CycloneDX SBOM output does not properly escape vulnerability URL

[umbertooo]

Description

In out build pipeline we use the Trivy generated SBOM and upload it into Dependency Track (https://github.com/DependencyTrack) . Since the latest release 4.11.0 of DT, they validated uploaded BOM against the CycloneDX schema. This leads to validation errors

...
$.vulnerabilities[83].advisories[6].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference
...

and Dependency Track stops processing this BOM.

References
DependencyTrack/dependency-track#3741
dotnet/sdk#41057 (comment)

Desired Behavior

The generated SBOM should properly encode special characters in URL. Given this URL https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL) should be encoded as https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0%20%282.35-TRIAL%29

Actual Behavior

This URL https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL) is output in the BOM as-is. (including parentheses and spaces).

complete output report.json

Reproduction Steps

1. `trivy image debian --format cyclonedx --scanners vuln --output report.json debian:bullseye`

As of today 2024-05-27 this report contains this vulnerability


{
      "id": "CVE-2023-31484",
      "source": {
        "name": "debian",
        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 8.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        295
      ],
      "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.",
      "advisories": [
        ... **REDACTED**
        {
          "url": "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)"
        }
        ... **REDACTED**
      ],
      "published": "2023-04-29T00:15:09+00:00",
      "updated": "2023-11-07T04:14:19+00:00",
      "affects": [
        {
          "ref": "pkg:deb/debian/[email protected]%2Bdeb11u3?arch=amd64&distro=debian-11.9",
          "versions": [
            {
              "version": "5.32.1-4+deb11u3",
              "status": "affected"
            }
          ]
        }
      ]
    }

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-05-27T14:30:37Z    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-27T14:30:37Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T14:30:37Z    DEBUG   Ignore statuses statuses=[]
2024-05-27T14:30:37Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-05-27T14:30:37Z    DEBUG   There is no valid metadata file err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-05-27T14:30:37Z    INFO    Need to update DB
2024-05-27T14:30:37Z    INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-27T14:30:37Z    DEBUG   No metadata file
2024-05-27T14:30:46Z    DEBUG   Updating database metadata...
2024-05-27T14:30:46Z    DEBUG   DB info schema=2 updated_at=2024-05-27T12:12:13.610701029Z next_update=2024-05-27T18:12:13.610700879Z downloaded_at=2024-05-27T14:30:46.278274876Z
2024-05-27T14:30:46Z    INFO    Vulnerability scanning is enabled
2024-05-27T14:30:46Z    DEBUG   Vulnerability type      type=[os library]
2024-05-27T14:30:46Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T14:30:47Z    DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T14:30:47Z    DEBUG   [image] Detected image ID       image_id="sha256:53ceee7f0775f861b4245d08192f7b32660e8193655f73b11cce8208a54f5769"
2024-05-27T14:30:47Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:82677505c894548130a3c97e95faa57399f02ea2fb97667d934fd6b807ea7108]
2024-05-27T14:30:47Z    DEBUG   [image] Detected base layers    diff_ids=[]
2024-05-27T14:30:47Z    DEBUG   [image] Missing image ID in cache       image_id="sha256:53ceee7f0775f861b4245d08192f7b32660e8193655f73b11cce8208a54f5769"
2024-05-27T14:30:47Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:82677505c894548130a3c97e95faa57399f02ea2fb97667d934fd6b807ea7108"
2024-05-27T14:30:55Z    DEBUG   No secrets found in container image config
2024-05-27T14:30:55Z    INFO    Detected OS     family="debian" version="11.9"
2024-05-27T14:30:55Z    INFO    [debian] Detecting vulnerabilities...   os_version="11" pkg_num=96
2024-05-27T14:30:55Z    INFO    Number of language-specific files       num=0

Operating System

Windows 10 (10.0.19045 Build 19045),Linux BWP-3260404 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Version

Version: 0.51.2

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

duplicate of #6224