
CycloneDX BOM validation fails for git style externalReferences

Open valentijnscholten opened this issue 1 year ago • 7 comments

Current Behavior

  1. Generate a BOM with cyclonedx-npm
  2. Observe an externalReference is added containing the git url of the project, i.e. [email protected]:group/repo.git

Steps to Reproduce

  1. Upload the generated BOM to DT, or just attached bom-test.json.

When changing the value to [email protected]/repo.git validation passes.

Expected Behavior

Not sure as [email protected]:group/repo.git is not a valid URI so probably also not a valid IRI?

I am still reporting it here to see what/if we can do something and for others who run into the same issue.

It looks like #3831, but really isn't.

ssh://[email protected]:group/repo.git also fails validation.

Maybe cyclonedx shouldn't output invalid URIs/IRIs?

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Google Chrome

Checklist

valentijnscholten avatar Jun 26 '24 17:06 valentijnscholten

@jkowalleck Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?

nscuro avatar Jun 26 '24 18:06 nscuro

re https://github.com/DependencyTrack/dependency-track/issues/3885#issuecomment-2192371737

Do I remember correctly that you did something in cyclonedx-node-npm to fix / re-map SSH URLs?

You remember correctly, we do. The CycloneDX schema requires external references to comply with JSON schema 'iri-reference' and XML schema xs:anyURI. In some package managers it is natively supported to use 'git@.../path' or '....git' as a repo URL.

Even though a [email protected]:group/repo.git might be understood by git, as it has handling for it, this value is still invalid to said schema. Therefore, we transform some well-known repo-hosters' URLs to git+ssh://... or git+http://....git or similar. This is done via https://www.npmjs.com/package/hosted-git-info, which knows these specific resolutions and endpoints. In general, I'd say it would be possible to convert git@<host>:<path> URLs to git+ssh://git@<host>/<path>. But this is just my gut feeling - without any research done.

jkowalleck avatar Jun 26 '24 19:06 jkowalleck
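The general git@<host>:<path> to git+ssh://git@<host>/<path> re-mapping sketched in the comment above, as an added example (not cyclonedx-node-npm's own implementation, which relies on hosted-git-info). Host and path values are constructed samples; the validity check uses the WHATWG URL parser as a stand-in for the schema's anyURI / iri-reference constraint.

```javascript
// Added example: normalize scp-like git remotes (git@<host>:<path>) into a
// URI that the CycloneDX externalReference.url constraint accepts.
// All host and path values used here are constructed samples.

// scp-like syntax: [user@]host:path, no scheme, and ':' not followed by '//'
const SCP_LIKE = /^(?:([^@/:]+)@)?([^@/:]+):(?!\/\/)(.+)$/;

/** True when `value` parses as an absolute URI with a scheme and a valid authority. */
function isValidUri(value) {
  try {
    new URL(value);
    return true;
  } catch {
    // Examples that end up here: 'git@host:group/repo.git' (no scheme) and
    // 'ssh://git@host:group/repo.git' ('group' is not a numeric port).
    return false;
  }
}

/**
 * Convert an scp-like remote into git+ssh://[user@]host/path.
 * Already-valid URIs are returned unchanged; anything else yields null so the
 * caller can omit the reference rather than emit an invalid one (which would
 * make the whole BOM fail schema validation on upload).
 */
function normalizeGitRemote(value) {
  if (isValidUri(value)) return value;
  const m = SCP_LIKE.exec(value);
  if (!m) return null;
  const [, user, host, path] = m;
  const userInfo = user ? `${encodeURIComponent(user)}@` : '';
  // scp syntax resolves the path relative to the login home; a URI needs '/'.
  const candidate = `git+ssh://${userInfo}${host}/${path.replace(/^\/+/, '')}`;
  return isValidUri(candidate) ? candidate : null;
}
```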

@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?

valentijnscholten avatar Jun 27 '24 07:06 valentijnscholten

@jkowalleck Shall I raise an issue on https://github.com/CycloneDX/cyclonedx-node-npm/issues ?

Why not. Here you go: https://github.com/CycloneDX/cyclonedx-node-npm/issues/new?assignees=&labels=bug&projects=&template=2-bug_report.md&title=%5BBUG%5D Please provide a reproducible setup and example.

jkowalleck avatar Jun 27 '24 18:06 jkowalleck

I have the same issue trying to upload an SBOM generated with https://github.com/CycloneDX/cyclonedx-dotnet . When I try to upload to dependency track I get this error. Should I also open an issue there as well?

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "cvc-datatype-valid.1.2.1: '[email protected]:LordVeovis/xmlrpc.git' is not a valid value for 'anyURI'.",
        "cvc-type.3.1.3: The value '[email protected]:LordVeovis/xmlrpc.git' of element 'url' is not valid."
    ]
}

Recurse-blip avatar Jun 27 '24 20:06 Recurse-blip

Should I also open an issue there as well?

@Recurse-blip , sure. Please report the situation, so tools may be improved.

jkowalleck avatar Jun 28 '24 15:06 jkowalleck

Is there anything expected from DT here? Can we close this? To my understanding we're merely enforcing the schema, and there's not much we can do about this.

On a related note, #3891 should allow users to disable / enable validation using tags. That way, it's not necessary to globally disable validation, only because a handful of projects is blocked by invalid BOMs.

nscuro avatar Jun 28 '24 20:06 nscuro

Can be closed

valentijnscholten avatar Jul 01 '24 21:07 valentijnscholten

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Aug 01 '24 10:08 github-actions[bot]