[BUG] URL with quotation marks violates XML schema #1154

@RSM-SLU

Description

Describe the bug

I'm using version 1.19.3 to generate an SBOM. One of the transitive dependencies of the project is polyfills shadycss. They list their bugs.url as "https://github.com/webcomponents/polyfills/issues?q=is%3Aissue+is%3Aopen+label%3A\"Package%3A+shadycss\"". This gets converted to "https://github.com/webcomponents/polyfills/issues?q=is%3Aissue\u002Bis%3Aopen\u002Blabel%3A\u0022Package%3A\u002Bshadycss\u0022".
When sending this URL as part of the SBOM uploaded to Dependencytrack, the schema validation fails with the following error:

{"status":400,"title":"The uploaded BOM is invalid","detail":"Schema validation failed","errors":["$.components[88].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference","$.components[88].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference","$.components[88].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$","$.components[88].externalReferences[2].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference","$.components[88].externalReferences[2].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"]}

This seems similar to the problem in CycloneDX/cyclonedx-node-npm#1198

To Reproduce

Add a bugs entry to the package.json similar to the one in shadycss:

"bugs": "https://github.com/webcomponents/polyfills/issues?q=is%3Aissue+is%3Aopen+label%3A\"Package%3A+shadycss\""

https://github.com/webcomponents/polyfills/blob/794d56d6276258f39f09108c5f2c9451609e0b94/packages/shadycss/package.json#L16C3-L16C117

Expected behavior

The URL needs to be sanitized and accepted by Dependencytrack for further processing.

Screenshots or output-paste

The externalReference in the generated SBOM looks like this:

{
    "url": "https://github.com/webcomponents/polyfills/issues?q=is%3Aissue\u002Bis%3Aopen\u002Blabel%3A\u0022Package%3A\u002Bshadycss\u0022",
    "type": "issue-tracker",
    "comment": "as detected from PackageJson property \u0022bugs.url\u0022"
}

Environment

  • @cyclonedx/cyclonedx-npm version: 1.19.3
  • NPM version: 10.7.0
  • Node version: 20.14.0
  • OS: Linux

Additional context

I develop in Java and this is a problem "caused" by our web framework using Node behind the scenes. As such, I won't be able to help much.
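The JSON in the report decodes to the same URL that package.json carries: `\u002B` is only JSON's escape for `+`, so that part is harmless. The character the `iri-reference` check rejects is the literal `"` (`\u0022`), which RFC 3986/3987 do not allow to appear unescaped in a URL; the fix on the generator side is to percent-encode it as `%22`. The following is an added example of such a sanitizer, not code from cyclonedx-npm or Dependency-Track; the function names, the simplified ASCII-only validity check and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not cyclonedx-npm's own code): percent-encode characters that
// RFC 3986/3987 forbid to appear literally in a URL, so that a package.json
// "bugs" URL passes CycloneDX "iri-reference" schema validation.

// Characters an ASCII URI may contain unescaped (RFC 3986 unreserved,
// gen-delims and sub-delims) plus '%', which introduces a percent-escape.
const URI_ALLOWED = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]$/;
const HEX2 = /^[0-9A-Fa-f]{2}$/;

// Approximate ASCII check of RFC 3986 URI-reference syntax: every character
// must be in the allowed set and every '%' must start a two-hex-digit escape.
// A real IRI also admits non-ASCII characters; this simplified check rejects
// them, which is the conservative choice for an SBOM that will be re-validated.
function isValidUriReference(url) {
  const chars = Array.from(url);
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (!URI_ALLOWED.test(ch)) return false;
    if (ch === '%' && !HEX2.test(chars.slice(i + 1, i + 3).join(''))) return false;
  }
  return true;
}

// Keep allowed characters and well-formed %XX escapes as they are (no double
// encoding); percent-encode everything else, including '"', space, and a
// stray '%' that is not followed by two hex digits.
function sanitizeUrl(raw) {
  const chars = Array.from(raw);
  let out = '';
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (ch === '%') {
      const next2 = chars.slice(i + 1, i + 3).join('');
      if (HEX2.test(next2)) {
        out += '%' + next2; // already a valid escape: copy it through
        i += 2;
      } else {
        out += '%25';       // bare '%' must itself be escaped
      }
      continue;
    }
    // encodeURIComponent yields the UTF-8 percent-encoding of ch, e.g. '"' -> %22
    out += URI_ALLOWED.test(ch) ? ch : encodeURIComponent(ch);
  }
  return out;
}

// Constructed sample: the shadycss bugs URL quoted in the report, as it
// appears in package.json once the JSON string escapes are decoded.
const SHADYCSS_BUGS_URL =
  'https://github.com/webcomponents/polyfills/issues?q=is%3Aissue+is%3Aopen+label%3A"Package%3A+shadycss"';

function demo() {
  const fixed = sanitizeUrl(SHADYCSS_BUGS_URL);
  console.log('raw valid?  ', isValidUriReference(SHADYCSS_BUGS_URL)); // false
  console.log('fixed valid?', isValidUriReference(fixed));             // true
  console.log(fixed);
  return fixed;
}

demo();
```

Running the sanitizer twice returns the same string, so it is safe to apply both when the SBOM is generated and again before upload; the `%25` branch is what prevents a malformed escape in the input from reappearing as a schema error after sanitization.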

Labels: bug (Something isn't working)
