
[BUG] repository with git ssh url end up violating CycloneDX json schema #1198

Closed
valentijnscholten opened this issue Jun 28, 2024 · 8 comments · Fixed by #1202
Labels: bug

@valentijnscholten

Describe the bug

For projects that have a git SSH url in the repository section, this url ends up as an externalReference in the generated SBOM.
This URL violates the JSON schema's iri-reference format. We ran into this in DependencyTrack.

To Reproduce

Add a git ssh url to your repository section in the package.json:

```json
  "repository": {
    "type": "git",
    "url": "[email protected]:group/repo.git"
  },
```

Expected behavior

Although the input URL doesn't adhere to the iri-reference spec, it might be possible to convert these urls into a git+ssh://... style url, similar to what is already done for known SaaS hosting platforms via https://www.npmjs.com/package/hosted-git-info.

Screenshots or output-paste

Generated bom output:

```json
 "externalReferences": [
        {
          "type": "vcs",
          "url": "[email protected]:group/repo.git",
          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
        },
```

Environment

  • @cyclonedx/cyclonedx-npm version: 1.19.0
  • NPM version: 9.4.0
  • Node version: 19.6.0
  • OS: Ubuntu 22.04 LTS
@jkowalleck (Member)

thanks for reporting, @valentijnscholten.

could you elaborate on how to reproduce?
Maybe add a zip file with a complete project setup, or link to a github repo with a setup?

The current information is just not enough to craft a reproducible (regression) test from.

@jkowalleck (Member)

jkowalleck commented Jun 28, 2024

some details on current sanitizing: there is none for unknown hosts...

see https://runkit.com/jkowalleck/667edd7d89e6c1000878b965

```js
const hostedGitInfo = require("hosted-git-info")

// hosted-git-info only knows a fixed list of hosting platforms; for one of
// those, fromUrl() returns an object whose toString() yields a proper URL
const info1 = hostedGitInfo.fromUrl("[email protected]:group/repo.git", {})
console.log('info1', info1, info1.toString())

// for a host it does not recognise, fromUrl() returns undefined, i.e. no
// sanitizing happens at all
const info2 = hostedGitInfo.fromUrl("[email protected]:group/repo.git", {})
console.log('info2', info2)
```

@jkowalleck (Member)

@valentijnscholten , would you be willing to work on a solution to your problem?

@jkowalleck (Member)

jkowalleck commented Jun 28, 2024

this might work, ... https://runkit.com/jkowalleck/667ee45ffa67ee0008c5f152

```js
const GitUrlParse = require("git-url-parse");

// Note: comparing the `protocols` array with `== ['ssh']` is always false
// (arrays compare by reference), so the string field `protocol` is checked
// instead; git-url-parse reports protocol "ssh" for the scp-like form.

// https URL: protocol is "https", toString() keeps it as-is
const x1 = GitUrlParse("https://github.com/IonicaBizau/node-git-url-parse.git");
console.log(x1);
console.log(x1.toString(x1.protocol === 'ssh' ? 'git+ssh' : undefined));

// scp-like SSH URL: re-serialise it with the git+ssh scheme
const x2 = GitUrlParse("[email protected]:IonicaBizau/node-git-url-parse.git");
console.log(x2);
console.log(x2.toString(x2.protocol === 'ssh' ? 'git+ssh' : undefined));
```
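The conversion the reporter asks for in "Expected behavior" and the library probing in the two comments above, done without any dependency, as an added example (written for this page, not code from the issue's participants or from @cyclonedx/cyclonedx-npm): the scp-like syntax git accepts (`[user@]host:path`) is rewritten to a `git+ssh://` URL, the result is checked against a minimal URI-reference rule, and when no safe form exists the externalReference is dropped rather than emitted, since an absent reference is schema-valid and a malformed `url` is not. The function names, the regular expressions and the sample hostnames are assumptions constructed for the example.

```javascript
// Added example, not code from the issue or from @cyclonedx/cyclonedx-npm.
// Converts git's scp-like SSH syntax ("[user@]host:path") into a git+ssh://
// URL so the value can be emitted as a CycloneDX externalReference without
// violating the schema's iri-reference format. Names, regular expressions and
// sample hostnames are assumptions constructed for this example.

// git's rule for the scp form: no "://", and the first ":" comes before any
// "/" (a "/" before ":" means a local path such as "./dir:with:colons").
const SCP_LIKE = /^(?:([^@\/:]+)@)?([^:\/]+):(?!\/\/)(.+)$/;
const HAS_SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:/;

// Minimal check modelled on RFC 3986/3987: either an absolute reference the
// URL parser accepts, or a relative reference whose first path segment has
// no ":" (which is exactly where "git@host:path" fails validation).
function isUriReference(s) {
  if (HAS_SCHEME.test(s)) {
    try { new URL(s); return true; } catch { return false; }
  }
  const firstSegment = s.split(/[/?#]/, 1)[0];
  return !firstSegment.includes(':');
}

// Returns a URL string with a scheme, or null when no safe representation
// exists. The scp form is tested first because "host:path" is also a
// syntactically valid URI with scheme "host", and git reads it as scp-like.
function normaliseGitUrl(raw) {
  const s = raw.trim();
  const m = SCP_LIKE.exec(s);
  if (m !== null) {
    const [, user, host, path] = m;
    const userinfo = user ? `${encodeURIComponent(user)}@` : '';
    // The scp path is relative to the login's home directory; a URL needs
    // an absolute path component, so prefix exactly one "/".
    const candidate = `git+ssh://${userinfo}${host}/${path.replace(/^\/+/, '')}`;
    return isUriReference(candidate) ? candidate : null;
  }
  // Anything else is passed through only if it already carries a scheme the
  // URL parser accepts (https://, ssh://, git+ssh://, ...).
  return HAS_SCHEME.test(s) && isUriReference(s) ? s : null;
}

// Build the externalReference entry, or null so the caller can omit it.
function vcsReference(rawUrl) {
  const url = normaliseGitUrl(rawUrl);
  if (url === null) return null;
  return {
    type: 'vcs',
    url,
    comment: 'normalised from PackageJson property "repository.url"',
  };
}

// Constructed samples, including the cases that must be dropped.
for (const sample of [
  'git@gitlab.example:group/repo.git',        // scp-like, unknown host
  'gitlab.example:group/repo.git',            // scp-like, no user part
  'ssh://git@gitlab.example/group/repo.git',  // already a URL
  'https://github.com/group/repo.git',        // already a URL
  './dir:with:colons',                        // local path, not a remote
]) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(vcsReference(sample)));
}
```

The `git+ssh` scheme is chosen over plain `ssh` because it keeps the transport explicit for SBOM consumers; either is a valid absolute URI reference, so a reader who prefers `ssh://` only has to change the prefix in `normaliseGitUrl`.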

jkowalleck added the "help wanted" label Jun 28, 2024
@jkowalleck (Member)

i will work on this very soon

jkowalleck self-assigned this Jul 9, 2024
jkowalleck removed the "help wanted" label Jul 9, 2024

@valentijnscholten (Author)

Thanks! I'll give it a go soon.

@jkowalleck (Member)

v1.19.2 includes the fix
