
CycloneDX sbom cannot be imported because of validation issue Error 400 when advisory url contains spaces #3900

Closed
djeanprost opened this issue Jul 1, 2024 · 5 comments
Labels
wontfix This will not be worked on

Comments

@djeanprost

Current Behavior

Hello

Trivy 0.52.2 has generated an SBOM for me that contains this, which I think is the cause of my error.

{
          "url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
        }

"Schema validation failed","errors":["$.vulnerabilities[73].advisories[9].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",

And one of the URLs is this one. I guess the space after the commit id is the culprit.
As a workaround, I decided to temporarily disable schema validation.

Here is an extract of my SBOM.

{
      "id": "CVE-2021-3733",
      "source": {
        "name": "debian",
        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        400
      ],
      "description": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-3733"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-3733"
        },
        {
          "url": "https://bugs.python.org/issue43075"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
        },
        {
          "url": "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-14-final"
        },
        {
          "url": "https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-11-final"
        },
        {
          "url": "https://docs.python.org/3.8/whatsnew/changelog.html#python-3-8-10-final"
        },
        {
          "url": "https://docs.python.org/3.9/whatsnew/changelog.html#python-3-9-5-final"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2022-1821.html"
        },
        {
          "url": "https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"
        },
        {
          "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
        },
        {
          "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)"
        },
        {
          "url": "https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)"
        },
        {
          "url": "https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)"
        },
        {
          "url": "https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)"
        },
        {
          "url": "https://github.com/python/cpython/pull/24391"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2021-3733.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2022-1821.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220407-0001/"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2021-3733"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5083-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5199-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5200-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3733"
        }
      ],
      "published": "2022-03-10T17:42:59+00:00",
      "updated": "2023-06-30T23:15:09+00:00",
      "affects": [
        {
          "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "3.9.2-1",
              "status": "affected"
            }
          ]
        }
      ]
    }

Steps to Reproduce

Expected Behavior

This SBOM should be imported correctly. Could it be a Trivy issue?

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

@djeanprost djeanprost added defect Something isn't working in triage labels Jul 1, 2024
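As an added example, not code from this issue, from Dependency-Track or from Trivy: a small Python pre-import check that scans a CycloneDX JSON BOM for advisory URLs that would trip the iri-reference validation quoted above, reports them with the same $.vulnerabilities[i].advisories[j].url path the validator prints, and optionally repairs entries that carry a trailing version annotation such as " (3.6.14)" by moving the annotation into the advisory's title field. The forbidden-character set is a conservative approximation of the RFC 3987 check rather than the schema validator's own pattern, the sample BOM is constructed for the example, and the names SAMPLE_BOM, find_invalid_advisory_urls and sanitize_advisories are chosen here.

```python
import copy
import json
import re
import sys
from typing import Any, Dict, List, Tuple

# ASCII characters that RFC 3986/3987 never allow unescaped in a URI/IRI
# reference (whitespace, angle brackets, quotes, braces, pipe, backslash,
# caret, backtick). Non-ASCII is deliberately not flagged: RFC 3987 permits
# it in an IRI. This is an approximation of the validator's check, not the
# CycloneDX schema's own regular expression.
_FORBIDDEN = re.compile(r'[\s<>"{}|\\^`]')

# A URL followed by one whitespace-separated parenthesised note, e.g.
# "https://github.com/.../commit/<sha> (3.6.14)".
_TRAILING_NOTE = re.compile(r"^(?P<url>\S+)\s+\((?P<note>[^()]*)\)\s*$")

# Constructed sample BOM for the example; the second advisory is the URL
# shape from the issue, the third has spaces with no parenthesised note.
SAMPLE_BOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {
            "id": "CVE-2021-3733",
            "advisories": [
                {"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"},
                {"url": "https://github.com/python/cpython/commit/"
                        "3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)"},
                {"url": "https://example.invalid/advisory with spaces"},
            ],
        }
    ],
}


def find_invalid_advisory_urls(bom: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (json_path, url) for every advisory URL containing a forbidden character."""
    hits: List[Tuple[str, str]] = []
    for vi, vuln in enumerate(bom.get("vulnerabilities", [])):
        for ai, adv in enumerate(vuln.get("advisories", [])):
            url = adv.get("url", "")
            if _FORBIDDEN.search(url):
                hits.append((f"$.vulnerabilities[{vi}].advisories[{ai}].url", url))
    return hits


def sanitize_advisories(bom: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Tuple[str, str, str]]]:
    """Return a deep copy of the BOM with offending advisories repaired or dropped.

    An advisory whose URL is clean apart from a trailing " (note)" keeps the bare
    URL and gets the note as its title (unless a title is already present).
    Anything else is dropped rather than percent-encoded, because a URL with a
    literal space is not a usable reference; every change is recorded as
    (json_path, action, original_url) so the operator can review it.
    """
    fixed = copy.deepcopy(bom)
    changes: List[Tuple[str, str, str]] = []
    for vi, vuln in enumerate(fixed.get("vulnerabilities", [])):
        if "advisories" not in vuln:
            continue
        kept = []
        for ai, adv in enumerate(vuln["advisories"]):
            url = adv.get("url", "")
            path = f"$.vulnerabilities[{vi}].advisories[{ai}].url"
            if not _FORBIDDEN.search(url):
                kept.append(adv)
                continue
            m = _TRAILING_NOTE.match(url)
            if m and not _FORBIDDEN.search(m["url"]):
                repaired = dict(adv, url=m["url"])
                repaired.setdefault("title", m["note"])
                kept.append(repaired)
                changes.append((path, "moved annotation to title", url))
            else:
                changes.append((path, "dropped", url))
        vuln["advisories"] = kept
    return fixed, changes


if __name__ == "__main__":
    # Usage: python check_advisories.py bom.json [fixed.json]
    bom = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_BOM
    for path, url in find_invalid_advisory_urls(bom):
        print(f"{path}: invalid iri-reference: {url!r}")
    if len(sys.argv) > 2:
        fixed, changes = sanitize_advisories(bom)
        for path, action, url in changes:
            print(f"{path}: {action}: {url!r}")
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            json.dump(fixed, out, indent=2)
```

Running the check before upload keeps schema validation on in Dependency-Track while still getting the BOM in; the sanitized copy is what you upload, and the recorded changes tell you which references were altered or lost, which is preferable to switching validation off globally.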
@nscuro
Member

nscuro commented Jul 1, 2024

This appears to be more like defect in Trivy rather than DT. Since DT is merely enforcing the CycloneDX schema, there's not much we can do from our side.

@VinodAnandan
Contributor

Related PR - aquasecurity/trivy#6952

@knqyf263

knqyf263 commented Jul 1, 2024

It's actually a problem in Debian, but we worked it around on the Trivy end.
aquasecurity/trivy#6801

It will be shipped in v0.53.0, which is planned to be out today or tomorrow. You can subscribe to the release PR. When it gets merged, v0.53.0 will be released.

@djeanprost
Author

I think we can close the issue. Thank you for the deep answer.

@nscuro nscuro added wontfix This will not be worked on and removed defect Something isn't working pending more information labels Jul 1, 2024
Contributor

github-actions bot commented Aug 1, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 1, 2024

4 participants