DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

CycloneDX sbom cannot be imported because of validation issue Error 400 when advisory url contains spaces #3900

Closed djeanprost closed 1 week ago

djeanprost commented 1 week ago

Current Behavior

Hello

Trivy 0.52.2 has generated an SBOM for me that contains this, which I think is the cause of my error.

{
  "url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
}

"Schema validation failed","errors":["$.vulnerabilities[73].advisories[9].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",

And one of the URLs is this one. I guess the space after the commit id is the culprit. As a workaround, I decided to temporarily disable schema validation.

Here is an extract of my SBOM.

{
      "id": "CVE-2021-3733",
      "source": {
        "name": "debian",
        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        400
      ],
      "description": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-3733"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-3733"
        },
        {
          "url": "https://bugs.python.org/issue43075"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
        },
        {
          "url": "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-14-final"
        },
        {
          "url": "https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-11-final"
        },
        {
          "url": "https://docs.python.org/3.8/whatsnew/changelog.html#python-3-8-10-final"
        },
        {
          "url": "https://docs.python.org/3.9/whatsnew/changelog.html#python-3-9-5-final"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2022-1821.html"
        },
        {
          "url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
        },
        {
          "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
        },
        {
          "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)"
        },
        {
          "url": "https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)"
        },
        {
          "url": "https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)"
        },
        {
          "url": "https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)"
        },
        {
          "url": "https://github.com/python/cpython/pull/24391"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2021-3733.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2022-1821.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220407-0001/"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2021-3733"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5083-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5199-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5200-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3733"
        }
      ],
      "published": "2022-03-10T17:42:59+00:00",
      "updated": "2023-06-30T23:15:09+00:00",
      "affects": [
        {
          "ref": "pkg:deb/debian/libpython3.9-minimal@3.9.2-1?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/libpython3.9-stdlib@3.9.2-1?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/python3.9-minimal@3.9.2-1?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/python3.9@3.9.2-1?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        }
      ]
    }

Steps to Reproduce

1.

Expected Behavior

This SBOM should be imported correctly. Could it be a Trivy issue?

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome


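A pre-upload check for the failure described above, added here as an example and not code from Dependency-Track or Trivy: it walks the CycloneDX `vulnerabilities[*].advisories[*].url` entries, reports the ones the schema's iri-reference pattern would reject in DT's own `$.vulnerabilities[i].advisories[j].url` path format, and rewrites them (dropping the trailing " (version)" annotation) so the SBOM imports without turning schema validation off. The SBOM fragment inside is constructed for the example.

```python
import copy
import json
import re
from urllib.parse import quote

# Constructed sample (not copied from the issue): a trimmed CycloneDX fragment in
# the shape Trivy emitted, with one advisory URL carrying a trailing " (3.6.14)".
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [{"id": "CVE-2021-3733", "advisories": [
    {"url": "https://bugs.python.org/issue43075"},
    {"url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"}
  ]}]
}""")

# Characters RFC 3987 never allows raw in an IRI-reference (whitespace included);
# any one of them makes the schema's iri-reference pattern fail, as in the issue.
_FORBIDDEN = re.compile(r'[\s<>"{}|\\^`]')

def is_iri_reference(value: str) -> bool:
    return not _FORBIDDEN.search(value)

def find_invalid_advisory_urls(bom: dict) -> list:
    """List (json_path, url) for each advisory URL the schema check would reject.
    The path mirrors DT's error message: $.vulnerabilities[i].advisories[j].url"""
    bad = []
    for i, vuln in enumerate(bom.get("vulnerabilities", [])):
        for j, adv in enumerate(vuln.get("advisories", [])):
            url = adv.get("url", "")
            if not is_iri_reference(url):
                bad.append((f"$.vulnerabilities[{i}].advisories[{j}].url", url))
    return bad

def sanitize_advisory_url(url: str) -> str:
    """Drop a trailing ' (<tag>)' annotation like Trivy's, then percent-encode
    any other leftover whitespace so the reference is a valid IRI again."""
    url = re.sub(r"\s+\([^()]*\)\s*$", "", url)
    return quote(url, safe=":/?#[]@!$&'()*+,;=%")  # keep reserved chars as-is

def sanitize_bom(bom: dict):
    """Return (fixed copy, number of URLs rewritten); the input stays untouched
    so the original SBOM can be kept as evidence of what the scanner produced."""
    fixed = copy.deepcopy(bom)
    count = 0
    for path, _ in find_invalid_advisory_urls(fixed):
        i, j = map(int, re.findall(r"\[(\d+)\]", path))
        adv = fixed["vulnerabilities"][i]["advisories"][j]
        adv["url"] = sanitize_advisory_url(adv["url"])
        count += 1
    return fixed, count
```

Run `find_invalid_advisory_urls` on a scanner's output before the upload step of a pipeline; a non-empty result is the same defect DT's 400 response reports, caught earlier and with the offending path and value in hand.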
nscuro commented 1 week ago

This appears to be more like a defect in Trivy rather than DT. Since DT is merely enforcing the CycloneDX schema, there's not much we can do from our side.

VinodAnandan commented 1 week ago

Related PR - https://github.com/aquasecurity/trivy/pull/6952

knqyf263 commented 1 week ago

It's actually a problem in Debian, but we worked around it on the Trivy end. https://github.com/aquasecurity/trivy/issues/6801

It will be shipped in v0.53.0, which is planned to be out today or tomorrow. You can subscribe to the release PR. When it gets merged, v0.53.0 will be released.

djeanprost commented 1 week ago

I think we can close the issue. Thank you for the deep answer.