diff --git a/pom.xml b/pom.xml index 53337bf5aa..54b790f9ac 100644 --- a/pom.xml +++ b/pom.xml @@ -93,7 +93,7 @@ 1.26.1 1.4.2 1.0.1 - 9.0.3 + 9.0.4 1.6.15 2.17.1 2.17.1 @@ -338,19 +338,6 @@ ${lib.cloud-sql-connector-jdbc-sqlserver.version} - - - xerces - xercesImpl - 2.12.2 - - - xml-apis - xml-apis - - - - org.apache.commons commons-compress diff --git a/src/main/java/org/dependencytrack/util/XmlUtil.java b/src/main/java/org/dependencytrack/util/XmlUtil.java index 2bb2f549a9..beb4f9bb2d 100644 --- a/src/main/java/org/dependencytrack/util/XmlUtil.java +++ b/src/main/java/org/dependencytrack/util/XmlUtil.java 
@@ -18,83 +18,14 @@
 */
 package org.dependencytrack.util;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXNotRecognizedException;
-import org.xml.sax.SAXNotSupportedException;
-
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import java.io.InputStream;
-
-import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_LANGUAGE;
-
-import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_SOURCE;
-import static org.apache.xerces.jaxp.JAXPConstants.W3C_XML_SCHEMA;
-
 public final class XmlUtil {
- private XmlUtil() { }
-
- /**
- * Constructs a validating secure SAX Parser.
- *
- * @param schemaStream One or more inputStreams with the schema(s) that the
- * parser should be able to validate the XML against, one InputStream per
- * schema
- * @return a SAX Parser
- * @throws javax.xml.parsers.ParserConfigurationException is thrown if there
- * is a parser configuration exception
- * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an
- * unrecognized feature
- * @throws org.xml.sax.SAXNotSupportedException thrown if there is a
- * non-supported feature
- * @throws org.xml.sax.SAXException is thrown if there is a
- * org.xml.sax.SAXException
- */
- public static SAXParser buildSecureSaxParser(InputStream... schemaStream) throws ParserConfigurationException,
- SAXNotRecognizedException, SAXNotSupportedException, SAXException {
- final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setValidating(true);
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- System.setProperty("javax.xml.accessExternalSchema", "file, https");
-
- final SAXParser saxParser = factory.newSAXParser();
- saxParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
- saxParser.setProperty(JAXP_SCHEMA_SOURCE, schemaStream);
- return saxParser;
- }
-
- /**
- * Constructs a secure SAX Parser.
- *
- * @return a SAX Parser
- * @throws javax.xml.parsers.ParserConfigurationException thrown if there is
- * a parser configuration exception
- * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an
- * unrecognized feature
- * @throws org.xml.sax.SAXNotSupportedException thrown if there is a
- * non-supported feature
- * @throws org.xml.sax.SAXException is thrown if there is a
- * org.xml.sax.SAXException
- */
- public static SAXParser buildSecureSaxParser() throws ParserConfigurationException,
- SAXNotRecognizedException, SAXNotSupportedException, SAXException {
- final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- return factory.newSAXParser();
+ private XmlUtil() { }
 /**
@@ -102,7 +33,7 @@ public static SAXParser buildSecureSaxParser() throws ParserConfigurationExcepti
 *
 * @return a new document builder
 * @throws javax.xml.parsers.ParserConfigurationException thrown if there is
- * a parser configuration exception
+ * a parser configuration exception
 */
 public static DocumentBuilder buildSecureDocumentBuilder() throws ParserConfigurationException {
 final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
index 6312107a82..fc783623d0 100644
--- a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
+++ b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
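Review bot: Dropping xercesImpl from pom.xml in this same commit means `DocumentBuilderFactory.newInstance()` in the surviving `buildSecureDocumentBuilder` (its body lies outside this hunk) now resolves to the JDK-bundled JAXP provider, and nothing in the diff pins that the DOCTYPE and external-entity hardening still holds on that provider. If the builder sets the same `http://apache.org/xml/features/disallow-doctype-decl` feature the removed SAX code did, the JDK's internal Xerces honours it, but a regression test that feeds a document containing a `<!DOCTYPE>` declaration to the builder and asserts it is rejected would make any later parser-provider change on the classpath observable. The removed `buildSecureSaxParser` overloads also carried a JVM-global `System.setProperty("javax.xml.accessExternalSchema", "file, https")`; a class Javadoc such as `/** Factories for hardened JAXP parsers, backed by the JDK-bundled implementation now that Xerces is no longer a direct dependency. */` would record that this side effect is gone, provided the builder does not set a global property itself.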
@@ -218,4 +218,27 @@ public void testValidateWithValidBom(final Path bomFilePath) throws Exception {
 assertThatNoException().isThrownBy(() -> validator.validate(bomBytes));
 }
+ @Test // https://github.com/DependencyTrack/dependency-track/issues/3831
+ public void testValidateJsonWithUrlContainingEncodedBrackets() {
+ assertThatNoException()
+ .isThrownBy(() -> validator.validate("""
+ {
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "components": [
+ {
+ "type": "library",
+ "name": "acme-library",
+ "externalReferences": [
+ {
+ "type": "website",
+ "url": "https://example.com/foo?bar=%5Bbaz%5D"
+ }
+ ]
+ }
+ ]
+ }
+ """.getBytes()));
+ }
+
 }
\ No newline at end of file
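Review bot: The new test's `""".getBytes()` encodes the text block with the platform default charset, which on JDK versions before 18 depends on the host running the build; `""".getBytes(StandardCharsets.UTF_8)));` makes the fixture deterministic. The payload is pure ASCII, so the result is the same today, but an explicit charset avoids a surprise the first time a non-ASCII character lands in an inline BOM. Since the same commit drops the Xerces-backed SAX path, a sibling XML case carrying the same percent-encoded URL would also show whether the regression tracked in issue 3831 is confined to the JSON path or reaches the DocumentBuilder path too.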