Add IRI Validation for externalReference URL #1140

Merged
merged 4 commits into from
Jun 5, 2024
5 changes: 4 additions & 1 deletion index.js
Expand Up @@ -66,6 +66,7 @@ import {
getSwiftPackageMetadata,
getTimestamp,
includeMavenTestScope,
isValidIriReference,
parseBazelActionGraph,
parseBazelSkyframe,
parseBdistMetadata,
Expand Down Expand Up @@ -726,7 +727,9 @@ function addExternalReferences(opkg) {
}
}
}
return externalReferences;
return externalReferences
.map((reference) => ({ ...reference, url: reference.url.trim() }))
.filter((reference) => isValidIriReference(reference.url));
}

/**
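Review bot: `reference.url.trim()` on the `.map` line throws a TypeError if any collected reference has no `url` or a non-string one, which would abort `addExternalReferences` for the whole package instead of dropping just that entry; guard it, for example `.filter((reference) => typeof reference.url === "string")` ahead of the map, or `url: String(reference.url ?? "").trim()`, and let the new `isValidIriReference` filter do the dropping. It is also worth a one-line comment here that invalid references are silently discarded, since the only trace is the debug log inside `isValidIriReference`.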
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -91,7 +91,8 @@
"tar": "^6.2.1",
"uuid": "^9.0.1",
"xml-js": "^1.6.11",
"yargs": "^17.7.2"
"yargs": "^17.7.2",
"validate-iri": "^1.0.1"
},
"optionalDependencies": {
"@appthreat/atom": "2.0.12",
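Review bot: `"validate-iri": "^1.0.1"` is appended after `"yargs"`, breaking the alphabetical ordering the rest of the visible dependencies block keeps (`tar`, `uuid`, `xml-js`, `yargs`); move it between `"uuid"` and `"xml-js"`. Since this new dependency sits directly on the path that handles URLs taken from third-party package metadata, consider an exact pin (`"1.0.1"`) instead of a caret range, and confirm the resolved entry and its integrity hash landed in pnpm-lock.yaml.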
8 changes: 8 additions & 0 deletions pnpm-lock.yaml


2 changes: 1 addition & 1 deletion types/index.d.ts.map


12 changes: 12 additions & 0 deletions types/utils.d.ts
Expand Up @@ -1119,6 +1119,18 @@ export function addEvidenceForDotnet(pkgList: any, slicesFile: any): any;
* @returns {Object} pkgFilesMap Object with package name and list of files
*/
export function parseMakeDFile(dfile: string): any;
/**
* Function to validate an externalReference URL for conforming to the JSON schema or bomLink
* https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
* https://datatracker.ietf.org/doc/html/rfc3987#section-2.2
* https://cyclonedx.org/capabilities/bomlink/
*
* @param {String} iri IRI to validate
*
* @returns {Boolean} Flag indicating whether the supplied URL is valid or not
*
*/
export function isValidIriReference(iri: string): boolean;
export const dirNameStr: string;
export const isWin: boolean;
export const isMac: boolean;
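Review bot: this declaration is a hand-written docblock inside a generated `.d.ts` (its `.d.ts.map` is also touched in this PR); make sure it was produced by running the type generator over utils.js rather than edited by hand, otherwise the next regeneration will rewrite it. The wording also mixes `iri` in `@param` with "URL" in `@returns`; say "IRI" in both so it matches the function name.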
2 changes: 1 addition & 1 deletion types/utils.d.ts.map


25 changes: 25 additions & 0 deletions utils.js
Expand Up @@ -46,6 +46,7 @@ import {
satisfies,
valid,
} from "semver";
import { IriValidationStrategy, validateIri } from "validate-iri";
import { xml2js } from "xml-js";
import { getTreeWithPlugin } from "./piptree.js";

Expand Down Expand Up @@ -10593,3 +10594,27 @@ export function parseMakeDFile(dfile) {
pkgFilesMap[pkgName] = Array.from(filesList);
return pkgFilesMap;
}

/**
* Function to validate an externalReference URL for conforming to the JSON schema or bomLink
* https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
* https://datatracker.ietf.org/doc/html/rfc3987#section-2.2
* https://cyclonedx.org/capabilities/bomlink/
*
* @param {String} iri IRI to validate
*
* @returns {Boolean} Flag indicating whether the supplied URL is valid or not
*
*/
export function isValidIriReference(iri) {
const result = validateIri(iri, IriValidationStrategy.Strict);

if (result instanceof Error) {
if (DEBUG_MODE) {
console.log(`IRI failed validation ${iri}`);
}
return false;
Collaborator:
Maybe log the url in debug mode?

Collaborator (Author):
Added!

}

return true;
}
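Review bot: the name and docblock say "IRI reference" (RFC 3987 section 2.2, which includes relative references), but the Strict strategy together with the tests in utils.test.js that expect `UNKNOWN` and `${repository.url}` to fail means this really checks for an absolute IRI with a scheme; document that, or rename to something like `isValidAbsoluteIri`, so callers do not expect relative references to pass. Second point: the `DEBUG_MODE` branch writes the untrusted `iri` string verbatim with `console.log`; since these values come from package metadata, consider `JSON.stringify(iri)` in the template so embedded newlines or control characters cannot forge extra log lines.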
22 changes: 20 additions & 2 deletions utils.test.js
Expand Up @@ -13,6 +13,7 @@ import {
getNugetMetadata,
getPyMetadata,
guessPypiMatchingVersion,
isValidIriReference,
parseBazelActionGraph,
parseBazelBuild,
parseBazelSkyframe,
Expand Down Expand Up @@ -2658,8 +2659,8 @@ test("parsePnpmLock", async () => {
},
});
parsedList = await parsePnpmLock("./pnpm-lock.yaml");
expect(parsedList.pkgList.length).toEqual(643);
expect(parsedList.dependenciesList.length).toEqual(643);
expect(parsedList.pkgList.length).toEqual(644);
expect(parsedList.dependenciesList.length).toEqual(644);
expect(parsedList.pkgList[0]).toEqual({
group: "@ampproject",
name: "remapping",
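Review bot: bumping the expected counts from 643 to 644 only holds while `validate-iri` is the sole lockfile addition; an assertion that `parsedList.pkgList` contains an entry named `validate-iri` would state the intent of this change and survive unrelated lockfile churn better than a bare count.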
Expand Down Expand Up @@ -4066,3 +4067,20 @@ test("parseMakeDFile tests", () => {
],
});
});

test.each([
["", false],
["[email protected]:behat-chrome/chrome-mink-driver.git", false],
[" [email protected]:behat-chrome/chrome-mink-driver.git ", false],
["${repository.url}", false],
// bomLink - https://cyclonedx.org/capabilities/bomlink/]
["urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA", true],
// http uri - https://www.ietf.org/rfc/rfc7230.txt]
["https://gitlab.com/behat-chrome/chrome-mink-driver.git", true],
[" https://gitlab.com/behat-chrome/chrome-mink-driver.git ", false],
["http://gitlab.com/behat-chrome/chrome-mink-driver.git", true],
["git+https://github.com/Alex-D/check-disk-space.git", true],
["UNKNOWN", false],
])("isValidIriReference tests: %s", (url, isValid) => {
expect(isValidIriReference(url)).toBe(isValid);
});
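Review bot: both comment lines end with a stray `]` (`bomlink/]`, `rfc7230.txt]`), which looks like a copy-paste slip; drop them. Coverage-wise the table exercises the empty string, scp-style `user@host:path` git remotes, template placeholders, and whitespace padding, but nothing that distinguishes an IRI from a URI: add a case with a non-ASCII host or path (expected `true` under RFC 3987) and one with an internal space (expected `false`), so the Strict strategy's behaviour on both is pinned down.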