CycloneDX conversion fails

[svniedner]

I get the following error message on a CycloneDx file (attached, has been renamed to .txt to make attachement possible):

docker run -v ./sboms:/cdx2spdx/sboms -it --rm cdx2spdx
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Error converinging a CycloneDX component to element: Invalid download location sindresorhus/quick-lru. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?(http://www.|https://www.|http://|https://|ssh://|git://|svn://|sftp://|ftp://)?[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(/.*)?)|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\.@-]+)|(bzr+lp:[a-zA-Z0-9.-]+))$

If I can do more to help sort this out, please let me know, I am unfortunately not a Java coder.
rocket-chat.json.txt

[goneall]

In looking at the error message and the JSON file, there is a bom-ref pkg:npm/%40alloc/quick-lru@5.2.0?package-id=b305d29f2afda9d2 with an externalReferences url value of sindresorhus/quick-lru.

The SPDX validator validates any URL reference to match a specific string pattern.

I'm not sure if this is an invalid value for CycloneDX or not.

If it is invalid, the input file should be fixed.

If it is valid, then we would need to convert the string to a format that SPDX understands.