SBOM Validation not checking iri-reference #127

Opened by @Herve-M

Description

Hello!

While using this tool to validate SBOMs to be uploaded to DT (v4.12 & v4.13), DT seems to always refuse them due to:
$.components[XX].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference

Which seems related to DependencyTrack/dependency-track#3775.

Example with the file:

Welcome to the sbom-utility! Version 'v0.17.1' (sbom-utility) (windows/amd64)
=============================================================================
[INFO] Loading (embedded) default schema config file: 'config.json'...
[INFO] Loading (embedded) default license policy file: 'license.json'...
[INFO] Attempting to load and unmarshal data from: 'bom.json'...
[INFO] Successfully unmarshalled data from: 'bom.json'
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): 'CycloneDX', '1.4' (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Loading schema 'schema/cyclonedx/1.4/bom-1.4.schema.json'...
[INFO] Found schema dependencies: [jsf-0.82.schema.json spdx.schema.json]
[INFO] Added schema 'schema/cyclonedx/common/jsf-0.82.schema.json' to loader:...
[INFO] Added schema 'schema/cyclonedx/common/spdx.schema.json' to loader:...
[INFO] Compiling schema: 'schema/cyclonedx/1.4/bom-1.4.schema.json'...
[INFO] Schema 'schema/cyclonedx/1.4/bom-1.4.schema.json' loaded
[INFO] Validating 'bom.json'...
[INFO] BOM valid against JSON schema: 'true'

Output from DT v4.13:

{
    "status": 400,
    "title": "The uploaded BOM is invalid",
    "detail": "Schema validation failed",
    "errors": [
        "$.components[17].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[20].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[21].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
        "$.components[42].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference"
    ]
}

Part of the JSON SBOM file that fails, created with CycloneDX-net 5.2.0.0:

{
  "type": "library",
  "bom-ref": "pkg:nuget/Dapper@2.0.35",
  "name": "Dapper",
  "version": "2.0.35",
  "description": "A high performance Micro-ORM supporting SQL Server, MySQL, Sqlite, SqlCE, Firebird etc..",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-512",
      "content": "E4E458FBDCF993F654704D916C40CC4FD6F040D952B8DF771141762FAB684022A711C9EBCF9290EA3DB83E0AC26A4CC896CC22F969E9A74F04BBD9E4C110236D"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0"
      }
    }
  ],
  "copyright": "2019 Stack Exchange, Inc.",
  "purl": "pkg:nuget/Dapper@2.0.35",
  "externalReferences": [
    {
      "url": "https://github.com/StackExchange/Dapper",
      "type": "website"
    },
    {
      "url": "https://github.com/StackExchange/Dapper",
      "type": "vcs"
    }
  ]
}
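Added example (not part of sbom-utility, Dependency-Track or the reporter's files): a local pre-upload check that walks every component, including nested ones, and screens each externalReferences[].url with a lexical RFC 3987 IRI-reference check, reporting failures with the same JSON path style DT uses. JSON Schema treats the `format` keyword as an annotation unless a validator is configured to assert it, so two validators can legitimately disagree on `iri-reference`; running a check like this before upload surfaces the offending field regardless. The sample BOM is constructed: the Dapper entry from the report (both URLs pass) plus a made-up component whose references carry mistakes that do fail this check (an scp-style git URL, an unescaped space, a broken percent-escape). The check is a conservative screen written for this example, not a full RFC 3987 parser.

```python
"""Pre-upload check: flag CycloneDX externalReferences[].url values that are not RFC 3987 IRI-references."""
import json
import re
import sys

# ASCII characters that RFC 3986/3987 never allow unescaped anywhere in a reference.
# Non-ASCII is permitted in an IRI (ucschar / iprivate), so only ASCII is screened here.
_FORBIDDEN_ASCII = set(' <>"{}|\\^`')
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ":"
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def iri_reference_problem(value):
    """Return None when value passes a lexical IRI-reference check, else a short reason string.

    Conservative screen written for this example (not a full RFC 3987 parser): it catches the
    character-level mistakes that make a schema validator reject a url field.
    """
    if not isinstance(value, str):
        return "not a string"
    for offset, ch in enumerate(value):
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            return f"control character U+{code:04X} at offset {offset}"
        if ch in _FORBIDDEN_ASCII:
            return f"unescaped {ch!r} at offset {offset}"
    # every '%' must start a two-hex-digit escape
    for match in re.finditer("%", value):
        if not _PCT_ESCAPE.match(value, match.start()):
            return f"invalid percent-escape at offset {match.start()}"
    if value.count("#") > 1:
        return "more than one '#' (a fragment cannot contain '#')"
    # RFC 3986 section 4.2: the first segment of a relative-path reference must not contain ':'
    # unless the text before it is a valid scheme. This is what trips scp-style git URLs.
    first_segment = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" in first_segment and not _SCHEME.match(value):
        return "':' in first path segment without a valid scheme (e.g. scp-style git URL)"
    return None


def _component_urls(components, json_path):
    """Yield (json_path, url) for every externalReferences entry, recursing into nested components."""
    for i, component in enumerate(components or []):
        component_path = f"{json_path}[{i}]"
        for j, reference in enumerate(component.get("externalReferences") or []):
            yield f"{component_path}.externalReferences[{j}].url", reference.get("url")
        yield from _component_urls(component.get("components"), f"{component_path}.components")


def check_bom_external_references(bom):
    """Return DT-style error strings for every externalReferences url that fails the check."""
    errors = []
    for json_path, url in _component_urls(bom.get("components"), "$.components"):
        problem = iri_reference_problem(url)
        if problem is not None:
            errors.append(f"{json_path}: does not match the iri-reference pattern ({problem})")
    return errors


# Constructed sample BOM: the Dapper component from the report plus a made-up component
# whose references carry typical mistakes (scp-style git URL, raw space, broken %-escape).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library", "name": "Dapper", "version": "2.0.35",
            "purl": "pkg:nuget/Dapper@2.0.35",
            "externalReferences": [
                {"url": "https://github.com/StackExchange/Dapper", "type": "website"},
                {"url": "https://github.com/StackExchange/Dapper", "type": "vcs"},
            ],
        },
        {
            "type": "library", "name": "example-a", "version": "1.0.0",
            "externalReferences": [
                {"url": "git@github.com:Example/example-a.git", "type": "vcs"},
                {"url": "https://example.test/docs/Release Notes.html", "type": "documentation"},
                {"url": "https://example.test/%ZZ", "type": "website"},
            ],
        },
    ],
}

if __name__ == "__main__":
    # usage: python check_refs.py [bom.json]; with no argument the constructed sample is checked
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    problems = check_bom_external_references(bom)
    for line in problems:
        print(line)
    print(f"{len(problems)} externalReferences url(s) would fail an iri-reference format check")
    sys.exit(1 if problems else 0)
```

Run it against the real bom.json and compare its output with DT's error list; a url that DT rejects but this screen accepts points at a stricter rule in DT's validator (or a non-ASCII/IDN case this lexical check deliberately lets through), which narrows the investigation quickly.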

Labels

invalid: This doesn't seem right
working as designed: The description indicates the tool is working as designed