fix: PackageUrlFactory omit empty ext-ref urls (#180)

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Fixed
+  * `Factories.PackageUrlFactory` omits empty-string URLs for PackageUrl's qualifiers `download_url` & `vcs_url`. (via [#180]) 
+
+[#180]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/180
+
 ## 1.3.3 - 2022-08-16
 
 * Fixed

src/factories/packageUrl.ts

@@ -40,14 +40,25 @@ export class PackageUrlFactory {
     const qualifiers: PackageURL['qualifiers'] = {}
     let subpath: PackageURL['subpath']
 
-    const extRefs = component.externalReferences
-    for (const extRef of (sort ? extRefs.sorted() : extRefs)) {
+    // sorting to allow reproducibility: use the last instance for a `extRef.type`, if multiples exist
+    const extRefs = sort
+      ? component.externalReferences.sorted()
+      : component.externalReferences
+    for (const extRef of extRefs) {
+      const url = extRef.url.toString()
+      if (url.length <= 0) {
+        continue
+      }
+      // No further need for validation.
+      // According to https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
+      // there is no formal requirement to a `..._url`.
+      // Everything is possible: URL-encoded, not encoded, with schema, without schema
       switch (extRef.type) {
         case ExternalReferenceType.VCS:
-          [qualifiers.vcs_url, subpath] = extRef.url.toString().split('#', 2)
+          [qualifiers.vcs_url, subpath] = url.split('#', 2)
           break
         case ExternalReferenceType.Distribution:
-          qualifiers.download_url = extRef.url.toString()
+          qualifiers.download_url = url
           break
       }
     }

tests/integration/Factories.PackageUrlFactory.test.js

@@ -117,6 +117,24 @@ suite('Factories.PackageUrlFactory', () => {
       assert.deepStrictEqual(actual, expected)
     })
 
+    test('extRef empty url -> omit', () => {
+      const component = new Models.Component(
+        Enums.ComponentType.Library,
+        `name-${salt}`,
+        {
+          externalReferences: new Models.ExternalReferenceRepository([
+            new Models.ExternalReference('', Enums.ExternalReferenceType.VCS),
+            new Models.ExternalReference('', Enums.ExternalReferenceType.Distribution)
+          ])
+        }
+      )
+      const expected = new PackageURL('testing', undefined, `name-${salt}`, undefined, {}, undefined)
+
+      const actual = sut.makeFromComponent(component)
+
+      assert.deepStrictEqual(actual, expected)
+    })
+
     test('hashes -> qualifiers.checksum', () => {
       const component = new Models.Component(
         Enums.ComponentType.Library,
@@ -134,7 +152,7 @@ suite('Factories.PackageUrlFactory', () => {
       assert.deepStrictEqual(actual, expected)
     })
 
-    test('sorted', () => {
+    test('sorted hashes', () => {
       const component = new Models.Component(
         Enums.ComponentType.Library,
         'name',
@@ -164,5 +182,47 @@ suite('Factories.PackageUrlFactory', () => {
       assert.deepStrictEqual(actual, expectedObject)
       assert.deepStrictEqual(actual.toString(), expectedString)
     })
+
+    test('sorted references', () => {
+      const component1 = new Models.Component(
+        Enums.ComponentType.Library,
+        'name',
+        {
+          externalReferences: new Models.ExternalReferenceRepository([
+            new Models.ExternalReference('https://foo.bar/download-1', Enums.ExternalReferenceType.Distribution),
+            new Models.ExternalReference('git+https://foo.bar/repo.git', Enums.ExternalReferenceType.VCS),
+            new Models.ExternalReference('https://foo.bar/download-2', Enums.ExternalReferenceType.Distribution)
+          ])
+        }
+      )
+      const component2 = new Models.Component(
+        Enums.ComponentType.Library,
+        'name',
+        {
+          externalReferences: new Models.ExternalReferenceRepository([
+            // different order of extRefs
+            new Models.ExternalReference('https://foo.bar/download-2', Enums.ExternalReferenceType.Distribution),
+            new Models.ExternalReference('git+https://foo.bar/repo.git', Enums.ExternalReferenceType.VCS),
+            new Models.ExternalReference('https://foo.bar/download-1', Enums.ExternalReferenceType.Distribution)
+          ])
+        }
+      )
+      const expectedObject = new PackageURL('testing', undefined, 'name', undefined,
+        {
+          // expect sorted hash list
+          download_url: 'https://foo.bar/download-2',
+          vcs_url: 'git+https://foo.bar/repo.git'
+        }, undefined)
+      // expect objet's keys in alphabetical oder, expect sorted hash list
+      const expectedString = 'pkg:testing/name?download_url=https://foo.bar/download-2&vcs_url=git+https://foo.bar/repo.git'
+
+      const actual1 = sut.makeFromComponent(component1, true)
+      const actual2 = sut.makeFromComponent(component2, true)
+
+      assert.deepStrictEqual(actual1, expectedObject)
+      assert.deepStrictEqual(actual1.toString(), expectedString)
+      assert.deepStrictEqual(actual2, expectedObject)
+      assert.deepStrictEqual(actual2.toString(), expectedString)
+    })
   })
 })