Merge pull request #755 from DependencyTrack/port-pr-3866

Port: Fix BOM validation failing when URL contains encoded `[` and `]` characters
DependencyTrack · Jun 25, 2024 · db16305 · db16305
2 parents 3e06bdb + 3e4ebeb
commit db16305
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 13 deletions.
diff --git a/pom.xml b/pom.xml
@@ -92,7 +92,7 @@
         <lib.cpe-parser.version>2.1.0</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.3</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
-        <lib.cyclonedx-java.version>9.0.3</lib.cyclonedx-java.version>
+        <lib.cyclonedx-java.version>9.0.4</lib.cyclonedx-java.version>
         <lib.jackson.version>2.17.1</lib.jackson.version>
         <lib.jackson-databind.version>2.17.1</lib.jackson-databind.version>
         <lib.jaxb.runtime.version>2.3.6</lib.jaxb.runtime.version>
@@ -391,18 +391,6 @@
             <version>${lib.liquibase.version}</version>
         </dependency>
 
-        <!-- Xerces -->
-        <dependency>
-            <groupId>xerces</groupId>
-            <artifactId>xercesImpl</artifactId>
-            <version>2.12.2</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
         <!-- Commons Compress -->
         <dependency>
             <groupId>org.apache.commons</groupId>

diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
@@ -218,4 +218,27 @@ public void testValidateWithValidBom(final Path bomFilePath) throws Exception {
         assertThatNoException().isThrownBy(() -> validator.validate(bomBytes));
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/3831
+    public void testValidateJsonWithUrlContainingEncodedBrackets() {
+        assertThatNoException()
+                .isThrownBy(() -> validator.validate("""
+                        {
+                          "bomFormat": "CycloneDX",
+                          "specVersion": "1.5",
+                          "components": [
+                            {
+                              "type": "library",
+                              "name": "acme-library",
+                              "externalReferences": [
+                                {
+                                  "type": "website",
+                                  "url": "https://example.com/foo?bar=%5Bbaz%5D"
+                                }
+                              ]
+                            }
+                          ]
+                        }
+                        """.getBytes()));
+    }
+
 }