Schema validation fails with git style URL #890
Comments
Recurse-blip
changed the title
|
I would suspect those values are not generated by the tool but read from a source. Where exactly are those invalid uri's in your sbom? Can you provide me steps to reproduce? |
|
@mtsfoni I will provide a test project to reproduce |
See the bom.xml generated here : https://github.com/Recurse-blip/cyclonedx_giturl/actions/runs/9714725731/job/26814458493 You will see that there is an URL with this content : It should be converted to a valid URL such as |
|
The source of the problem is obviously here: https://github.com/LordVeovis/xmlrpc/blob/2f6fc86d85d0eab0f26a73ba9e2a1d0cc9be26f7/Kveer.XmlRPC/Kveer.XmlRPC.csproj#L19 Even if rubbish comes in, this tool should still generate a valid cyclonedx file. I think we should add a check when we fill URLs if they are valid. If it isn't, we could probably delete it (easy solution). Alternatively, somebody could build a system that reliably replaces those, but that adds more complexity. |
mtsfoni
added
enhancement
doing the same for XML in PHP https://github.com/CycloneDX/cyclonedx-php-library/blob/fab6f93979fc43cb64d0d15d086a565e2b7072d2/src/Core/_helpers/XML.php#L62-L76 anyway, for field where you know it could be a git-ssh address - like externalReference of type VCS, you should not throw the data away, but transform it accordingly. |
It seems that the CycloneDX tools generates invalid URL when generating the SBOM which fails the schema validation when trying to upload the BOM to dependency-track.
This is the error I get :
I think CycloneDX should convert those git style references to something like
git+ssh://...orgit+http://....gitwhich are valid URLs.Related issue :
DependencyTrack/dependency-track#3885
CycloneDX/cyclonedx-node-npm#1198
The text was updated successfully, but these errors were encountered: