Open jimklimov opened 1 day ago
For well-known patterns and hosts we can probably re-write those links before rendering (i.e. git+ssh://github.com -> https://github.com). However that will not always work, for example if the VCS host uses non-standard ports for HTTPS or SSH. Rewriting git+ssh://example.com:2222 to https://example.com:2222 might simply not be correct.
In cases where we don't recognize the protocol as "linkable", and we also cannot re-write it, we should probably render it as a non-clickable string instead.
I suppose different toggles can be made (or sed-like replacement regexes for users to edit), but I did not mean rewriting ssh git URLs into http(s) at unspecified ports - not out of the box.
Internally we use client certificate based auth for HTTPS GitLab, so checkouts over HTTP are a no-go with standard client; over SSH are easy however. So no schema replacement here.
What I meant was to add a schema prefix (maybe guess per ^git@.* match, or use the ^scm:SCHEMANAME: info from valid BOM entry contents) for VCS "URLs" that had no schema originally.
If the href is currently unclickable - so be it (that's something that URL handler registration in browser/OS can address independently of DT).
Current Behavior
In my SBOM documents I have "components[] / externalReferences[]" as lists of objects like
{ "type": "vcs", "url": "scm:git:git@server:group/repo.git" }
where the URL-ish part git@... does not have any schema like git+ssh:// or plain ssh:// (it just is as it comes from pom.xml files).
In Dependency-Track web-ui such links are rendered verbatim, e.g.
scm:git:git@github.com:lukas-krecan/JsonUnit.git/json-unit-assertj
so the browser leads nowhere - and there's even no schema prefix to register a handler for, I think (musing about a scm:git:// prefix for users to somehow deal with if desired, or a smart rewrite into the more standard git+ssh://git@github.com:lukas-krecan/JsonUnit.git/json-unit-assertj right away?)
Also note that URL entries mis-written as just git@... without an scm:git:... prefix are rendered as relative links under the Dependency-Track server root URL (e.g. http://localhost:8080/components/git@...), I suppose these links should always be absolute even if useless.
Steps to Reproduce
Expected Behavior
git@... links without a prefix/schema mean git+ssh:// in fact
Dependency-Track Version
4.11.7
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
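As an added example (not Dependency-Track's own code), a display-side normaliser for the VCS references discussed in this issue: it unwraps the Maven scm:git: wrapper, gives scp-style git@host:path values a git+ssh:// schema, keeps already-absolute URLs whose schema is recognised, and returns no href for anything else so the value is rendered as plain text rather than as a relative link under the server root. The LINKABLE_SCHEMES allow-list, the function name and the treatment of ports are assumptions.

```javascript
// Added example, not Dependency-Track code. Decide how a CycloneDX
// externalReferences[] "vcs" url should be shown in a web UI.
// Returns { href, text }; href is null when the value must be rendered
// as a non-clickable string (no relative link, no unknown schema).

// Assumption: only these schemas are ever emitted as an href.
const LINKABLE_SCHEMES = new Set([
  "http", "https", "ssh", "git", "git+ssh", "git+https",
]);

function vcsLinkForDisplay(raw) {
  const text = String(raw);
  let url = text.trim();

  // Maven-style "scm:<provider>:<url>" wrapper as copied from pom.xml.
  const scm = url.match(/^scm:([a-z0-9]+):(.*)$/i);
  if (scm) url = scm[2];

  // scp-like "user@host:path" carries no schema; in practice it means
  // git+ssh. Note: this syntax has no port field, so "host:2222/x" is
  // a path, not a port, which is why no guessing of ports happens here.
  const scp = url.match(/^([\w.-]+)@([\w.-]+):(?!\/\/)(.+)$/);
  if (scp) {
    url = `git+ssh://${scp[1]}@${scp[2]}/${scp[3]}`;
  }

  // Only an absolute URL with an allow-listed schema becomes clickable.
  const schema = url.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (!schema || !LINKABLE_SCHEMES.has(schema[1].toLowerCase())) {
    return { href: null, text };
  }
  return { href: url, text };
}

// Constructed sample values mirroring the ones in the issue.
const SAMPLES = [
  "scm:git:git@github.com:lukas-krecan/JsonUnit.git/json-unit-assertj",
  "git@server:group/repo.git",
  "scm:git:ssh://git@example.com:2222/group/repo.git",
  "https://github.com/lukas-krecan/JsonUnit",
  "components/git@server:group/repo.git",
];

for (const s of SAMPLES) {
  const { href } = vcsLinkForDisplay(s);
  console.log(href === null ? `plain text: ${s}` : `link: ${href}`);
}
```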