Closed valentijnscholten closed 1 day ago
@jkowalleck Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?
re https://github.com/DependencyTrack/dependency-track/issues/3885#issuecomment-2192371737
Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?
You remember correctly, we do.
The CycloneDX schema requires external references to comply with JSON schema 'iri-reference' and XML schema xs:anyURI.
In some package managers it is natively supported to use 'git@.../path' or '....git' as a repo URL.
Even though a git@gitlab.dontcare.com:group/repo.git might be understood by git, as it has handling for it, this value is still invalid according to said schema.
Therefore, we transform some well-known repo-hosters' URLs to git+ssh://... or git+http://....git or similar. This is done via https://www.npmjs.com/package/hosted-git-info, which knows these specific resolutions and endpoints.
In general, I'd say it would be possible to convert git@<host>:<path> URLs to git+ssh://git@<host>/<path>. But this is just my gut feeling - without any research done.
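The rewrite described in the comment above, as an added example that is not part of this thread, of cyclonedx-node-npm, or of hosted-git-info: it turns git's scp-like remote syntax (`[user@]host:path`) into the `git+ssh://git@<host>/<path>` form suggested here, and checks the result with a lightweight approximation of "is this a URI reference" (WHATWG URL parser plus RFC 3986's rule for relative references), not with the xs:anyURI / iri-reference validator Dependency-Track actually runs. Function names and the sample reference list are constructed for the example; the URL values are the ones quoted in this thread and the issue body.

```javascript
// Added example (not cyclonedx-node-npm or hosted-git-info code): rewrite the
// scp-like remote syntax git accepts ("[user@]host:path") into a URI that a
// CycloneDX externalReference.url can carry:
//   git@<host>:<path>  ->  git+ssh://git@<host>/<path>
//
// Assumption: validity is approximated with the WHATWG URL parser and the
// RFC 3986 relative-reference rule, not with the schema validator DT uses.

const SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:/;
// scp-like: optional user, a host containing neither ":" nor "/", a ":", then the path.
const SCP_LIKE = /^(?:([^@:/]+)@)?([^@:/]+):(.*)$/;

// Approximates "is this a URI reference?": an absolute URI must parse, and a
// relative reference's first path segment must not contain ":" (RFC 3986
// path-noscheme). "git@host:path" violates the second rule, which is why
// deleting the colon makes the value pass validation (as a relative reference).
function isUriReference(value) {
  if (SCHEME.test(value)) {
    try { new URL(value); return true; } catch { return false; }
  }
  const firstSegment = value.split(/[/?#]/, 1)[0];
  return !firstSegment.includes(':');
}

// Returns a schema-valid URL for a git remote, or null when the value cannot
// be repaired mechanically (the caller then drops or flags the reference).
function normalizeGitRemote(value) {
  if (isUriReference(value)) return value;   // already acceptable, leave it alone
  if (value.includes('://')) return null;     // e.g. "ssh://host:path": a URL with a malformed port, not scp syntax
  const m = SCP_LIKE.exec(value);
  if (m === null) return null;
  const [, user, host, path] = m;
  // git resolves an scp-like path relative to the login home; hosted forges
  // accept the same path under ssh://host/<path>, so a single "/" join suffices.
  const candidate = `git+ssh://${user ? user + '@' : ''}${host}/${path.replace(/^\/+/, '')}`;
  return isUriReference(candidate) ? candidate : null;
}

// Apply to the externalReferences of a BOM and report every change, so the
// producing tool can be fixed upstream instead of the rewrite staying silent.
function normalizeExternalReferences(refs) {
  const report = [];
  const out = refs.map((ref) => {
    const fixed = normalizeGitRemote(ref.url);
    if (fixed === null) { report.push({ url: ref.url, action: 'dropped' }); return null; }
    if (fixed !== ref.url) report.push({ url: ref.url, action: 'rewritten', to: fixed });
    return { ...ref, url: fixed };
  }).filter((r) => r !== null);
  return { refs: out, report };
}

// Constructed sample using the values quoted in this thread.
const sample = [
  { type: 'vcs', url: 'git@gitlab.dontcare.com:group/repo.git' },
  { type: 'vcs', url: 'git@github.com:LordVeovis/xmlrpc.git' },
  { type: 'vcs', url: 'ssh://git@gitlab.dontcare.com:group/repo.git' },
  { type: 'website', url: 'https://gitlab.dontcare.com/group/repo' },
];
console.log(JSON.stringify(normalizeExternalReferences(sample), null, 2));
```

Running it rewrites the two scp-like values, drops the `ssh://...:group/...` one (its "port" is not numeric, so no URL parser accepts it, matching the failed validation reported below), and leaves the https reference untouched.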
@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?
@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?
Why not. here you go: https://github.com/CycloneDX/cyclonedx-node-npm/issues/new?assignees=&labels=bug&projects=&template=2-bug_report.md&title=%5BBUG%5D Please provide a reproducible setup and example.
I have the same issue trying to upload an SBOM generated with https://github.com/CycloneDX/cyclonedx-dotnet . When I try to upload to dependency track I get this error. Should I also open an issue there as well?
{
"status": 400,
"title": "The uploaded BOM is invalid",
"detail": "Schema validation failed",
"errors": [
"cvc-datatype-valid.1.2.1: 'git@github.com:LordVeovis/xmlrpc.git' is not a valid value for 'anyURI'.",
"cvc-type.3.1.3: The value 'git@github.com:LordVeovis/xmlrpc.git' of element 'url' is not valid."
]
}
Should I also open an issue there as well?
@Recurse-blip , sure. Please report the situation, so tools may be improved.
Is there anything expected from DT here? Can we close this? To my understanding we're merely enforcing the schema, and there's not much we can do about this.
On a related note, #3891 should allow users to disable / enable validation using tags. That way, it's not necessary to globally disable validation, only because a handful of projects are blocked by invalid BOMs.
Can be closed
Current Behavior
externalReference is added containing the git url of the project, i.e. git@gitlab.dontcare.com:group/repo.git
Steps to Reproduce
When changing the value to git@gitlab.dontcare.comgroup/repo.git validation passes.
Expected Behavior
Not sure as git@gitlab.dontcare.com:group/repo.git is not a valid URI so probably also not a valid IRI? I am still reporting it here to see what/if we can do something and for others that run into the same issue.
It looks like #3831, but really isn't.
ssh://git@gitlab.dontcare.com:group/repo.git also fails validation. Maybe cyclonedx shouldn't output invalid URIs/IRIs?
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15
Browser
Google Chrome
Checklist