CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

[BUG] repository with git ssh url end up violating CycloneDX json schema #1198

Closed valentijnscholten closed 4 months ago

valentijnscholten commented 4 months ago

Describe the bug

For projects that have a git SSH url in the repository section, this url ends up as externalReference in the generated SBOM. This URL violates the JSON schema iri-reference. We ran into this in DependencyTrack.

To Reproduce

Add a git ssh url to your repository section in the package.json

  "repository": {
    "type": "git",
    "url": "git@gitlab.dontcare.com:group/repo.git"
  },

Expected behavior

Although the input URL doesn't adhere to the iri-reference spec, it might be possible to convert these URLs into a git+ssh://... style URL, similar to what is already done for known SaaS hosting platforms via https://www.npmjs.com/package/hosted-git-info

Screenshots or output-paste

Generated bom output:

  "externalReferences": [
    {
      "type": "vcs",
      "url": "git@gitlab.dontcare.com:group/repo.git",
      "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
    },

Environment

jkowalleck commented 4 months ago

thanks for reporting, @valentijnscholten.

could you elaborate on how to reproduce? Maybe add a zip file with a complete project setup, or link to a github repo with a setup?

The current information is just not enough to craft a reproducible (regression) test from.

jkowalleck commented 4 months ago

some details on current sanitizing: there is none for unknown hosts...

see https://runkit.com/jkowalleck/667edd7d89e6c1000878b965

const hostedGitInfo = require("hosted-git-info")

const info1 = hostedGitInfo.fromUrl("git@github.com:group/repo.git", {})
console.log('info1', info1, info1.toString())

const info2 = hostedGitInfo.fromUrl("git@gitlab.example.com:group/repo.git", {})
console.log('info2', info2)

jkowalleck commented 4 months ago

@valentijnscholten , would you be willing to work on a solution to your problem?

jkowalleck commented 4 months ago

this might work, ... https://runkit.com/jkowalleck/667ee45ffa67ee0008c5f152

const GitUrlParse = require("git-url-parse");

const x1 = GitUrlParse("http://github.com/IonicaBizau/node-git-url-parse.git");
console.log(x1);
// `protocols` is an array, so test membership with includes(); comparing it
// with `== ['ssh']` is always false. toString('git+ssh') emits a git+ssh:// URL.
console.log(x1.toString(x1.protocols.includes('ssh') ? 'git+ssh' : undefined));

const x2 = GitUrlParse("git@gitlab.example.com:IonicaBizau/node-git-url-parse.git");
console.log(x2);
console.log(x2.toString(x2.protocols.includes('ssh') ? 'git+ssh' : undefined));

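An added example, not code from cyclonedx-node-npm and not the fix that shipped in v1.19.2: a dependency-free normalizer for the scp-like form reported above. A string such as `git@gitlab.dontcare.com:group/repo.git` is neither a valid absolute URI (the `@` cannot appear in a scheme) nor a valid relative reference (RFC 3986 forbids a `:` in the first path segment), which is why it fails the `iri-reference` format check. The example rewrites it into `git+ssh://user@host/path`, passes through anything that already carries a `scheme://`, and returns `undefined` for inputs it cannot make schema-valid, so the caller can drop the external reference instead of emitting an invalid one. The function names `normalizeRepoUrl` and `isAbsoluteUrl` and the regular expression are this example's own assumptions; npm shorthands such as `github:user/repo` are deliberately left to hosted-git-info, which the project already uses.

```javascript
// Added example (not from cyclonedx-node-npm): turn scp-like git URLs into
// git+ssh:// URLs that satisfy the CycloneDX JSON-schema "iri-reference" format.
// Uses only Node's built-in WHATWG URL parser; no third-party parser assumed.

// scp-like syntax: optional "user@", a dotted host, ":", then a path that does
// not start with "//" (which would look like an authority instead of a path).
// The host must contain a dot so that npm shorthands like "github:user/repo"
// are not mistaken for a host:path pair (hosted-git-info handles those).
const SCP_LIKE = /^(?:([^@/:\s]+)@)?([^@/:\s]+\.[^@/:\s]+):(?!\/\/)(\S+)$/;

function isAbsoluteUrl(s) {
  // Require an explicit "scheme://"; new URL() alone would happily parse
  // "host.example.com:group/repo" as a URL whose scheme is "host.example.com".
  if (!/^[A-Za-z][A-Za-z0-9+.-]*:\/\//.test(s)) return false;
  try {
    new URL(s);
    return true;
  } catch {
    return false;
  }
}

// Returns a schema-valid URL string, or undefined when the input cannot be
// normalized (caller should then omit the external reference).
function normalizeRepoUrl(raw) {
  const s = String(raw).trim();
  if (isAbsoluteUrl(s)) return s; // https://, ssh://, git+ssh://, ... pass through
  const m = SCP_LIKE.exec(s);
  if (!m) return undefined;
  const [, user = 'git', host, path] = m;
  // Leading slashes are dropped so that "host:/srv/repo.git" and
  // "host:group/repo.git" both become a single-slash path; this is lossy
  // but yields a well-formed URL in either case.
  const normalized = `git+ssh://${user}@${host}/${path.replace(/^\/+/, '')}`;
  // Round-trip through the URL parser before trusting the result.
  return isAbsoluteUrl(normalized) ? normalized : undefined;
}

// Constructed sample inputs covering the reported case, a passthrough, and
// a shorthand that must not be rewritten.
const samples = [
  'git@gitlab.dontcare.com:group/repo.git',
  'https://github.com/CycloneDX/cyclonedx-node-npm.git',
  'github:user/repo',
];
for (const s of samples) console.log(s, '->', normalizeRepoUrl(s));

module.exports = { normalizeRepoUrl, isAbsoluteUrl };
```

Wiring this in front of the externalReferences emitter means a malformed `repository.url` degrades to a missing VCS reference rather than an SBOM that downstream consumers such as Dependency-Track reject at schema validation.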
jkowalleck commented 4 months ago

i will work on this very soon

jkowalleck commented 4 months ago

relevant docs: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#repository

valentijnscholten commented 4 months ago

Thanks! I'll give it a go soon.

jkowalleck commented 4 months ago

v1.19.2 includes the fix