cdxgen icon indicating copy to clipboard operation
cdxgen copied to clipboard
verified publisher icon CycloneDX

Simplified iri validation

Open prabhu opened this issue 1 year ago • 4 comments

Fixes #1244

@marob Any thoughts?

Turns out that there are bugs in the URL module in node 20 and 21! My latest commit only works in node 22 onwards.

I think we need to add more tests to validate-iri to prevent any future hangs.

prabhu avatar Jul 23 '24 20:07 prabhu

This would indeed simplify the code, but:

  • as you can see here, "http://" should be considered as valid. It's not by the new code, but to be honest, it was not by the previous code either. Anyway, in worst case, we remove something that should have been valid but don't break CycloneDX spec
  • " https://gitlab.com/behat-chrome/chrome-mink-driver.git " should be considered as invalid. It's not by the new code and was correctly handled by the previous one. So it would produce invalid SBOM.

I suppose there's plenty of other cases where there's false positive/negatives. Maybe a better solution would be to try to fix validate-iri lib to prevent infinite regex analysis?

marob avatar Jul 23 '24 21:07 marob

Regarding 2, we always trim before validation so the given test case may not happen?

The inspiration is to go for max validation without complex regex. I found validate-iri to be too complex to fix.

prabhu avatar Jul 23 '24 21:07 prabhu

Do we put the trimmed value in the SBOM or the original value?

marob avatar Jul 23 '24 21:07 marob

We put the trimmed value. So it looks OK for me.

marob avatar Jul 23 '24 21:07 marob