Describe the bug
For projects that have a git SSH URL in the repository section, this URL ends up as externalReference in the generated SBOM.
This URL violates the JSON schema iri-reference format. We ran into this in DependencyTrack.
To Reproduce
Add a git SSH URL to the repository section of your package.json:
  "repository": {
    "type": "git",
    "url": "git@gitlab.dontcare.com:group/repo.git"
  },
Expected behavior
Although the input URL doesn't adhere to the iri-reference spec, it might be possible to convert these URLs into a git+ssh://... style URL, similar to what is already done for known SaaS hosting platforms via https://www.npmjs.com/package/hosted-git-info
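One way to implement the conversion described above, as an added example that is not code from cyclonedx-npm or hosted-git-info: rewrite an scp-style SSH locator into a git+ssh:// URL and check that the result parses as an absolute URL. The regex, function names and the sample reference are assumptions made for this example.

```javascript
// Added example, not code from cyclonedx-npm or hosted-git-info.
// Rewrites an scp-style git SSH locator ("[user@]host:path", no "://") into a
// git+ssh:// URL, which is an absolute URL and therefore a valid iri-reference
// for externalReferences[].url. The regex is our own reading of git's rule:
// a locator is scp-like when there is no "/" before the first ":".
const SCP_LIKE = /^(?:([^@\/:]+)@)?([^\/:]+):(?!\/\/)(.*)$/;

function normalizeVcsUrl(raw) {
  const url = String(raw).trim();
  // Already carries a scheme (https://, ssh://, git+ssh://, ...): leave it.
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) return url;
  const m = SCP_LIKE.exec(url);
  if (!m) return url; // local path or something else we do not touch
  const [, user, host, path] = m;
  const userinfo = user ? `${user}@` : '';
  // hosted-git-info maps "host:group/repo.git" to "host/group/repo.git"; we do
  // the same. Strictly, an scp path is home-relative, so a self-hosted server
  // with bare repos under $HOME may need "/~/" instead (caveat, not handled).
  const normPath = path.startsWith('/') ? path : `/${path}`;
  return `git+ssh://${userinfo}${host}${normPath}`;
}

// Necessary (not sufficient) check: does the value parse as an absolute URL?
// The raw scp-style form has no scheme, so the WHATWG parser rejects it.
function isAbsoluteUrl(value) {
  try {
    new URL(value);
    return true;
  } catch {
    return false;
  }
}

// Apply the fix to a component's externalReferences, touching only vcs entries.
function normalizeVcsReferences(externalReferences) {
  return externalReferences.map((ref) =>
    ref.type === 'vcs' ? { ...ref, url: normalizeVcsUrl(ref.url) } : ref
  );
}

// Constructed sample mirroring the BOM output in the report.
const SAMPLE_EXTERNAL_REFERENCES = [
  {
    type: 'vcs',
    url: 'git@gitlab.dontcare.com:group/repo.git',
    comment: 'as detected from PackageJson property "repository.url"',
  },
];
```

Running normalizeVcsReferences(SAMPLE_EXTERNAL_REFERENCES) yields the same entry with url rewritten to git+ssh://git@gitlab.dontcare.com/group/repo.git, which isAbsoluteUrl accepts while the original value is rejected.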
Screenshots or output-paste
Generated bom output:
  "externalReferences": [
    {
      "type": "vcs",
      "url": "git@gitlab.dontcare.com:group/repo.git",
      "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
    },
Environment
- @cyclonedx/cyclonedx-npm version: 1.19.0
- NPM version: 9.4.0
- Node version: 19.6.0
- OS: Ubuntu 22.04LTS