CycloneDX BOM validation fails when URLs contain %-encoded '[' and ']' characters

[4naesthetic]

Current Behavior

When BOM validation is enabled certain CycloneDX BOMs will erroneously fail to validate. This happens (at least) when a component entry contains an external reference with a URL containing %-encoded [ or ] characters (%5B and %5D) in the query string. When this occurs the following (sample) error message is returned from the /api/v1/bom endpoint:

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
        "$.components[3].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[3].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"
    ]
}

This is due to a bug in the underlying json-schema-validator library used by cyclonedx-core-java (which Dependency Track uses for BOM validation). The bug has been fixed in the latest commit but a new release of json-schema-validator hasn't been published yet.

Steps to Reproduce

1. Enable BOM validation in the Administration panel.
2. Upload the following sample BOM to a new or existing project: bom-test.json

Expected Behavior

This BOM should pass validation and successfully populate the project with components.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

N/A

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Thanks for identifying and fixing the issue in json-schema-validator!

Marked this as blocked since we'll have to wait for a validator release.

[Recurse-blip]

A release that contains the fix have been released in json-schema-validator
https://github.com/networknt/json-schema-validator/releases/tag/1.4.2

[nscuro]

Yup, and I merged an update into cyclonedx-core-java earlier today: CycloneDX/cyclonedx-core-java#436

There'll likely be a release of that shorty, closely followed by a v4.11.4 release of DT I reckon...

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.