Special characters (tab, newline) in license URL

[scom-technology-operations]

What happened:

• We have created a CycloneDX-JSON of our Nexus installation with the last Syft version.
• The UserAgentUtils library version 1.21 is found there as a dependency.
• We have imported this CycloneDX-JSON into the latest version of Dependency-Track.
• There we get the error message:

'$.components[9].licenses[0].license.url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference'

What you expected to happen:

The license URL should be without special characters like newlines and tabs in the JSON field url.

Steps to reproduce the issue:

1. Download .jar file https://repo1.maven.org/maven2/eu/bitwalker/UserAgentUtils/1.21/UserAgentUtils-1.21.jar
2. syft --output cyclonedx-json=file.json --verbose

Anything else we need to know?:

• In the file /META-INF/maven/eu.bitwalker/UserAgentUtils/pom.xml the license field is defined as follows.

    <licenses>
        <license>
            <name>New BSD License</name>
            <url>
                http://user-agent-utils.googlecode.com/svn/trunk/UserAgentUtils/LICENSE.txt
            </url>
            <distribution>repo</distribution>
        </license>
    </licenses>

• In the CycloneDX-JSON from Syft the license entry is displayed as follows.

      "licenses": [
        {
          "license": {
            "name": "New BSD License",
            "url": "\n\t\t\t\thttp://user-agent-utils.googlecode.com/svn/trunk/UserAgentUtils/LICENSE.txt\n\t\t\t"
          }
        }
      ],

Environment:

• Output of syft version:

Application: syft Version: 1.11.0 BuildDate: 2024-08-09T17:52:25Z GitCommit: 19cc664cf8e7020dd692a62efcbba98ab670bde9 GitDescription: v1.11.0 Platform: linux/amd64 GoVersion: go1.22.5 Compiler: gc

• OS (cat /etc/os-release):

NAME="AlmaLinux" VERSION="9.4 (Seafoam Ocelot)" ID="almalinux" ID_LIKE="rhel centos fedora" VERSION_ID="9.4" PLATFORM_ID="platform:el9" PRETTY_NAME="AlmaLinux 9.4 (Seafoam Ocelot)" ANSI_COLOR="0;34" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos" HOME_URL="https://almalinux.org/" DOCUMENTATION_URL="https://wiki.almalinux.org/" BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9" ALMALINUX_MANTISBT_PROJECT_VERSION="9.4" REDHAT_SUPPORT_PRODUCT="AlmaLinux" REDHAT_SUPPORT_PRODUCT_VERSION="9.4" SUPPORT_END=2032-06-01

• Dependency-Track

Version: 4.11.6

[spiffcs]

Thanks for the easy reproduce and bug report @scom-technology-operations! I've picked this up and will get a fix added for our next release.