDX: ${{ needs.validate-spdx.result }}"
           echo "OpenVEX: ${{ needs.validate-vex.result }}"
-          
+          echo "Negative Tests: ${{ needs.validate-negative.result }}"
+
           if [ "${{ needs.validate-cyclonedx.result }}" = "failure" ] || \
              [ "${{ needs.validate-spdx.result }}" = "failure" ] || \
-             [ "${{ needs.validate-vex.result }}" = "failure" ]; then
+             [ "${{ needs.validate-vex.result }}" = "failure" ] || \
+             [ "${{ needs.validate-negative.result }}" = "failure" ]; then
             echo "::error::One or more schema validations failed"
             exit 1
           fi
-          
+
           echo "✅ All schema validations passed or skipped"