CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

fineract gradle sbom has validation errors #474

Closed prabhu closed 1 year ago

prabhu commented 1 year ago

It uses nested sub-modules. The colon character is not converted to a slash in dependencies.ref correctly.

Repo: https://github.com/apache/fineract/tree/1.8.4 Java: 17

===== WARNINGS =====
[
'Invalid ref in dependencies.dependsOn pkg:maven/org.apache.fineract/module:dummy:core@1.8.4?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/org.apache.fineract/module:dummy:service@1.8.4?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/org.apache.fineract/module:dummy:starter@1.8.4?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/org.apache.fineract/custom:foo:service@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/module:dummy:core@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/module:dummy:service@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/module:dummy:starter@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/custom:foo:service@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/fineract-provider@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/fineract-client@1.8.4?type=jar',
'Invalid ref in dependencies pkg:maven/custom/foo@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module/dummy@latest?type=jar',
'Invalid ref in dependencies pkg:maven/custom/foo:service@latest?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/module:dummy:core@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module:dummy:core@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module/dummy:core@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module/dummy:service@latest?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/module:dummy:core@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module/dummy:starter@latest?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/module:dummy:core@latest?type=jar',
'Invalid ref in dependencies.dependsOn pkg:maven/module:dummy:service@latest?type=jar',
'Invalid ref in dependencies pkg:maven/module:dummy:service@latest?type=jar'
]
prabhu commented 1 year ago

@malice00 Could you kindly help with this bug? You can feel free to use the same branch malice00:test/gradle_sub_projects

malice00 commented 1 year ago

@prabhu I'll take a look during the weekend

malice00 commented 1 year ago

I feel there's some bug(s) in the package-url.js package, besides some things needing to change in cdxgen as well... I'll start a discussion with the devs of package-url to clear things up and figure out the way to go...

Question though: what do we feel is the correct name (and therefore purl) for Gradle-(sub-)projects? I think, since Gradle uses the ':' in the names, we should respect this and leave it in. I didn't find anything in the purl-spec that says we can't --> it even says that the name should be percent-encoded (which would be the bug in package-url.js!). Imho, the current solution (at least when parsing sub-projects, it's missing or possibly deleted by my last PR when parsing dependencies) changes the '.' to a '/', which in package.js (because of the percent-encoding issue) would accidentally move all parts before the last '/' to the namespace of a component, which could potentially generate the same purl for different components...

So, in short, I think the purls should look something like this: pkg:maven/org.apache.fineract/%3Amodule%3Adummy%3Acore@1.8.4?type=jar and because package-url.js explicitly changes the '%3A' back to ':', it generates a purl that it can't even validate itself...

Edit: Issue with package-url.js reported
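
The encoding question raised in this comment, as an added example that is not cdxgen's or packageurl-js's code: a minimal purl builder and parser plus a canonical-form check for dependencies.ref values. It assumes the form proposed above (the Gradle project path kept whole inside the purl name, with ':' percent-encoded as %3A); the function names encodeComponent, buildPurl, parsePurl, isCanonicalPurl and gradleProjectPurl are this example's own, the sample refs are taken from the warnings above, and the '#subpath' component is deliberately not handled.

```javascript
// Added example, not cdxgen or packageurl-js code. Assumption: a Gradle
// project path such as ':module:dummy:core' is the purl name, percent-encoded,
// so every unencoded '/' in a purl is a real separator. Subpath is ignored.

function encodeComponent(s) {
  // encodeURIComponent escapes everything outside A-Z a-z 0-9 - _ . ! ~ * ' ( ),
  // so ':' '/' '@' '?' '#' '%' and non-ASCII all become %XX here.
  return encodeURIComponent(s);
}

function buildPurl({ type, namespace, name, version, qualifiers }) {
  let purl = `pkg:${type.toLowerCase()}/`;
  if (namespace) {
    // each namespace segment is encoded on its own; '/' stays a separator
    purl += namespace.split('/').map(encodeComponent).join('/') + '/';
  }
  purl += encodeComponent(name);
  if (version) purl += '@' + encodeComponent(version);
  const keys = qualifiers ? Object.keys(qualifiers).sort() : [];
  if (keys.length) {
    purl += '?' + keys
      .map((k) => `${k.toLowerCase()}=${encodeComponent(qualifiers[k])}`)
      .join('&');
  }
  return purl;
}

function parsePurl(purl) {
  if (!purl.startsWith('pkg:')) throw new Error(`not a purl: ${purl}`);
  let rest = purl.slice('pkg:'.length);
  const qualifiers = {};
  const q = rest.indexOf('?');
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      const eq = pair.indexOf('=');
      if (eq === -1) throw new Error(`bad qualifier in ${purl}`);
      qualifiers[pair.slice(0, eq).toLowerCase()] = decodeURIComponent(pair.slice(eq + 1));
    }
    rest = rest.slice(0, q);
  }
  let version;
  const at = rest.lastIndexOf('@'); // an '@' inside name/namespace is %40
  if (at !== -1) {
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }
  // type / namespace segments... / name, empty segments discarded
  const segments = rest.split('/').filter((s) => s !== '');
  if (segments.length < 2) throw new Error(`missing name in ${purl}`);
  const type = segments.shift().toLowerCase();
  const name = decodeURIComponent(segments.pop());
  const namespace = segments.length ? segments.map(decodeURIComponent).join('/') : undefined;
  return { type, namespace, name, version, qualifiers };
}

// A ref is only usable as a bom-ref key if it survives parse -> rebuild
// unchanged; otherwise the same component can appear under several spellings.
function isCanonicalPurl(ref) {
  try {
    return buildPurl(parsePurl(ref)) === ref;
  } catch (e) {
    return false;
  }
}

// Gradle sub-project: the Maven group is the namespace, the project path
// (colons included) is the name.
function gradleProjectPurl(group, projectPath, version) {
  return buildPurl({
    type: 'maven',
    namespace: group,
    name: projectPath,
    version,
    qualifiers: { type: 'jar' },
  });
}

// Constructed sample: the encoded form round-trips, the reported shapes do not.
const good = gradleProjectPurl('org.apache.fineract', ':module:dummy:core', '1.8.4');
const reportedRefs = [
  'pkg:maven/org.apache.fineract/module:dummy:core@1.8.4?type=jar',
  'pkg:maven/module/dummy:core@latest?type=jar',
];

function report() {
  return {
    good,
    goodCanonical: isCanonicalPurl(good),
    reported: reportedRefs.map((r) => ({ ref: r, canonical: isCanonicalPurl(r), parsed: parsePurl(r) })),
  };
}
```

The canonical check covers only the purl-shape half of ref validity; a dependencies.ref must also match some component's bom-ref, which is why a ref such as pkg:maven/custom/foo@latest?type=jar can parse cleanly and still be reported. Turning ':' into '/' is not just cosmetic either: parsePurl on pkg:maven/module/dummy:core@latest?type=jar yields namespace 'module' and name 'dummy:core', so the sub-project's identity is already lost before any ref comparison happens.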

prabhu commented 1 year ago

@malice00 superb investigation! Let's see what the purl folks come back with. Meanwhile, do you see a better way to deal with encoding since the current encodeForPurl duplicated in cdxgen has resulted in quite a few bugs?

https://github.com/CycloneDX/cdxgen/blob/master/utils.js#L5182

prabhu commented 1 year ago

@malice00 I found and removed the replace that was changing colon partly to slash in this commit. It is generating a valid bom with this fix. Let me know what you think.

https://github.com/CycloneDX/cdxgen/pull/476/commits/657355939d7d5351277ba5d3fda6ce30dca047a5

malice00 commented 1 year ago

@prabhu Except for some invalid refs (which I may have solved in my branch), it looks valid indeed. I'm just not sure if that is accidental or not...

Can I commit my changes directly to this branch, or do I need to make a branch in my fork?

prabhu commented 1 year ago

@malice00 Please create a new branch. Looking forward to the PR!