
Utility does not pass a valid SBOM

Open qwelol opened this issue 8 months ago • 3 comments

Describe the bug

The value "http://private%20package/" is a valid iri-reference.

Screenshots or output-paste

Problematic part of the SBOM file:

  {
     "type": "library",
     "name": "utils",
     "group": "@mui",
     "version": "5.14.17",
     "bom-ref": "pkg:npm/%40mui/utils@5.14.17?vcs_url=git%2Bhttps%3A//github.com/mui/material-ui.git#packages/mui-utils",
     "author": "MUI Team",
     "description": "Utility functions for React components.",
     "licenses": [
       {
         "license": {
           "id": "MIT"
         }
       }
     ],
     "purl": "pkg:npm/%40mui/utils@5.14.17?vcs_url=git%2Bhttps%3A//github.com/mui/material-ui.git#packages/mui-utils",
     "externalReferences": [
       {
         "url": "https://github.com/mui/material-ui/issues",
         "type": "issue-tracker",
         "comment": "as detected from PackageJson property \"bugs.url\""
       },
       {
         "url": "git+https://github.com/mui/material-ui.git#packages/mui-utils",
         "type": "vcs",
         "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
       },
       {
         "url": "http://private%20package",
         "type": "website",
         "comment": "as detected from PackageJson property \"homepage\""
       }
     ]
   },

Util output:

(screenshot of the validator output; image not included)

Expected behavior

Validation passed

Additional context

At first I thought that the problem was in the SBOM file generator, and created an issue for it. Perhaps it will also be interesting.

qwelol avatar Feb 17 '25 14:02 qwelol
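The question in this issue is whether "http://private%20package" is a valid iri-reference. sbom-utility is written in Go, so the added example below (mine, not the issue author's or the project's code) checks the value two ways: with Go's standard net/url parser and against the RFC 3986 reg-name grammar, to show where the two disagree. That the utility's format check delegates to net/url is an assumption here, not something the issue states.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the externalReferences "website" URL from the issue.
const sampleURL = "http://private%20package"

// StdlibAccepts reports whether Go's net/url parser accepts the value.
// net/url rejects percent-escapes of ASCII bytes (anything below %80, other
// than %25) inside the host component, so "%20" in a hostname is an error.
func StdlibAccepts(s string) (bool, error) {
	_, err := url.Parse(s)
	return err == nil, err
}

// RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims ), where
// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~", pct-encoded = "%" HEXDIG
// HEXDIG, sub-delims = "!$&'()*+,;=". Any pct-encoded octet is permitted.
var regName = regexp.MustCompile(`^(?:[A-Za-z0-9._~!$&'()*+,;=-]|%[0-9A-Fa-f]{2})*$`)

// RFC3986HostValid pulls the host out of scheme://[user@]host[:port][/...]
// by hand (net/url is what we are second-guessing) and checks it against
// reg-name. IP literals in brackets are out of scope for this check.
func RFC3986HostValid(s string) bool {
	i := strings.Index(s, "://")
	if i < 0 {
		return false
	}
	host := s[i+3:]
	if j := strings.IndexAny(host, "/?#"); j >= 0 {
		host = host[:j]
	}
	if at := strings.LastIndex(host, "@"); at >= 0 {
		host = host[at+1:]
	}
	if c := strings.LastIndex(host, ":"); c >= 0 && strings.Trim(host[c+1:], "0123456789") == "" {
		host = host[:c] // port = *DIGIT, so an empty port is also fine
	}
	return regName.MatchString(host)
}

func main() {
	ok, err := StdlibAccepts(sampleURL)
	fmt.Printf("net/url accepts %q: %v (%v)\n", sampleURL, ok, err)
	fmt.Printf("RFC 3986 reg-name accepts it: %v\n", RFC3986HostValid(sampleURL))
}
```

A validator that defines "valid iri-reference" as "net/url.Parse succeeds" will reject this value even though the RFC grammar admits it; a raw space in the host is rejected by both.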