dependency-track
CycloneDX sbom cannot be imported because of validation issue Error 400 when advisory url contains spaces
Current Behavior
Hello,

Trivy 0.52.2 has generated an SBOM for me that contains this, which I think is the cause of my error:

```json
{
"url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
}
```

```
"Schema validation failed","errors":["$.vulnerabilities[73].advisories[9].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
```

And one of the URLs is this one. I guess the space after the commit id is the culprit. As a workaround, I decided to temporarily disable schema validation.

Here is an extract of my SBOM.
```json
{
  "id": "CVE-2021-3733",
  "source": {
    "name": "debian",
    "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
  },
  "ratings": [
    {
      "source": {
        "name": "alma"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "amazon"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "bitnami"
      },
      "score": 6.5,
      "severity": "medium",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "cbl-mariner"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 4,
      "severity": "medium",
      "method": "CVSSv2",
      "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 6.5,
      "severity": "medium",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "oracle-oval"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "photon"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "redhat"
      },
      "score": 6.5,
      "severity": "medium",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "ubuntu"
      },
      "severity": "medium"
    }
  ],
  "cwes": [
    400
  ],
  "description": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
  "advisories": [
    {
      "url": "https://avd.aquasec.com/nvd/cve-2021-3733"
    },
    {
      "url": "https://access.redhat.com/security/cve/CVE-2021-3733"
    },
    {
      "url": "https://bugs.python.org/issue43075"
    },
    {
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
    },
    {
      "url": "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-14-final"
    },
    {
      "url": "https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-11-final"
    },
    {
      "url": "https://docs.python.org/3.8/whatsnew/changelog.html#python-3-8-10-final"
    },
    {
      "url": "https://docs.python.org/3.9/whatsnew/changelog.html#python-3-9-5-final"
    },
    {
      "url": "https://errata.almalinux.org/8/ALSA-2022-1821.html"
    },
    {
      "url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
    },
    {
      "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
    },
    {
      "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)"
    },
    {
      "url": "https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)"
    },
    {
      "url": "https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)"
    },
    {
      "url": "https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)"
    },
    {
      "url": "https://github.com/python/cpython/pull/24391"
    },
    {
      "url": "https://linux.oracle.com/cve/CVE-2021-3733.html"
    },
    {
      "url": "https://linux.oracle.com/errata/ELSA-2022-1821.html"
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
    },
    {
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
    },
    {
      "url": "https://security.netapp.com/advisory/ntap-20220407-0001/"
    },
    {
      "url": "https://ubuntu.com/security/CVE-2021-3733"
    },
    {
      "url": "https://ubuntu.com/security/notices/USN-5083-1"
    },
    {
      "url": "https://ubuntu.com/security/notices/USN-5199-1"
    },
    {
      "url": "https://ubuntu.com/security/notices/USN-5200-1"
    },
    {
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3733"
    }
  ],
  "published": "2022-03-10T17:42:59+00:00",
  "updated": "2023-06-30T23:15:09+00:00",
  "affects": [
    {
      "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
      "versions": [
        {
          "version": "3.9.2-1",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
      "versions": [
        {
          "version": "3.9.2-1",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
      "versions": [
        {
          "version": "3.9.2-1",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
      "versions": [
        {
          "version": "3.9.2-1",
          "status": "affected"
        }
      ]
    }
  ]
}
```
Steps to Reproduce
Expected Behavior
This SBOM should be imported correctly. Could it be a Trivy issue?
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
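The rejected URL above fails the CycloneDX schema's `iri-reference` pattern because of the space before the "(3.6.14)" annotation. Rather than switching schema validation off in Dependency-Track, the offending URLs can be found and cleaned in the SBOM before upload. This is an added example, not code from Trivy or Dependency-Track; the `SAMPLE_BOM` is a constructed extract in the shape of the reporter's SBOM, and the character check is a simplified stand-in for the schema's full RFC 3987 regex.

```python
import json
import re
from urllib.parse import quote

# Characters RFC 3986/3987 never allow unescaped in a URI/IRI reference. Simplified
# check, not the schema's full iri-reference regex, but it catches the space above.
INVALID_CHARS = re.compile(r'[\s"<>{}|\\^`]')
# Trivy-style " (3.6.14)" version annotation glued onto a commit URL.
TRAILING_ANNOTATION = re.compile(r'\s+\([^)]*\)\s*$')

# Constructed extract in the shape of the reporter's SBOM (not real Trivy output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "vulnerabilities": [{
        "id": "CVE-2021-3733",
        "advisories": [
            {"url": "https://bugs.python.org/issue43075"},
            {"url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"},
            {"url": "https://example.invalid/advisory with space"},
        ],
    }],
}

def find_invalid_advisory_urls(bom):
    """Return [(json_path, url)] for advisory URLs that would fail validation."""
    hits = []
    for vi, vuln in enumerate(bom.get("vulnerabilities") or []):
        for ai, adv in enumerate(vuln.get("advisories") or []):
            url = adv.get("url", "")
            if INVALID_CHARS.search(url):
                hits.append((f"$.vulnerabilities[{vi}].advisories[{ai}].url", url))
    return hits

def sanitize_url(url):
    """Drop a trailing ' (...)' annotation; percent-encode anything still illegal."""
    cleaned = TRAILING_ANNOTATION.sub("", url)
    if INVALID_CHARS.search(cleaned):
        cleaned = quote(cleaned, safe=":/?#[]@!$&'()*+,;=%-._~")  # keep delimiters
    return cleaned

def sanitize_bom(bom):
    """Return (deep copy of bom with offending URLs fixed, number of URLs changed)."""
    fixed = json.loads(json.dumps(bom))  # leaves the caller's dict untouched
    changed = 0
    for vuln in fixed.get("vulnerabilities") or []:
        for adv in vuln.get("advisories") or []:
            new = sanitize_url(adv.get("url", ""))
            if new != adv.get("url", ""):
                adv["url"], changed = new, changed + 1
    return fixed, changed
```

Run `find_invalid_advisory_urls` on the parsed SBOM to get the same `$.vulnerabilities[i].advisories[j].url` paths the validator reports, and upload the copy returned by `sanitize_bom` with schema validation left on.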