Closed bombadil closed 6 months ago
A proper fix should probably escape the colon from the version in the CPE entry (if that is even possible).
@bombadil Thanks for the comment. The version string is valid, as CycloneDX does not constrain the characters to be included in the version specified for a component. However, I can see the issue with a CPE string if the version string contains a ':' and agree that the ':' should be escaped.
According to the CycloneDX Validator, the generated SBOM is valid.
I tried to use the tool on Ubuntu and used the zlib1g package as a guinea pig.
The resulting JSON file cannot be parsed with Dependency Track.
This warning disappears when removing the '1:' prefix from the version used in the generated CPE entry.
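To show why escaping the ':' in the CPE version (the fix the maintainer agrees with above) resolves the parse problem, here is an added Python example that is not from this issue, from the SBOM tool, or from Dependency-Track. It binds the component attributes to a CPE 2.3 formatted string using the NISTIR 7695 escaping rules (every character outside alphanumerics, '_', '.', '-' and the '*'/'?' wildcards is backslash-escaped), then splits the result on unescaped colons the way any CPE consumer must, so the unescaped Debian epoch visibly produces 14 fields instead of the required 13. The zlib1g version string and the 'zlib' vendor name are constructed sample values, not taken from the page.

```python
import string

# Characters that may appear unescaped in a CPE 2.3 formatted-string attribute
# (NISTIR 7695, section 6.2.2). Everything else, including ':', is escaped with
# a backslash so it cannot be mistaken for the component separator.
_UNRESERVED = set(string.ascii_letters + string.digits + "_.-")
_WILDCARDS = set("*?")


def cpe23_escape(value: str) -> str:
    """Escape one attribute value for the CPE 2.3 formatted-string binding."""
    out = []
    for ch in value:
        if ch in _UNRESERVED or ch in _WILDCARDS:
            out.append(ch)
        else:
            out.append("\\" + ch)  # e.g. ':' -> '\:', '\' -> '\\'
    return "".join(out)


def build_cpe23(part: str, vendor: str, product: str, version: str,
                update: str = "*", edition: str = "*", language: str = "*",
                sw_edition: str = "*", target_sw: str = "*",
                target_hw: str = "*", other: str = "*") -> str:
    """Bind the eleven CPE 2.3 attributes to a formatted string, escaping each."""
    fields = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(cpe23_escape(f) for f in fields)


def split_cpe23(cpe: str) -> list:
    """Split a formatted string on unescaped colons only.

    The escape state is tracked character by character rather than with a
    regex lookbehind, because an escaped backslash followed by a colon
    ('\\\\:') must still split.
    """
    parts, current, escaped = [], [], False
    for ch in cpe:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def is_well_formed_cpe23(cpe: str) -> bool:
    """A formatted string has exactly 13 fields: 'cpe', '2.3' and 11 attributes."""
    parts = split_cpe23(cpe)
    return len(parts) == 13 and parts[0] == "cpe" and parts[1] == "2.3"


# Constructed sample: a Debian package version with the '1:' epoch prefix.
SAMPLE_VERSION = "1:1.2.11.dfsg-2ubuntu1.3"

# What an SBOM generator emits if it inserts the version verbatim.
NAIVE_CPE = "cpe:2.3:a:zlib:zlib1g:" + SAMPLE_VERSION + ":*:*:*:*:*:*:*"

# The same component with the version escaped.
ESCAPED_CPE = build_cpe23("a", "zlib", "zlib1g", SAMPLE_VERSION)


if __name__ == "__main__":
    for label, cpe in (("naive", NAIVE_CPE), ("escaped", ESCAPED_CPE)):
        parts = split_cpe23(cpe)
        print(f"{label}: {len(parts)} fields, well-formed={is_well_formed_cpe23(cpe)}")
        print("  " + cpe)
```

Running the block prints 14 fields for the naive string and 13 for the escaped one; a consumer that splits on ':' sees the epoch as the version and everything after it shifted one slot to the right, which is the kind of structural error that makes a strict importer reject the whole document.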