Open Recurse-blip opened 1 week ago
I would suspect those values are not generated by the tool but read from a source.
Where exactly are those invalid URIs in your SBOM? Can you provide me steps to reproduce?
@mtsfoni I will provide a test project to reproduce
> I would suspect those values are not generated by the tool but read from a source.
> Where exactly are those invalid URIs in your SBOM? Can you provide me steps to reproduce?
See the bom.xml generated here:
https://github.com/Recurse-blip/cyclonedx_giturl/actions/runs/9714725731/job/26814458493
You will see that there is a URL with this content:
git@github.com:LordVeovis/xmlrpc.git
It should be converted to a valid URL such as git+http://github.com/LordVeovis/xmlrpc.git
The source of the problem is obviously here: https://github.com/LordVeovis/xmlrpc/blob/2f6fc86d85d0eab0f26a73ba9e2a1d0cc9be26f7/Kveer.XmlRPC/Kveer.XmlRPC.csproj#L19
Even if rubbish comes in, this tool should still generate a valid cyclonedx file.
I think we should add a check when we fill URLs if they are valid. If it isn't, we could probably delete it (easy solution). Alternatively, somebody could build a system that reliably replaces those, but that adds more complexity.
> I think we should add a check when we fill URLs if they are valid. If it isn't, we could probably delete it
doing the same for XML in PHP: https://github.com/CycloneDX/cyclonedx-php-library/blob/fab6f93979fc43cb64d0d15d086a565e2b7072d2/src/Core/_helpers/XML.php#L62-L76
anyway, for fields where you know it could be a git-ssh address - like externalReference of type VCS - you should not throw the data away, but transform it accordingly.
a string in the format of `<user>@<host>:<path>` can be converted to `git+ssh://<user>@<host>/<path>` according to all specs.
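The two proposals above (validate the URL and drop it if it is invalid; for VCS references, rewrite the scp-like git address into a `git+ssh://` URL first) can be combined into one sanitizing pass. The following is an added, stand-alone illustration written for this thread; it is not code from cyclonedx-dotnet or the PHP library. The regex, the `is_valid_uri` check and the sample reference list are my own constructions, and the external references are modelled as plain dicts rather than the tools' real model classes.

```python
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

# scp-like git address: <user>@<host>:<path>. There is no scheme, and the single
# colon separates host from path. Values that already carry a scheme
# ("https://...", "ssh://...") fail at the <user> group because they contain ':'
# before any '@'. (Constructed pattern for this example.)
SCP_LIKE = re.compile(r"^(?P<user>[^@/:\s]+)@(?P<host>[^:/\s]+):(?P<path>[^\s]+)$")


def is_valid_uri(value: str) -> bool:
    """Minimal absolute-URI check: a scheme must be present, plus an authority or path.

    This is stricter than nothing and is enough to reject "git@host:path"; a real
    implementation would delegate to the schema validator's own anyURI rules.
    """
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def scp_to_git_ssh(value: str) -> Optional[str]:
    """Rewrite <user>@<host>:<path> to git+ssh://<user>@<host>/<path>, else None.

    The path is copied verbatim after a single '/', as described in the thread.
    """
    m = SCP_LIKE.match(value)
    if m is None:
        return None
    return f"git+ssh://{m['user']}@{m['host']}/{m['path']}"


def sanitize_external_references(refs: list[dict]) -> list[dict]:
    """Return a copy of refs in which every 'url' is a valid URI.

    - valid URLs pass through unchanged;
    - VCS references in scp-like git syntax are converted, not discarded;
    - anything else that is still invalid is dropped so the SBOM stays schema-valid.
    """
    cleaned: list[dict] = []
    for ref in refs:
        url = ref.get("url", "")
        if is_valid_uri(url):
            cleaned.append(dict(ref))
            continue
        if ref.get("type") == "vcs":
            converted = scp_to_git_ssh(url)
            if converted is not None:
                cleaned.append({**ref, "url": converted})
                continue
        # Unrepairable value: omit the reference rather than emit an invalid URI.
    return cleaned


# Constructed sample input. The first URL is the one reported in this thread; the
# other two are made up to show the pass-through and drop cases.
SAMPLE_REFS = [
    {"type": "vcs", "url": "git@github.com:LordVeovis/xmlrpc.git"},
    {"type": "vcs", "url": "https://example.com/repo.git"},
    {"type": "website", "url": "not a url"},
]

if __name__ == "__main__":
    for ref in sanitize_external_references(SAMPLE_REFS):
        print(ref["type"], ref["url"])
```

One caveat worth keeping in mind when rewriting: git interprets the path in scp-like syntax relative to the remote user's home directory, whereas the path in an `ssh://` URL is absolute. For hosting services such as GitHub the two resolve to the same repository, which is why the simple rewrite is acceptable for the externalReference use case.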
It seems that the CycloneDX tool generates an invalid URL when generating the SBOM, which fails schema validation when trying to upload the BOM to Dependency-Track.
This is the error I get:
I think CycloneDX should convert those git-style references to something like `git+ssh://...` or `git+http://....git`, which are valid URLs.
Related issues: https://github.com/DependencyTrack/dependency-track/issues/3885 https://github.com/CycloneDX/cyclonedx-node-npm/issues/1198