CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

Invalid license URL is generated #889

Open andreycha opened 1 week ago

andreycha commented 1 week ago

Hi,

Version 3.0.5 (tried also 3.0.8) seems to generate invalid license URL for one of the components. Note whitespace at the end:

    {
      "type": "library",
      "bom-ref": "pkg:nuget/Mvc4Futures@4.0.20710",
      "author": "Microsoft",
      "name": "Mvc4Futures",
      "version": "4.0.20710",
      "description": "ASP.NET MVC Futures includes unsupported prototype features for ASP.NET MVC, from the MVC team.",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "FA3D285759CDD2BEDAD5632B267F76D0275DADE15B81EAA3DED2865B56C5A416E42BD558E1957E7A44D9BA63A719FCCBED30F586B7504ADE80441EA4F74C5031"
        }
      ],
      "licenses": [
        {
          "license": {
            "name": "Unknown - See URL",
            "url": "http://www.microsoft.com/web/webpi/eula/aspnetcomponent_enu.htm " <-- here
          }
        }
      ],
      "copyright": "Microsoft",
      "purl": "pkg:nuget/Mvc4Futures@4.0.20710",
      "externalReferences": [
        {
          "url": "http://aspnet.codeplex.com/",
          "type": "website"
        }
      ]
    }

BOM is generated as follows:

    dotnet cyclonedx "D:\BuildAgent\work\233fec8a519c12d7\Services\ServiceName\ServiceName.sln" -o dist\BOM -f bom.json -j -sn "ServiceName" -sv 1.2.3.4 --github-username *** --github-token ***

Not sure where the whitespace comes from; the component page on Nuget.org has a valid URL.

Would appreciate any help.

andreycha commented 1 week ago

Okay, the nasty whitespace comes from the nuspec file: https://api.nuget.org/v3-flatcontainer/Mvc4Futures/4.0.20710/Mvc4Futures.nuspec

Would it be possible, or make sense, to trim all URLs, for example?

mtsfoni commented 1 week ago

I think a valid URL can never start or end with whitespace, so I see no problem with that.

andreycha commented 1 week ago

True. DependencyTrack has recently started to validate BOMs according to the specification. It requires all URLs to be valid RFC 3987 IRI-references where whitespace is not a valid character.
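The two points raised in this thread, trimming URLs copied from the nuspec and checking the resulting BOM before a consumer such as Dependency-Track rejects it, can be demonstrated with a small script. The following is an added example and not code from cyclonedx-dotnet; the nuspec fragment and the BOM fragment are constructed to reproduce the Mvc4Futures case from the report, and `is_valid_url` is a deliberately conservative check (no whitespace, absolute URL with scheme and host) rather than a full RFC 3987 IRI validator.

```python
"""Added example (not cyclonedx-dotnet's code): find and fix whitespace-padded
URLs in a CycloneDX JSON BOM, and show the nuspec field that produced one."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed nuspec fragment modelled on the issue: note the trailing space
# inside <licenseUrl>, which is what ends up in the generated BOM.
NUSPEC_XML = """<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>Mvc4Futures</id>
    <version>4.0.20710</version>
    <licenseUrl>http://www.microsoft.com/web/webpi/eula/aspnetcomponent_enu.htm </licenseUrl>
    <projectUrl>http://aspnet.codeplex.com/</projectUrl>
  </metadata>
</package>"""

NUSPEC_NS = {"n": "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"}


def is_valid_url(value: str) -> bool:
    """Conservative check: no leading, trailing or embedded whitespace, and an
    absolute URL with a scheme and a host. RFC 3987 IRI-references allow more
    than this, but whitespace is never permitted, which is the case here."""
    if value != value.strip() or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def nuspec_license_url(xml_text: str) -> str:
    """Return the raw <licenseUrl> text exactly as the nuspec carries it."""
    root = ET.fromstring(xml_text)
    node = root.find("n:metadata/n:licenseUrl", NUSPEC_NS)
    return node.text if node is not None and node.text else ""


def find_bad_urls(bom: dict) -> list:
    """Return (bom-ref, location, url) for every license or external-reference
    URL in a CycloneDX JSON BOM that fails is_valid_url."""
    bad = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref", comp.get("name", "?"))
        for lic in comp.get("licenses", []):
            url = lic.get("license", {}).get("url")
            if url is not None and not is_valid_url(url):
                bad.append((ref, "licenses[].license.url", url))
        for ext in comp.get("externalReferences", []):
            url = ext.get("url")
            if url is not None and not is_valid_url(url):
                bad.append((ref, "externalReferences[].url", url))
    return bad


def trim_urls(bom: dict) -> dict:
    """Return a deep copy of the BOM with license and external-reference URLs
    stripped of surrounding whitespace (the fix proposed in the thread)."""
    fixed = json.loads(json.dumps(bom))
    for comp in fixed.get("components", []):
        for lic in comp.get("licenses", []):
            license_obj = lic.get("license", {})
            if isinstance(license_obj.get("url"), str):
                license_obj["url"] = license_obj["url"].strip()
        for ext in comp.get("externalReferences", []):
            if isinstance(ext.get("url"), str):
                ext["url"] = ext["url"].strip()
    return fixed


# Constructed BOM fragment reproducing the component from the issue; the
# license URL is taken straight from the nuspec, trailing space included.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{
        "type": "library",
        "bom-ref": "pkg:nuget/Mvc4Futures@4.0.20710",
        "name": "Mvc4Futures",
        "version": "4.0.20710",
        "licenses": [{"license": {"name": "Unknown - See URL",
                                  "url": nuspec_license_url(NUSPEC_XML)}}],
        "externalReferences": [{"url": "http://aspnet.codeplex.com/",
                                "type": "website"}],
    }],
}

if __name__ == "__main__":
    for ref, where, url in find_bad_urls(SAMPLE_BOM):
        print(f"{ref}: {where} = {url!r}")
    print("after trim:", find_bad_urls(trim_urls(SAMPLE_BOM)))
```

Running `find_bad_urls` over a BOM in CI before it is uploaded catches exactly the value Dependency-Track now refuses, and `trim_urls` is the same normalisation the generator would apply if it stripped nuspec URLs at source. The check is intentionally stricter than the schema in one direction only: a value it accepts may still fail a full IRI validator, but a value it rejects will never pass one.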