DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

CycloneDX BOM validation fails for git style externalReferences #3885

Closed valentijnscholten closed 1 day ago

valentijnscholten commented 6 days ago

Current Behavior

  1. Generate a BOM with cyclonedx-npm
  2. Observe an externalReference is added containing the git url of the project, i.e. git@gitlab.dontcare.com:group/repo.git

Steps to Reproduce

  1. Upload the generated BOM to DT, or just the attached bom-test.json.

When changing the value to git@gitlab.dontcare.comgroup/repo.git, validation passes.

Expected Behavior

Not sure as git@gitlab.dontcare.com:group/repo.git is not a valid URI so probably also not a valid IRI?

I am still reporting it here to see what/if we can do something, and for others who run into the same issue.

It looks like #3831, but really isn't.

ssh://git@gitlab.dontcare.com:group/repo.git also fails validation.

Maybe cyclonedx shouldn't output invalid URIs/IRIs?

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Google Chrome

Checklist

nscuro commented 6 days ago

@jkowalleck Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?

jkowalleck commented 6 days ago

re https://github.com/DependencyTrack/dependency-track/issues/3885#issuecomment-2192371737

Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?

You remember correctly, we do. The CycloneDX schema requires external references to comply with JSON schema 'iri-reference' and XML schema xs:anyURI. In some package managers it is natively supported to use 'git@.../path' or '....git' as a repo URL.

Even though a git@gitlab.dontcare.com:group/repo.git might be understood by git, as it has handling for it, this value is still invalid to said schema. Therefore, we transform some well-known repo-hosters' URLs to git+ssh://... or git+http://....git or similar. This is done via https://www.npmjs.com/package/hosted-git-info, which knows these specific resolutions and endpoints. In general, I'd say it would be possible to convert git@<host>:<path> URLs to git+ssh://git@<host>/<path>. But this is just my gut feeling - without any research done.

valentijnscholten commented 5 days ago

@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?

jkowalleck commented 5 days ago

@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?

Why not. Here you go: https://github.com/CycloneDX/cyclonedx-node-npm/issues/new?assignees=&labels=bug&projects=&template=2-bug_report.md&title=%5BBUG%5D Please provide a reproducible setup and example.

Recurse-blip commented 5 days ago

I have the same issue trying to upload an SBOM generated with https://github.com/CycloneDX/cyclonedx-dotnet. When I try to upload to Dependency-Track I get this error. Should I also open an issue there as well?

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "cvc-datatype-valid.1.2.1: 'git@github.com:LordVeovis/xmlrpc.git' is not a valid value for 'anyURI'.",
        "cvc-type.3.1.3: The value 'git@github.com:LordVeovis/xmlrpc.git' of element 'url' is not valid."
    ]
}

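
As an added illustration of the two points above (example code, not part of cyclonedx-node-npm, cyclonedx-dotnet or Dependency-Track): `isUriReference` approximates the xs:anyURI / iri-reference check behind the `cvc-datatype-valid` error using Node's built-in WHATWG URL parser, `normalizeGitReference` applies the git@<host>:<path> to git+ssh://git@<host>/<path> rewrite jkowalleck suggests, and `fixExternalReferences` runs both over a BOM. The sample BOM fragment is constructed, and treating the ssh://user@host:path hybrid the same way as the bare SCP form is my assumption, not something the thread settles.

```javascript
// Added example; not code from cyclonedx-node-npm, cyclonedx-dotnet or Dependency-Track.
// Validates externalReference URLs roughly the way an anyURI / iri-reference
// validator would, and rewrites SCP-like git remotes (git@<host>:<path>)
// into git+ssh://git@<host>/<path>. Only Node's built-in URL class is used.

// user@host:path where the text after ':' is neither '//' nor a numeric port.
const SCP_LIKE_RE = /^(?:([^@\/:]+)@)?([^@\/:]+):(?!\/\/)(?!\d+(?:\/|$))(.+)$/;

// Approximates xs:anyURI / iri-reference: either an absolute URL, or a
// relative reference whose first path segment contains no ':' (RFC 3986 rule;
// a ':' there would be read as a malformed scheme, which is why
// git@host:group/repo.git is rejected while git@hostgroup/repo.git is not).
function isUriReference(value) {
  try { new URL(value); return true; } catch { /* not an absolute URL */ }
  const firstSegment = value.split(/[\/?#]/, 1)[0];
  if (firstSegment.includes(':')) return false;
  try { new URL(value, 'https://base.invalid/'); return true; } catch { return false; }
}

// Returns a schema-valid URI, or null when the value cannot be rewritten.
function normalizeGitReference(value) {
  if (isUriReference(value)) return value;
  // Assumption: the ssh://user@host:path hybrid is handled like the bare SCP
  // form, since the URL parser rejects its non-numeric "port" anyway.
  const m = SCP_LIKE_RE.exec(value.replace(/^ssh:\/\//i, ''));
  if (!m) return null;
  const [, user, host, path] = m;
  const userinfo = user ? `${encodeURIComponent(user)}@` : '';
  const candidate = `git+ssh://${userinfo}${host}/${path.replace(/^\/+/, '')}`;
  return isUriReference(candidate) ? candidate : null;
}

// Walks a CycloneDX JSON BOM and rewrites invalid component externalReferences.
// Works on a deep copy; returns the fixed copy plus a report of what changed.
function fixExternalReferences(bom) {
  const copy = JSON.parse(JSON.stringify(bom));
  const report = [];
  for (const component of copy.components ?? []) {
    for (const ref of component.externalReferences ?? []) {
      if (isUriReference(ref.url)) continue;
      const fixed = normalizeGitReference(ref.url);
      report.push({ component: component.name, original: ref.url, fixed });
      if (fixed !== null) ref.url = fixed;
    }
  }
  return { bom: copy, report };
}

// Constructed sample BOM fragment (not the issue's bom-test.json).
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { type: 'library', name: 'app', externalReferences: [
      { type: 'vcs', url: 'git@gitlab.dontcare.com:group/repo.git' } ] },
    { type: 'library', name: 'xmlrpc', externalReferences: [
      { type: 'vcs', url: 'git@github.com:LordVeovis/xmlrpc.git' },
      { type: 'website', url: 'https://github.com/LordVeovis/xmlrpc' } ] },
  ],
};

console.log(JSON.stringify(fixExternalReferences(SAMPLE_BOM).report, null, 2));
```

Note that the colon-less variant from the report, git@gitlab.dontcare.comgroup/repo.git, is accepted by this check as a relative reference, just as DT accepts it: it is schema-valid but points nowhere. A schema check alone therefore cannot tell a broken reference from a good one; the rewrite has to happen in the generator, before the value is emitted.
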
jkowalleck commented 4 days ago

Should I also open an issue there as well?

@Recurse-blip, sure. Please report the situation, so tools may be improved.

nscuro commented 4 days ago

Is there anything expected from DT here? Can we close this? To my understanding we're merely enforcing the schema, and there's not much we can do about this.

On a related note, #3891 should allow users to disable / enable validation using tags. That way, it's not necessary to globally disable validation, only because a handful of projects is blocked by invalid BOMs.

valentijnscholten commented 1 day ago

Can be closed