Invalid license URL is generated
Hi,
Version 3.0.5 (tried also 3.0.8) seems to generate an invalid license URL for one of the components. Note the whitespace at the end:

```json
{
  "type": "library",
  "bom-ref": "pkg:nuget/[email protected]",
  "author": "Microsoft",
  "name": "Mvc4Futures",
  "version": "4.0.20710",
  "description": "ASP.NET MVC Futures includes unsupported prototype features for ASP.NET MVC, from the MVC team.",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-512",
      "content": "FA3D285759CDD2BEDAD5632B267F76D0275DADE15B81EAA3DED2865B56C5A416E42BD558E1957E7A44D9BA63A719FCCBED30F586B7504ADE80441EA4F74C5031"
    }
  ],
  "licenses": [
    {
      "license": {
        "name": "Unknown - See URL",
        "url": "http://www.microsoft.com/web/webpi/eula/aspnetcomponent_enu.htm " <-- here
      }
    }
  ],
  "copyright": "Microsoft",
  "purl": "pkg:nuget/[email protected]",
  "externalReferences": [
    {
      "url": "http://aspnet.codeplex.com/",
      "type": "website"
    }
  ]
}
```
The BOM is generated as follows:

```shell
dotnet cyclonedx "D:\BuildAgent\work\233fec8a519c12d7\Services\ServiceName\ServiceName.sln" -o dist\BOM -f bom.json -j -sn "ServiceName" -sv 1.2.3.4 --github-username *** --github-token ***
```

Not sure where the whitespace comes from; the component page on NuGet.org has a valid URL.
Would appreciate any help.
Okay, the nasty whitespace comes from nuspec file: https://api.nuget.org/v3-flatcontainer/Mvc4Futures/4.0.20710/Mvc4Futures.nuspec
Would it be possible/make sense to trim all urls for example?
I think a valid URL can never start or end with whitespace, so I see no problem with that.
True. DependencyTrack has recently started to validate BOMs according to the specification. It requires all URLs to be valid RFC 3987 IRI-references where whitespace is not a valid character.
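Added example (not code from the CycloneDX .NET tool or from any participant above): it shows the trim proposed in this thread applied when the license URL is read from a nuspec, and the whitespace check a BOM consumer such as DependencyTrack applies to every `url` field. The nuspec fragment is constructed to mimic the trailing space reported, and the whitespace test is assumed to be sufficient for this defect rather than a full RFC 3987 grammar check.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed nuspec fragment reproducing the trailing space in licenseUrl
# (not the real contents of Mvc4Futures.nuspec).
NUSPEC_SAMPLE = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>Mvc4Futures</id>
    <version>4.0.20710</version>
    <licenseUrl>http://www.microsoft.com/web/webpi/eula/aspnetcomponent_enu.htm </licenseUrl>
    <projectUrl>http://aspnet.codeplex.com/</projectUrl>
  </metadata>
</package>"""

NS = {"n": "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"}
# RFC 3987 allows no whitespace anywhere in an IRI-reference (assumption: checking
# for whitespace alone is enough to catch the defect discussed here).
WHITESPACE = re.compile(r"\s")

def license_from_nuspec(xml_text: str) -> dict:
    """Build a CycloneDX license object from a nuspec, trimming the URL as proposed."""
    root = ET.fromstring(xml_text)
    url = root.findtext("n:metadata/n:licenseUrl", default="", namespaces=NS)
    return {"license": {"name": "Unknown - See URL", "url": url.strip()}}

def find_bad_urls(node, path: str = "$") -> list:
    """Walk a BOM document and return JSON paths of 'url' values containing whitespace."""
    bad = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "url" and isinstance(value, str) and WHITESPACE.search(value):
                bad.append(f"{path}.{key}")
            bad.extend(find_bad_urls(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            bad.extend(find_bad_urls(item, f"{path}[{i}]"))
    return bad

if __name__ == "__main__":
    bom = {"bomFormat": "CycloneDX", "components": [
        {"name": "Mvc4Futures", "licenses": [license_from_nuspec(NUSPEC_SAMPLE)]}]}
    print(json.dumps(bom, indent=2))
    print("url fields with whitespace:", find_bad_urls(bom))
```

Running `find_bad_urls` over an existing bom.json (after `json.load`) reports exactly the fields a spec-validating consumer would reject.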