DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

CycloneDX BOM validation fails when URLs contain %-encoded '[' and ']' characters #3831

Closed 4naesthetic closed 1 week ago

4naesthetic commented 3 weeks ago

Current Behavior

When BOM validation is enabled, certain CycloneDX BOMs will erroneously fail to validate. This happens (at least) when a component entry contains an external reference with a URL containing %-encoded [ or ] characters (%5B and %5D) in the query string. When this occurs, the following (sample) error message is returned from the /api/v1/bom endpoint:

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"
    ]
}

This is due to a bug in the underlying json-schema-validator library used by cyclonedx-core-java (which Dependency-Track uses for BOM validation). The bug has been fixed in the latest commit, but a new release of json-schema-validator hasn't been published yet.

Steps to Reproduce

  1. Enable BOM validation in the Administration panel.
  2. Upload the following sample BOM to a new or existing project: bom-test.json

Expected Behavior

This BOM should pass validation and successfully populate the project with components.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

N/A


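As an added illustration (not code from the issue, from Dependency-Track or from json-schema-validator), the following Python script checks the externalReferences URLs of a constructed CycloneDX BOM fragment against the RFC 3986 query grammar, so a practitioner reviewing a rejected upload can tell a genuinely malformed URL (a raw `[`/`]` in the query) from the false positive on `%5B`/`%5D` described above. The sample BOM, its URLs and the function names are assumptions; the check covers the ASCII subset of the RFC 3987 iquery rule only.

```python
import json
import re

# Constructed sample BOM fragment (not the bom-test.json attached to the issue).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.0.0",
     "externalReferences": [
       {"type": "website",      "url": "https://example.com/pkg?tags=%5Balpha%5D"},
       {"type": "vcs",          "url": "https://example.com/repo?tags=[alpha]"},
       {"type": "distribution", "url": "https://example.com/dl/example-lib-1.0.0.tgz"}
     ]}
  ]
}""")

# RFC 3986 sec. 3.4: query = *( pchar / "/" / "?" ), where pchar is
# unreserved / pct-encoded / sub-delims / ":" / "@". A raw "[" or "]" is a
# gen-delim and is only legal inside an IPv6 host literal, never in a query,
# whereas the pct-encoded forms %5B / %5D are ordinary pct-encoded octets.
# Simplification: non-ASCII ucschar/iprivate code points of RFC 3987 are not accepted.
_QUERY_OK = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")


def query_is_valid(url):
    """True if the query component (if any) consists only of pchar / pct-encoded octets."""
    _, sep, rest = url.partition("?")
    if not sep:
        return True  # no query component, nothing to check here
    query = rest.split("#", 1)[0]  # drop any fragment
    return _QUERY_OK.fullmatch(query) is not None


def audit_external_reference_urls(bom):
    """Return (json_path, url, verdict) for every externalReferences[].url in the BOM.

    The json_path mirrors the "$.components[i].externalReferences[j].url" form
    used in the validator's error messages.
    """
    results = []
    for ci, comp in enumerate(bom.get("components", [])):
        for ri, ref in enumerate(comp.get("externalReferences", [])):
            url = ref.get("url", "")
            path = f"$.components[{ci}].externalReferences[{ri}].url"
            if not query_is_valid(url):
                verdict = "invalid: raw gen-delim or bad pct-encoding in query"
            elif re.search(r"%5[BD]", url, re.IGNORECASE):
                verdict = "valid (pct-encoded brackets; false positive in the affected validator)"
            else:
                verdict = "valid"
            results.append((path, url, verdict))
    return results
```

Running `audit_external_reference_urls(SAMPLE_BOM)` flags only the second URL as genuinely invalid; the first is valid and would only have been rejected by the buggy validator.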
nscuro commented 3 weeks ago

Thanks for identifying and fixing the issue in json-schema-validator!

Marked this as blocked since we'll have to wait for a validator release.

Recurse-blip commented 2 weeks ago

A release that contains the fix has been released in json-schema-validator: https://github.com/networknt/json-schema-validator/releases/tag/1.4.2

nscuro commented 1 week ago

Yup, and I merged an update into cyclonedx-core-java earlier today: https://github.com/CycloneDX/cyclonedx-core-java/pull/436

There'll likely be a release of that shortly, closely followed by a v4.11.4 release of DT I reckon...