-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sanitize externalReferences URLs and exclude invalid ones + Strict JSON Schema validation #1130
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Maxime Robert <maxime.robert@smile.fr>
Signed-off-by: Tim Messing <141575989+timmyteo@users.noreply.github.com> Signed-off-by: Maxime Robert <maxime.robert@smile.fr>
* @returns {Boolean} Flag indicating whether the supplied URL is valid or not | ||
* | ||
*/ | ||
export function isValidIriReference(url) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if this can be replaced with a simple url parse and protocol checks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@timmyteo was doing a try/catch on new URL()
, but it was allowing urls that are rejected by DependencyTrack. According to my tests, this is the best option to be compatible with DT (I also tried to validate using https://github.com/luzlab/ajv-formats-draft2019/blob/master/formats/iri-reference.js, but it was too permissive too).
Anyway, it needs more testing.
Great work @marob Tested this branch against some of my repos. BOM looks good. Uploaded to DTrack 4.11.1 with BOM Validation enabled without issues One observation: we may need to dedupe externalReferences after sanitization for example
became
|
Any ideas about the test failures? We may have to run it locally to troubleshoot, since the validation errors are not shown. |
I have no idea what those tests are doing. On all the ones that fail, only this one is showing some details on the reason why: https://github.com/CycloneDX/cdxgen/actions/runs/9306982345/job/25617330208?pr=1130 |
|
Can I come up with another branch that doesn't use additional dependencies? If we have more test cases, that will help. |
@@ -71,6 +71,7 @@ | |||
"@npmcli/arborist": "7.5.2", | |||
"ajv": "^8.14.0", | |||
"ajv-formats": "^3.0.1", | |||
"ajv-formats-draft2019": "^1.6.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am having better success with validate-iri package.
import { validateIri, IriValidationStrategy } from 'validate-iri'
let yourIri = 'git@gitlab.com:behat-chrome/chrome-mink-driver.git'
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
yourIri = '${repository.url}';
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
yourIri = 'git+https://github.com/Alex-D/check-disk-space.git';
console.log(validateIri(yourIri, IriValidationStrategy.Strict));
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was looking for some validation library but didn't find this one 👍
@@ -90,7 +91,8 @@ | |||
"tar": "^6.2.1", | |||
"uuid": "^9.0.1", | |||
"xml-js": "^1.6.11", | |||
"yargs": "^17.7.2" | |||
"yargs": "^17.7.2", | |||
"hosted-git-info": "^7.0.2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's not introduce this package and change the url format in this PR. We can drop any non-compliant urls, maybe with a log in DEBUG_MODE.
@@ -35,7 +36,8 @@ export const validateBom = (bomJson) => { | |||
); | |||
const ajv = new Ajv({ | |||
schemas: [schema, defsSchema, spdxSchema], | |||
strict: false, | |||
strict: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep strict: false
, since there could be many other data-quality issues.
@@ -45,6 +47,7 @@ export const validateBom = (bomJson) => { | |||
}, | |||
}); | |||
addFormats(ajv); | |||
addFormatsDraft2019(ajv); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not required when we use validate-iri.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is required when strict is true
@marob Do you have time to look at the pending comments? |
Blocked by: #1134 |
We now have an implementation with validation alone that is merged in master. It currently logs the problematic urls and the then filters them. Let's work on the sanitize feature in a separate branch. |
@marob can you create a new branch to implement the sanitize feature for urls? |
@prabhu Should we create a branch to sanitize externalReference URLs? Do we need that feature? |
@marob definitely feel free to work on a new branch, although this is a lower priority atm due to lack of any requests from the community. |
The goal of this PR is to fix issue #1107
It should also replace #1128