Fix BOM validation failing when URL contains encoded [ and ] char…

…acters Also drop dependency on outdated `xercesImpl`. `xercesImpl` does not support the `http://javax.xml.XMLConstants/property/accessExternalDTD` property that `cyclonedx-core-java` is using: ``` java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) at org.cyclonedx.parsers.XmlParser.createSecureDocument(XmlParser.java:339) at org.cyclonedx.parsers.XmlParser.extractAllNamespaceDeclarations(XmlParser.java:310) at org.cyclonedx.parsers.XmlParser.identifySchemaVersion(XmlParser.java:296) at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:97) ``` ~The remaining code relying on `xerces` turned out to be unused, and was consequently removed as well.~ Code depending on `xercesImpl` was removed already. Ports DependencyTrack/dependency-track#3866 from Dependency-Track v4.11.4. Signed-off-by: nscuro <nscuro@protonmail.com>
DependencyTrack · Jun 24, 2024 · 52173ce · 52173ce
1 parent 4a760c5
commit 52173ce
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 13 deletions.
diff --git a/pom.xml b/pom.xml
@@ -92,7 +92,7 @@
         <lib.cpe-parser.version>2.1.0</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.3</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
-        <lib.cyclonedx-java.version>9.0.3</lib.cyclonedx-java.version>
+        <lib.cyclonedx-java.version>9.0.4</lib.cyclonedx-java.version>
         <lib.jackson.version>2.17.1</lib.jackson.version>
         <lib.jackson-databind.version>2.17.1</lib.jackson-databind.version>
         <lib.jaxb.runtime.version>2.3.6</lib.jaxb.runtime.version>
@@ -391,18 +391,6 @@
             <version>${lib.liquibase.version}</version>
         </dependency>
 
-        <!-- Xerces -->
-        <dependency>
-            <groupId>xerces</groupId>
-            <artifactId>xercesImpl</artifactId>
-            <version>2.12.2</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
         <!-- Commons Compress -->
         <dependency>
             <groupId>org.apache.commons</groupId>

diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
@@ -218,4 +218,27 @@ public void testValidateWithValidBom(final Path bomFilePath) throws Exception {
         assertThatNoException().isThrownBy(() -> validator.validate(bomBytes));
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/3831
+    public void testValidateJsonWithUrlContainingEncodedBrackets() {
+        assertThatNoException()
+                .isThrownBy(() -> validator.validate("""
+                        {
+                          "bomFormat": "CycloneDX",
+                          "specVersion": "1.5",
+                          "components": [
+                            {
+                              "type": "library",
+                              "name": "acme-library",
+                              "externalReferences": [
+                                {
+                                  "type": "website",
+                                  "url": "https://example.com/foo?bar=%5Bbaz%5D"
+                                }
+                              ]
+                            }
+                          ]
+                        }
+                        """.getBytes()));
+    }
+
 }