fix: Make sure CycloneDXSbomCreator handles URIs if it runs into a ba…

…d one (#170) 💥
sonatype-nexus-community · Feb 21, 2020 · d6d24ba · d6d24ba
1 parent 05d8ec9
commit d6d24ba
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/src/CycloneDX/CycloneDXSbomCreator.spec.ts b/src/CycloneDX/CycloneDXSbomCreator.spec.ts
@@ -25,6 +25,9 @@ const object = {
     testdependency: {
       name: 'testdependency',
       version: '1.0.1',
+      bugs: {
+        url: 'git+ssh://git@github.com/slackhq/csp-html-webpack-plugin.git',
+      },
       dependencies: {
         testdependency: {
           name: 'testdependency',
@@ -35,6 +38,9 @@ const object = {
     testdependency2: {
       name: 'testdependency2',
       version: '1.0.2',
+      repository: {
+        url: 'git@slack-github.com:anuj/csp-html-webpack-plugin.git',
+      },
       dependencies: {
         testdependency: {
           name: 'testdependency',
@@ -49,7 +55,7 @@ const object = {
   },
 };
 
-const expectedResponse = `<?xml version="1.0" encoding="utf-8"?><bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1"><components><component type="library" bom-ref="pkg:npm/testdependency@1.0.1"><name>testdependency</name><version>1.0.1</version><description/><purl>pkg:npm/testdependency@1.0.1</purl></component><component type="library" bom-ref="pkg:npm/testdependency2@1.0.2"><name>testdependency2</name><version>1.0.2</version><description/><purl>pkg:npm/testdependency2@1.0.2</purl></component><component type="library" bom-ref="pkg:npm/testdependency@1.0.0"><name>testdependency</name><version>1.0.0</version><description/><purl>pkg:npm/testdependency@1.0.0</purl></component><component type="library" bom-ref="pkg:npm/%40scope/testdependency3@1.0.2"><group>@scope</group><name>testdependency3</name><version>1.0.2</version><description/><purl>pkg:npm/%40scope/testdependency3@1.0.2</purl></component></components></bom>`;
+const expectedResponse = `<?xml version="1.0" encoding="utf-8"?><bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1"><components><component type="library" bom-ref="pkg:npm/testdependency@1.0.1"><name>testdependency</name><version>1.0.1</version><description/><purl>pkg:npm/testdependency@1.0.1</purl><externalReferences><reference type="issue-tracker"><url>git+ssh://git@github.com/slackhq/csp-html-webpack-plugin.git</url></reference></externalReferences></component><component type="library" bom-ref="pkg:npm/testdependency2@1.0.2"><name>testdependency2</name><version>1.0.2</version><description/><purl>pkg:npm/testdependency2@1.0.2</purl></component><component type="library" bom-ref="pkg:npm/testdependency@1.0.0"><name>testdependency</name><version>1.0.0</version><description/><purl>pkg:npm/testdependency@1.0.0</purl></component><component type="library" bom-ref="pkg:npm/%40scope/testdependency3@1.0.2"><group>@scope</group><name>testdependency3</name><version>1.0.2</version><description/><purl>pkg:npm/%40scope/testdependency3@1.0.2</purl></component></components></bom>`;
 
 describe('CycloneDXSbomCreator', async () => {
   it('should create an sbom string given a minimal valid object', async () => {

diff --git a/src/CycloneDX/CycloneDXSbomCreator.ts b/src/CycloneDX/CycloneDXSbomCreator.ts
@@ -28,6 +28,7 @@ import { Hash } from './Types/Hash';
 import spdxLicensesNonDeprecated = require('spdx-license-ids');
 import spdxLicensesDeprecated = require('spdx-license-ids/deprecated');
 import { toPurl } from './Helpers/Helpers';
+import { logMessage, DEBUG } from '../Application/Logger/Logger';
 
 export class CycloneDXSbomCreator {
   readonly licenseFilenames: Array<string> = [
@@ -214,19 +215,28 @@ export class CycloneDXSbomCreator {
    * Adds external references supported by the package format.
    */
   private addExternalReferences(pkg: any): Array<ExternalReference> {
-    const externalReferences = [];
+    const externalReferences: Array<ExternalReference> = [];
     if (pkg.homepage) {
-      externalReferences.push({ reference: { '@type': 'website', url: pkg.homepage } });
+      this.pushURLToExternalReferences('website', pkg.repository.url, externalReferences);
     }
     if (pkg.bugs && pkg.bugs.url) {
-      externalReferences.push({ reference: { '@type': 'issue-tracker', url: pkg.bugs.url } });
+      this.pushURLToExternalReferences('issue-tracker', pkg.bugs.url, externalReferences);
     }
     if (pkg.repository && pkg.repository.url) {
-      externalReferences.push({ reference: { '@type': 'vcs', url: pkg.repository.url } });
+      this.pushURLToExternalReferences('vcs', pkg.repository.url, externalReferences);
     }
     return externalReferences;
   }
 
+  private pushURLToExternalReferences(typeOfURL: string, url: string, externalReferences: Array<ExternalReference>) {
+    try {
+      const uri = new URL(url);
+      externalReferences.push({ reference: { '@type': typeOfURL, url: uri.toString() } });
+    } catch (e) {
+      logMessage('Encountered an invalid URL', DEBUG, { title: e.message, stack: e.stack });
+    }
+  }
+
   /**
    * Performs a lookup + validation of the license specified in the
    * package. If the license is a valid SPDX license ID, set the 'id'