ExternalReference.url XML validation error xs:anyURI #158

Closed
uselab opened this issue Dec 2, 2021 · 6 comments · Fixed by #159

uselab commented Dec 2, 2021

  • the version you are using
    cyclonedx/cyclonedx-php-composer V3.9.0

  • your operating system and version
    WSL2.0 Ubuntu 20.04 on Windows 10

  • reproducible steps (1 2 3...) that cause the issue including any required files
    Execute "php composer.phar make-bom --exclude-dev --output-file=composer-bom.xml ./composer.json"

  • what you expected, versus what happened
    The system generates a composer-bom.xml file, but instead the system gives an error. See error and reason below.

  • any relevant screenshots and other outputs
    Output:

Validate BOM with CycloneDX\Core\Validation\Validators\XmlValidator for 1.3
ValidationError:
ValidationError: Element '{http://cyclonedx.org/schema/bom/1.3}url': '**http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception**' is not a valid value of the atomic type 'xs:anyURI'.

The drush/drush requirements tree has pear/pear_exception as a requirement.
Inside the composer.json of this module there is a URL with [] (see support->issues in the content below).

The system fails validating the output with the following message:

Validate BOM with CycloneDX\Core\Validation\Validators\XmlValidator for 1.3
ValidationError:
ValidationError: Element '{http://cyclonedx.org/schema/bom/1.3}url': 'http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception' is not a valid value of the atomic type 'xs:anyURI'.

Generating the same file with --no-validate generates the file correctly, which we merge with our NPM bom file and upload to dTrack

{
            "name": "pear/pear_exception",
            "version": "v1.0.1",
            "source": {
                "type": "git",
                "url": "https://github.com/pear/PEAR_Exception.git",
                "reference": "dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7",
                "reference": "dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7",
                "shasum": ""
            },
            "require": {
                "php": ">=4.4.0"
            },
            "require-dev": {
                "phpunit/phpunit": "*"
            },
            "type": "class",
            "extra": {
                "branch-alias": {
                    "dev-master": "1.0.x-dev"
                }
            },
            "autoload": {
                "classmap": [
                    "PEAR/"
                ]
            },
            "notification-url": "https://packagist.org/downloads/",
            "include-path": [
                "."
            ],
            "license": [
                "BSD-2-Clause"
            ],
            "authors": [
                {
                    "name": "Helgi Thormar",
                    "email": "dufuz@php.net"
                },
                {
                    "name": "Greg Beaver",
                    "email": "cellog@php.net"
                }
            ],
            "description": "The PEAR Exception base class.",
            "homepage": "https://github.com/pear/PEAR_Exception",
            "keywords": [
                "exception"
            ],
            "support": {
                "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
                "source": "https://github.com/pear/PEAR_Exception"
            },
            "time": "2019-12-10T10:24:42+00:00"
        }

jkowalleck commented Dec 2, 2021

Thank you for the error report, @uselab .
Could you drop in the composer.lock you used?

If this bug affects your workflow, you might downgrade to cyclonedx-php-composer 3.8 until a fix is ready.
Alternatively you could have cyclonedx-php-composer output as JSON - which might not have these strict validation rules.
Sorry for the inconvenience

jkowalleck added the "bug" label Dec 2, 2021

jkowalleck commented Dec 2, 2021

issue probably is caused by malformed input in the original composer.json or composer.lock file
caused by "PEAR_Exception" -> https://github.com/pear/PEAR_Exception/blob/master/composer.json

affected versions of cyclonedx-php-composer : 3.9
since the ExternalReferences are read from composer packages and put into XML - JSON not affected

how to reproduce:

  • have a malformed URI used as an ExtRef
  • unit tests possible: yes
  • demo / integration tests possible: yes

issue was forwarded to core lib: CycloneDX/cyclonedx-php-library#35

jkowalleck pinned this issue Dec 2, 2021
jkowalleck changed the title from "Atomic type xs:anyURI not accepting url with []" to "ExternalReference.url XML validation error xs:anyURI" Dec 2, 2021
jkowalleck self-assigned this Dec 2, 2021
jkowalleck added a commit to CycloneDX/cyclonedx-php-library that referenced this issue Dec 2, 2021
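
The failure discussed above can be caught before BOM generation. The following is an added example, not code from cyclonedx-php-composer or from the fix in #159: it scans package metadata for reference URLs containing characters that RFC 3986 does not allow literally after the authority (such as `[` and `]` in a query) and shows the percent-encoded form. The function names, the choice of fields scanned (`homepage` and `support`) and the sample lock data (constructed from the package entry quoted in this issue) are assumptions.

```php
<?php
declare(strict_types=1);

// Anything outside this set may not appear literally in a URI path, query or
// fragment (RFC 3986); "[" and "]" are absent because they are host-only.
const NOT_URI_CHAR = '/[^A-Za-z0-9\-._~!$&\'()*+,;=:\/?#@%]/';

/** Hypothetical helper: percent-encode disallowed bytes after the authority. */
function encodeForAnyUri(string $url): string
{
    // Keep "scheme://authority" untouched so IPv6 hosts like [::1] survive.
    $head = '';
    if (preg_match('~^([A-Za-z][A-Za-z0-9+.\-]*://[^/?#]*)(.*)$~s', $url, $m) === 1) {
        [, $head, $url] = $m;
    }
    $tail = preg_replace_callback(
        NOT_URI_CHAR,
        static fn (array $hit): string => rawurlencode($hit[0]),
        $url
    );
    return $head . ($tail ?? $url);
}

/** Hypothetical scanner: returns "package:field" => raw/encoded pairs that differ. */
function findInvalidReferenceUrls(array $lock): array
{
    $findings = [];
    foreach ($lock['packages'] ?? [] as $pkg) {
        $urls = ($pkg['support'] ?? []) + ['homepage' => $pkg['homepage'] ?? ''];
        foreach ($urls as $field => $url) {
            if (is_string($url) && ($encoded = encodeForAnyUri($url)) !== $url) {
                $findings["{$pkg['name']}:{$field}"] = ['raw' => $url, 'encoded' => $encoded];
            }
        }
    }
    return $findings;
}

// Constructed sample: a minimal composer.lock excerpt built from this issue.
$lock = ['packages' => [[
    'name' => 'pear/pear_exception',
    'homepage' => 'https://github.com/pear/PEAR_Exception',
    'support' => [
        'issues' => 'http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception',
        'source' => 'https://github.com/pear/PEAR_Exception',
    ],
]]];
foreach (findInvalidReferenceUrls($lock) as $where => $f) {
    printf("%s\n  raw:     %s\n  encoded: %s\n", $where, $f['raw'], $f['encoded']);
}
```

To scan a real project, pass `json_decode(file_get_contents('composer.lock'), true)` instead of the constructed array.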

uselab commented Dec 2, 2021

Hi @jkowalleck,

Sorry about the late reply, I added the lock file inside the zip.
Not sure if you still need it seeing you already found the same issue it seems
composer.zip

We have a temporary workaround by adding --no-validate, seeing the file is accepted by the rest of our pipeline.
Once a fix is in place and released we will update and remove the --no-validate

jkowalleck commented

tried to fix the root cause in upstream via pear/PEAR_Exception#12

jkowalleck added a commit that referenced this issue Dec 3, 2021
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Dec 3, 2021
jkowalleck added a commit that referenced this issue Dec 3, 2021
* Fixed
  * XML validation error for ExternalReference. ([#158] via [#159])
* Changed
  * The `ValidationError` message requests reporting with the "ValidationError" issue template. (via [#160])
    No template was used in the past.

[#158]: #158
[#159]: #159
[#160]: #160
jkowalleck commented

Thank you very much for reporting the issue, @uselab

The issue was reproduced and got fixed in v3.9.1 - which was released just a minute ago.

Could you update and see if a valid XML could be generated?

jkowalleck unpinned this issue Dec 6, 2021

uselab commented Dec 7, 2021

Hi @jkowalleck ,

tested and works like a charm now!
