Open svniedner opened 10 months ago
In looking at the error message and the JSON file, there is a bom-ref pkg:npm/%40alloc/quick-lru@5.2.0?package-id=b305d29f2afda9d2 with an externalReferences url value of sindresorhus/quick-lru.
The SPDX validator validates any URL reference to match a specific string pattern.
I'm not sure if this is an invalid value for CycloneDX or not.
If it is invalid, the input file should be fixed.
If it is valid, then we would need to convert the string to a format that SPDX understands.
I get the following error message on a CycloneDX file (attached, has been renamed to .txt to make attachment possible):

docker run -v ./sboms:/cdx2spdx/sboms -it --rm cdx2spdx
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Error converinging a CycloneDX component to element: Invalid download location sindresorhus/quick-lru. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?(http:\/\/www.|https:\/\/www.|http:\/\/|https:\/\/|ssh:\/\/|git:\/\/|svn:\/\/|sftp:\/\/|ftp:\/\/)?[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?)|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\.@-]+)|(bzr+lp:[a-zA-Z0-9.-]+))$
If I can do more to help sort this out, please let me know; I am unfortunately not a Java coder.

rocket-chat.json.txt
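The validation and the conversion the report asks about, as an added example that is not part of the issue and not code from cdx2spdx or the SPDX Java library. It copies the downloadLocation pattern from the error message above, checks a value against it, and maps a bare "owner/repo" string onto a GitHub URL before validating. Treating "owner/repo" as GitHub shorthand is an assumption (npm's package.json repository field uses that shorthand, which is a plausible origin for the value, but neither CycloneDX nor SPDX defines it); the component dict is constructed from the fields named in the report; the function names are mine. One caveat on the pattern itself: the issue text is rendered Markdown, and Markdown drops the backslash from escaped punctuation, so "(git|hg|svn|bzr)+" and ".[a-z]{2,5}" may well be "\+" and "\." in the tool's source, in which case the copy below is looser than what the tool actually applies.

```python
import re

# Download-location pattern copied verbatim from the cdx2spdx error message in
# the issue. Assumption: rendering may have stripped "\" before "+" and ".", so
# this copy can accept strings the original Java pattern rejects.
SPDX_DOWNLOAD_LOCATION = re.compile(
    r"^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?"
    r"(http:\/\/www.|https:\/\/www.|http:\/\/|https:\/\/|ssh:\/\/|git:\/\/"
    r"|svn:\/\/|sftp:\/\/|ftp:\/\/)?"
    r"[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?)"
    r"|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\.@-]+)"
    r"|(bzr+lp:[a-zA-Z0-9.-]+))$"
)

# Hypothetical shorthand: "owner/repo" with no scheme and no host. GitHub
# owners allow only alphanumerics and hyphens, so "example.com/file" does not
# match and is left alone. Interpreting this as GitHub is an assumption.
GITHUB_SHORTHAND = re.compile(r"^([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+)$")

# CycloneDX externalReference types that describe where a component is fetched
# from, in order of preference.
PREFERRED_REF_TYPES = ("distribution", "vcs")


def is_valid_download_location(value: str) -> bool:
    """True if value satisfies the SPDX downloadLocation pattern copied above."""
    return SPDX_DOWNLOAD_LOCATION.match(value) is not None


def normalize_download_location(value: str) -> str:
    """Map a CycloneDX external-reference url onto an SPDX downloadLocation.

    empty or whitespace -> NOASSERTION (SPDX's 'no claim is made' value)
    bare owner/repo     -> https://github.com/owner/repo (assumption, see above)
    anything else       -> unchanged
    """
    value = value.strip()
    if not value:
        return "NOASSERTION"
    m = GITHUB_SHORTHAND.match(value)
    if m:
        return f"https://github.com/{m.group(1)}/{m.group(2)}"
    return value


def download_location_for(component: dict) -> str:
    """Choose a valid SPDX downloadLocation for a CycloneDX component dict.

    Walks the preferred reference types, normalizes the first url of each, and
    returns the first candidate that validates. Invalid candidates are skipped
    rather than aborting the whole conversion; NOASSERTION is the fallback.
    """
    refs = component.get("externalReferences") or []
    for ref_type in PREFERRED_REF_TYPES:
        for ref in refs:
            if ref.get("type") != ref_type or not ref.get("url"):
                continue
            candidate = normalize_download_location(ref["url"])
            if is_valid_download_location(candidate):
                return candidate
    return "NOASSERTION"


# Constructed sample modelled on the component named in the report; only the
# fields this example reads are included.
SAMPLE_COMPONENT = {
    "bom-ref": "pkg:npm/%40alloc/quick-lru@5.2.0?package-id=b305d29f2afda9d2",
    "name": "quick-lru",
    "version": "5.2.0",
    "externalReferences": [
        {"type": "vcs", "url": "sindresorhus/quick-lru"},
    ],
}

if __name__ == "__main__":
    raw = SAMPLE_COMPONENT["externalReferences"][0]["url"]
    print("raw value valid under copied pattern:", is_valid_download_location(raw))
    print("normalized:", download_location_for(SAMPLE_COMPONENT))
```

Running the script on the constructed component yields https://github.com/sindresorhus/quick-lru for the downloadLocation; a component with no usable reference gets NOASSERTION instead of failing the conversion. Because the shorthand rewrite happens before validation, the result does not depend on whether the copied (possibly loosened) pattern happens to accept the bare "owner/repo" string.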