CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

Schema validation fails with git style URL #890

Open Recurse-blip opened 1 week ago

Recurse-blip commented 1 week ago

It seems that the CycloneDX tool generates an invalid URL when generating the SBOM, which fails schema validation when trying to upload the BOM to Dependency-Track.

This is the error I get:

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "cvc-datatype-valid.1.2.1: 'git@github.com:LordVeovis/xmlrpc.git' is not a valid value for 'anyURI'.",
        "cvc-type.3.1.3: The value 'git@github.com:LordVeovis/xmlrpc.git' of element 'url' is not valid."
    ]
}

I think CycloneDX should convert those git-style references to something like git+ssh://... or git+http://....git, which are valid URLs.

Related issues:
https://github.com/DependencyTrack/dependency-track/issues/3885
https://github.com/CycloneDX/cyclonedx-node-npm/issues/1198

mtsfoni commented 1 week ago

I would suspect those values are not generated by the tool but read from a source.

Where exactly are those invalid URIs in your SBOM? Can you provide me with steps to reproduce?

Recurse-blip commented 1 week ago

@mtsfoni I will provide a test project to reproduce

Recurse-blip commented 1 week ago

> I would suspect those values are not generated by the tool but read from a source.
>
> Where exactly are those invalid URIs in your SBOM? Can you provide me with steps to reproduce?

See the bom.xml generated here:

https://github.com/Recurse-blip/cyclonedx_giturl/actions/runs/9714725731/job/26814458493

You will see that there is a URL with this content:

git@github.com:LordVeovis/xmlrpc.git

It should be converted to a valid URL such as git+http://github.com/LordVeovis/xmlrpc.git

mtsfoni commented 1 week ago

The source of the problem is obviously here: https://github.com/LordVeovis/xmlrpc/blob/2f6fc86d85d0eab0f26a73ba9e2a1d0cc9be26f7/Kveer.XmlRPC/Kveer.XmlRPC.csproj#L19

Even if rubbish comes in, this tool should still generate a valid CycloneDX file.

I think we should add a check when we fill URLs if they are valid. If it isn't, we could probably delete it (easy solution). Alternatively, somebody could build a system that reliably replaces those, but that adds more complexity.

jkowalleck commented 1 day ago

> I think we should add a check when we fill URLs if they are valid. If it isn't, we could probably delete it

Doing the same for XML in PHP: https://github.com/CycloneDX/cyclonedx-php-library/blob/fab6f93979fc43cb64d0d15d086a565e2b7072d2/src/Core/_helpers/XML.php#L62-L76

Anyway, for fields where you know it could be a git-ssh address, like externalReference of type VCS, you should not throw the data away but transform it accordingly. A string in the format <user>@<host>:<path> can be converted to git+ssh://<user>@<host>/<path> according to all specs.
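One way to implement the two points raised in this thread, checking each value before it is written into an externalReference and transforming scp-style git addresses instead of dropping them, as an added example in C# (this is not cyclonedx-dotnet's own code; the class name VcsUrlNormalizer, the Normalize method and the sample inputs are assumptions made for illustration). It goes slightly beyond the single value in the issue: it also handles the user-less form host:path, the absolute-path form host:/path, and a DOS drive letter that would otherwise look like an scp host.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not cyclonedx-dotnet's code): normalise a repository
// reference read from a project file before it is written into an
// externalReference of type VCS, so the BOM always passes anyURI checks.
public static class VcsUrlNormalizer
{
    // git's scp-like form: [user@]host:path, recognised only when there is
    // no slash before the first colon. The path may not start with "//",
    // so "scheme://..." forms never match this pattern.
    private static readonly Regex ScpLike = new Regex(
        @"^(?:(?<user>[^@/:]+)@)?(?<host>[^@/:]+):(?<path>(?!//).+)$",
        RegexOptions.Compiled);

    // Returns a valid absolute URI, or null when the input cannot be made
    // into one and should be left out of the BOM rather than emitted as-is.
    public static string Normalize(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
            return null;

        string value = raw.Trim();

        Match m = ScpLike.Match(value);
        if (m.Success)
        {
            string host = m.Groups["host"].Value;
            string path = m.Groups["path"].Value;

            // "C:\repo" or "C:/repo" is a DOS drive path, not an ssh host.
            // git treats that as a local repository; it is not a VCS URL.
            if (host.Length == 1 && (path.StartsWith("\\") || path.StartsWith("/")))
                return null;

            string user = m.Groups["user"].Success
                ? m.Groups["user"].Value + "@"
                : string.Empty;

            // Follow the mapping proposed in the thread:
            // <user>@<host>:<path> -> git+ssh://<user>@<host>/<path>
            // (avoid a double slash when the scp path was already absolute).
            string separator = path.StartsWith("/") ? string.Empty : "/";
            return "git+ssh://" + user + host + separator + path;
        }

        // Anything else must already parse as an absolute URI with a scheme
        // (https://, ssh://, git+ssh://, ...). If it does not, drop it: an
        // invalid anyURI is rejected by Dependency-Track's schema validation.
        Uri uri;
        if (Uri.TryCreate(value, UriKind.Absolute, out uri))
            return uri.OriginalString;

        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs; the first one is the value from the issue.
        string[] samples =
        {
            "git@github.com:LordVeovis/xmlrpc.git",
            "github.com:LordVeovis/xmlrpc.git",
            "git@example.org:/srv/git/xmlrpc.git",
            "https://github.com/LordVeovis/xmlrpc.git",
            "git+ssh://git@github.com/LordVeovis/xmlrpc.git",
            "not a url at all",
            @"C:\src\xmlrpc",
        };

        foreach (string sample in samples)
        {
            string normalized = VcsUrlNormalizer.Normalize(sample) ?? "(dropped)";
            Console.WriteLine("{0,-48} -> {1}", sample, normalized);
        }
    }
}
```

Two caveats worth keeping in mind when adopting something like this. First, the scp-like pattern is checked before Uri.TryCreate on purpose: .NET happily parses "github.com:LordVeovis/xmlrpc.git" as an absolute URI with the scheme "github.com", so testing for a URI first would let the user-less form through untransformed. Second, in git an scp-style path without a leading slash is relative to the login user's home directory, whereas the path of an ssh:// URL is absolute; the git+ssh://host/path form proposed above is what GitHub and most hosting services accept, and it is a valid anyURI either way, which is all the CycloneDX schema checks.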