From d546749970f2c4304eb3d43253b12af3af9933be Mon Sep 17 00:00:00 2001 From: nscuro Date: Sat, 22 Jun 2024 18:13:48 +0200 Subject: [PATCH 1/2] Fix BOM validation failing when URL contains encoded `[` and `]` characters Fixes #3831 Signed-off-by: nscuro --- pom.xml | 2 +- .../cyclonedx/CycloneDxValidatorTest.java | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 53337bf5a..717cbe0d0 100644 --- a/pom.xml +++ b/pom.xml @@ -93,7 +93,7 @@ 1.26.1 1.4.2 1.0.1 - 9.0.3 + 9.0.4 1.6.15 2.17.1 2.17.1 diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java index 6312107a8..fc783623d 100644 --- a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java +++ b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java @@ -218,4 +218,27 @@ public void testValidateWithValidBom(final Path bomFilePath) throws Exception { assertThatNoException().isThrownBy(() -> validator.validate(bomBytes)); } + @Test // https://github.com/DependencyTrack/dependency-track/issues/3831 + public void testValidateJsonWithUrlContainingEncodedBrackets() { + assertThatNoException() + .isThrownBy(() -> validator.validate(""" + { + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "components": [ + { + "type": "library", + "name": "acme-library", + "externalReferences": [ + { + "type": "website", + "url": "https://example.com/foo?bar=%5Bbaz%5D" + } + ] + } + ] + } + """.getBytes())); + } + } \ No newline at end of file From 5567233ba3babb78b27bd3149f1193741ad5a743 Mon Sep 17 00:00:00 2001 
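Review bot: The new test turns the text block into bytes with a bare `getBytes()`, so the fixture depends on the JVM's default charset; the JSON here is pure ASCII so nothing breaks today, but `.getBytes(StandardCharsets.UTF_8)` pins it and matches the validator's likely decoding (the test file's import block is outside the hunk, so `java.nio.charset.StandardCharsets` may need adding). The regression for #3831 is only exercised on the JSON path; if `validator.validate` also accepts XML BOMs, a sibling test carrying the same `%5Bbaz%5D` URL in an `externalReference` would cover the XML parser that the bumped `cyclonedx-core-java` also changed. The hunk also ends with `\ No newline at end of file`, which is worth fixing while the file is being touched.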
From: nscuro Date: Sat, 22 Jun 2024 18:48:18 +0200 Subject: [PATCH 2/2] Drop dependency on outdated `xerces` `xerces` does not support the `http://javax.xml.XMLConstants/property/accessExternalDTD` property that `cyclonedx-core-java` is using: ``` java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) at org.cyclonedx.parsers.XmlParser.createSecureDocument(XmlParser.java:339) at org.cyclonedx.parsers.XmlParser.extractAllNamespaceDeclarations(XmlParser.java:310) at org.cyclonedx.parsers.XmlParser.identifySchemaVersion(XmlParser.java:296) at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:97) ``` The remaining code relying on `xerces` turned out to be unused, and was consequently removed as well. Signed-off-by: nscuro --- pom.xml | 13 ---- .../org/dependencytrack/util/XmlUtil.java | 73 +------------------ 2 files changed, 2 insertions(+), 84 deletions(-) diff --git a/pom.xml b/pom.xml index 717cbe0d0..54b790f9a 100644 --- a/pom.xml +++ b/pom.xml @@ -338,19 +338,6 @@ ${lib.cloud-sql-connector-jdbc-sqlserver.version} - - - xerces - xercesImpl - 2.12.2 - - - xml-apis - xml-apis - - - - org.apache.commons commons-compress diff --git a/src/main/java/org/dependencytrack/util/XmlUtil.java b/src/main/java/org/dependencytrack/util/XmlUtil.java index 2bb2f549a..beb4f9bb2 100644 --- a/src/main/java/org/dependencytrack/util/XmlUtil.java +++ b/src/main/java/org/dependencytrack/util/XmlUtil.java 
@@ -18,83 +18,14 @@ */ package org.dependencytrack.util; -import org.xml.sax.SAXException; -import org.xml.sax.SAXNotRecognizedException; -import org.xml.sax.SAXNotSupportedException; - import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; -import javax.xml.parsers.SAXParser; -import javax.xml.parsers.SAXParserFactory; -import java.io.InputStream; - -import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_LANGUAGE; - -import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_SOURCE; -import static org.apache.xerces.jaxp.JAXPConstants.W3C_XML_SCHEMA; - public final class XmlUtil { - private XmlUtil() { } - - /** - * Constructs a validating secure SAX Parser. - * - * @param schemaStream One or more inputStreams with the schema(s) that the - * parser should be able to validate the XML against, one InputStream per - * schema - * @return a SAX Parser - * @throws javax.xml.parsers.ParserConfigurationException is thrown if there - * is a parser configuration exception - * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an - * unrecognized feature - * @throws org.xml.sax.SAXNotSupportedException thrown if there is a - * non-supported feature - * @throws org.xml.sax.SAXException is thrown if there is a - * org.xml.sax.SAXException - */ - public static SAXParser buildSecureSaxParser(InputStream... 
schemaStream) throws ParserConfigurationException, - SAXNotRecognizedException, SAXNotSupportedException, SAXException { - final SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setValidating(true); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - factory.setFeature("http://xml.org/sax/features/external-general-entities", false); - factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - System.setProperty("javax.xml.accessExternalSchema", "file, https"); - - final SAXParser saxParser = factory.newSAXParser(); - saxParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA); - saxParser.setProperty(JAXP_SCHEMA_SOURCE, schemaStream); - return saxParser; - } - - /** - * Constructs a secure SAX Parser. 
- * - * @return a SAX Parser - * @throws javax.xml.parsers.ParserConfigurationException thrown if there is - * a parser configuration exception - * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an - * unrecognized feature - * @throws org.xml.sax.SAXNotSupportedException thrown if there is a - * non-supported feature - * @throws org.xml.sax.SAXException is thrown if there is a - * org.xml.sax.SAXException - */ - public static SAXParser buildSecureSaxParser() throws ParserConfigurationException, - SAXNotRecognizedException, SAXNotSupportedException, SAXException { - final SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - factory.setFeature("http://xml.org/sax/features/external-general-entities", false); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - return factory.newSAXParser(); + private XmlUtil() { } /** @@ -102,7 +33,7 @@ public static SAXParser buildSecureSaxParser() throws ParserConfigurationExcepti * * @return a new document builder * @throws javax.xml.parsers.ParserConfigurationException thrown if there is - * a parser configuration exception + * a parser configuration exception */ public static DocumentBuilder buildSecureDocumentBuilder() throws ParserConfigurationException { final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
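Review bot: Once the `org.apache.xerces` imports are gone and xercesImpl is dropped from pom.xml in the same commit, `DocumentBuilderFactory.newInstance()` in `buildSecureDocumentBuilder` (visible as context in the second hunk, body continuing outside it) resolves through JAXP service lookup to the JDK's bundled parser or to whatever provider another dependency puts on the classpath, rather than to a pinned implementation, so the hardening features that method sets should be re-verified against the parser that is actually selected at runtime. If that body does not already do so, the implementation-independent way to close external DTD and schema access is `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`, the same JAXP properties the commit message shows `cyclonedx-core-java` relying on. The removed `System.setProperty("javax.xml.accessExternalSchema", "file, https")` was process-wide, so any other schema-validating XML code in the application that silently depended on it changes behaviour with this patch; a grep for `accessExternalSchema` before merge would confirm nothing else did.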