Closed: 4naesthetic closed 1 week ago
Thanks for identifying and fixing the issue in json-schema-validator!
Marked this as blocked since we'll have to wait for a validator release.
A release that contains the fix has been released in json-schema-validator
https://github.com/networknt/json-schema-validator/releases/tag/1.4.2
Yup, and I merged an update into cyclonedx-core-java earlier today: https://github.com/CycloneDX/cyclonedx-core-java/pull/436
There'll likely be a release of that shortly, closely followed by a v4.11.4 release of DT I reckon...
Current Behavior
When BOM validation is enabled certain CycloneDX BOMs will erroneously fail to validate. This happens (at least) when a component entry contains an external reference with a URL containing %-encoded `[` or `]` characters (`%5B` and `%5D`) in the query string. When this occurs the following (sample) error message is returned from the `/api/v1/bom` endpoint:

This is due to a bug in the underlying `json-schema-validator` library used by cyclonedx-core-java (which Dependency Track uses for BOM validation). The bug has been fixed in the latest commit but a new release of `json-schema-validator` hasn't been published yet.
Steps to Reproduce
Expected Behavior
This BOM should pass validation and successfully populate the project with components.
Dependency-Track Version
4.12.0-SNAPSHOT
Dependency-Track Distribution
Container Image
Database Server
H2
Database Server Version
No response
Browser
N/A
Checklist
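As an added triage example (not code from Dependency-Track, cyclonedx-core-java, json-schema-validator or the issue itself), the script below scans a CycloneDX JSON BOM for external-reference URLs whose query string carries the percent-encoded brackets described in the issue, so a team can find BOMs that an affected validator version will reject before upgrading. The embedded BOM is constructed; the field names it walks (`components`, `externalReferences`, `url`, nested `components`) are the CycloneDX JSON ones, and the percent-escape check is a plain RFC 3986 syntax check, not a reimplementation of the validator's format logic.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample BOM (not taken from the issue): the first component has a
# "website" reference with %5B / %5D in its query string, the second does not.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "example-lib",
            "version": "1.0.0",
            "externalReferences": [
                {"type": "website",
                 "url": "https://example.test/search?filter%5Bname%5D=example-lib"},
                {"type": "vcs", "url": "https://example.test/example-lib.git"},
            ],
        },
        {
            "type": "library",
            "name": "plain-lib",
            "version": "2.0.0",
            "externalReferences": [
                {"type": "website", "url": "https://example.test/plain-lib?tag=v2"},
            ],
        },
    ],
})

# %5B / %5D in either case, as produced by common URL encoders.
ENCODED_BRACKET = re.compile(r"%5[bBdD]")
# RFC 3986 pct-encoded: '%' followed by exactly two hex digits.
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def external_reference_urls(components):
    """Yield (component name, reference type, url) in document order,
    descending into nested components, which CycloneDX permits."""
    for comp in components:
        for ref in comp.get("externalReferences", []):
            yield comp.get("name", "?"), ref.get("type", "?"), ref.get("url", "")
        yield from external_reference_urls(comp.get("components", []))


def has_encoded_brackets_in_query(url):
    """True when the query string (not the path) contains %5B or %5D."""
    return bool(ENCODED_BRACKET.search(urlsplit(url).query))


def has_valid_percent_escapes(url):
    """True when every '%' in the URL starts a well-formed two-hex-digit escape,
    i.e. the URL is syntactically fine and only trips the validator bug."""
    return all(PCT_ESCAPE.fullmatch(url[m.start():m.start() + 3]) is not None
               for m in re.finditer("%", url))


def find_affected_references(bom_json):
    """Return the references that are valid URIs but carry encoded brackets in
    the query string, the exact shape the issue reports as failing."""
    bom = json.loads(bom_json)
    return [(name, rtype, url)
            for name, rtype, url in external_reference_urls(bom.get("components", []))
            if has_encoded_brackets_in_query(url) and has_valid_percent_escapes(url)]


if __name__ == "__main__":
    for name, rtype, url in find_affected_references(SAMPLE_BOM_JSON):
        print(f"{name}: {rtype} reference may be rejected by affected validator: {url}")
```

Run it against a real BOM by replacing `SAMPLE_BOM_JSON` with the file contents; an empty result means the BOM is not affected by this particular bug, while hits point at the components whose references would need the fixed json-schema-validator release to validate.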