Sanitize externalReferences URLs and exclude invalid ones + Strict JSON Schema validation #1130
Conversation
Signed-off-by: Maxime Robert <[email protected]>
Signed-off-by: Tim Messing <[email protected]> Signed-off-by: Maxime Robert <[email protected]>
| * @returns {Boolean} Flag indicating whether the supplied URL is valid or not | ||
| * | ||
| */ | ||
| export function isValidIriReference(url) { |
There was a problem hiding this comment.
Wondering if this can be replaced with a simple url parse and protocol checks?
There was a problem hiding this comment.
@timmyteo was doing a try/catch on new URL(), but it was allowing urls that are rejected by DependencyTrack. According to my tests, this is the best option to be compatible with DT (I also tried to validate using https://github.com/luzlab/ajv-formats-draft2019/blob/master/formats/iri-reference.js, but it was too permissive too).
Anyway, it needs more testing.
|
Great work @marob Tested this branch against some of my repos. BOM looks good. Uploaded to DTrack 4.11.1 with BOM Validation enabled without issues One observation: we may need to dedupe externalReferences after sanitization for example became |
|
Any ideas about the test failures? We may have to run it locally to troubleshoot, since the validation errors are not shown. |
I have no idea what those tests are doing. On all the ones that fail, only this one is showing some details on the reason why: https://github.com/CycloneDX/cdxgen/actions/runs/9306982345/job/25617330208?pr=1130 |
|
|
|
Can I come up with another branch that doesn't use additional dependencies? If we have more test cases, that will help. |
| @@ -71,6 +71,7 @@ | |||
| "@npmcli/arborist": "7.5.2", | |||
| "ajv": "^8.14.0", | |||
| "ajv-formats": "^3.0.1", | |||
| "ajv-formats-draft2019": "^1.6.1", | |||
There was a problem hiding this comment.
I am having better success with validate-iri package.
import { validateIri, IriValidationStrategy } from 'validate-iri'
let yourIri = '[email protected]:behat-chrome/chrome-mink-driver.git'
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
yourIri = '${repository.url}';
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
yourIri = 'git+https://github.com/Alex-D/check-disk-space.git';
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
There was a problem hiding this comment.
I was looking for some validation library but didn't find this one 👍
| @@ -90,7 +91,8 @@ | |||
| "tar": "^6.2.1", | |||
| "uuid": "^9.0.1", | |||
| "xml-js": "^1.6.11", | |||
| "yargs": "^17.7.2" | |||
| "yargs": "^17.7.2", | |||
| "hosted-git-info": "^7.0.2" | |||
There was a problem hiding this comment.
Let's not introduce this package and change the url format in this PR. We can drop any non-compliant urls, maybe with a log in DEBUG_MODE.
| @@ -35,7 +36,8 @@ export const validateBom = (bomJson) => { | |||
| ); | |||
| const ajv = new Ajv({ | |||
| schemas: [schema, defsSchema, spdxSchema], | |||
| strict: false, | |||
| strict: true, | |||
There was a problem hiding this comment.
Let's keep strict: false, since there could be many other data-quality issues.
| @@ -45,6 +47,7 @@ export const validateBom = (bomJson) => { | |||
| }, | |||
| }); | |||
| addFormats(ajv); | |||
| addFormatsDraft2019(ajv); | |||
There was a problem hiding this comment.
This is not required when we use validate-iri.
There was a problem hiding this comment.
This is required when strict is true
|
@marob Do you have time to look at the pending comments? |
|
Blocked by: #1134 |
|
We now have an implementation with validation alone that is merged in master. It currently logs the problematic urls and the then filters them. Let's work on the sanitize feature in a separate branch. |
|
@marob can you create a new branch to implement the sanitize feature for urls? |
|
@prabhu Should we create a branch to sanitize externalReference URLs? Do we need that feature? |
|
@marob definitely feel free to work on a new branch, although this is a lower priority atm due to lack of any requests from the community. |
The goal of this PR is to fix issue #1107
It should also replace #1128