[BUG] repository with git ssh url end up violating CycloneDX json schema

[valentijnscholten]

Describe the bug

For projects that have a git SSH url in the repository section, this url ends up as externalReference in the generated SBOM.
This is URL violates the JSON schema iri-reference. We ran into this in DependencyTrack

To Reproduce

Add a git ssh url to your repository section in the package.json

  "repository": {
    "type": "git",
    "url": "git@gitlab.dontcare.com:group/repo.git"
  },

Expected behavior

Although the input URL doesn't adhere to the iri-reference spec, it might be possible to convert these urls into a git+ssh://... style url. Similar to what is already done for known saas hosting platforms via https://www.npmjs.com/package/hosted-git-info

Screenshots or output-paste

Generated bom output:

 "externalReferences": [
        {
          "type": "vcs",
          "url": "git@gitlab.dontcare.com:group/repo.git",
          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
        },

Environment

• @cyclonedx/cyclonedx-npm version: 1.19.0
• NPM version: 9.4.0
• Node version: 19.6.0
• OS: Ubuntu 22.04LTS

[jkowalleck]

thanks for reporting, @valentijnscholten .

could you elaborate on how to reproduce?
Maybe add a zip file with a complete project setup, or link to a github repo with a setup?

The current information is just not enough to craft a reproducible (regression) test from.

[jkowalleck]

some details on current sanitizing: there is none for unknown hosts...

see https://runkit.com/jkowalleck/667edd7d89e6c1000878b965

const hostedGitInfo = require("hosted-git-info")

const info1 = hostedGitInfo.fromUrl("git@github.com:group/repo.git", {})
console.log('info1', info1, info1.toString())

const info2 = hostedGitInfo.fromUrl("git@gitlab.example.com:group/repo.git", {})
console.log('info2', info2)

[jkowalleck]

@valentijnscholten , would you be willing to work on a solution to your problem?

[jkowalleck]

this might work, ... https://runkit.com/jkowalleck/667ee45ffa67ee0008c5f152

const GitUrlParse = require("git-url-parse");

const x1= GitUrlParse("http://github.com/IonicaBizau/node-git-url-parse.git");
console.log(x1);
console.log(x1.toString(x1.protocols == ['ssh'] ? 'git+ssh' : undefined));

const x2 = GitUrlParse("git@gitlab.example.com:IonicaBizau/node-git-url-parse.git");
console.log(x2);
console.log(x2.toString(x2.protocols == ['ssh'] ? 'git+ssh' : undefined));

[jkowalleck]

i will work on this very soon

[jkowalleck]

relevant docs: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#repository

[valentijnscholten]

Thanks! I'll give it a go soon.

[jkowalleck]

v1.19.2 includes the fix