CycloneDX BOM validation fails when URLs contain %-encoded '[' and ']' characters - Reopen

[CPlusPlus17]

Current Behavior

The fix #3831 is no longer in the 4.12.x branch.

Steps to Reproduce

See #3831

Expected Behavior

See #3831

Dependency-Track Version

4.12.2

Dependency-Track Distribution

Container Image

Database Server

Microsoft SQL Server

Database Server Version

N/A

Browser

Microsoft Edge

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

The fix is in the 4.12.x branch, and so is the test verifying it:

dependency-track/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java

Lines 227 to 248 in 5716b02

	@Test // https://github.com/DependencyTrack/dependency-track/issues/3831
	public void testValidateJsonWithUrlContainingEncodedBrackets() {
	assertThatNoException()
	.isThrownBy(() -> validator.validate("""
	{
	"bomFormat": "CycloneDX",
	"specVersion": "1.5",
	"components": [
	{
	"type": "library",
	"name": "acme-library",
	"externalReferences": [
	{
	"type": "website",
	"url": "https://example.com/foo?bar=%5Bbaz%5D"
	}
	]
	}
	]
	}
	""".getBytes()));
	}

What is the URL that fails validation for you, and what exactly does the validation error say?

[CPlusPlus17]

Sorry took my a time to catch the sbom out of the CI/CD pipeline.

merged_final.json

Cook receipt:

docker sbom --format cyclonedx-json --output ta_container.json
dotnet-CycloneDX -o ccdx -j -f ta.json
cyclonedx-linux-x64 merge --input-files ./ccdx/ta.json ta_container.json --output-file merged_final.json