Port: Fix BOM validation failing when URL contains encoded [ and ] characters

pom.xml

@@ -92,7 +92,7 @@
         <lib.cpe-parser.version>2.1.0</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.3</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
-        <lib.cyclonedx-java.version>8.0.3</lib.cyclonedx-java.version>
+        <lib.cyclonedx-java.version>9.0.4</lib.cyclonedx-java.version>
         <lib.jackson.version>2.17.1</lib.jackson.version>
         <lib.jackson-databind.version>2.17.1</lib.jackson-databind.version>
         <lib.jaxb.runtime.version>2.3.6</lib.jaxb.runtime.version>
@@ -391,18 +391,6 @@
             <version>${lib.liquibase.version}</version>
         </dependency>
 
-        <!-- Xerces -->
-        <dependency>
-            <groupId>xerces</groupId>
-            <artifactId>xercesImpl</artifactId>
-            <version>2.12.2</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
         <!-- Commons Compress -->
         <dependency>
             <groupId>org.apache.commons</groupId>

src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXExporter.java

@@ -18,9 +18,9 @@
  */
 package org.dependencytrack.parser.cyclonedx;
 
-import org.cyclonedx.BomGeneratorFactory;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.Version;
 import org.cyclonedx.exception.GeneratorException;
+import org.cyclonedx.generators.BomGeneratorFactory;
 import org.cyclonedx.model.Bom;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Finding;
@@ -95,10 +95,12 @@ private Bom create(List<Component>components, final List<ServiceComponent> servi
     }
 
     public String export(final Bom bom, final Format format) throws GeneratorException {
+        // TODO: The output version should be user-controllable.
+
         if (Format.JSON == format) {
-            return BomGeneratorFactory.createJson(CycloneDxSchema.VERSION_LATEST, bom).toJsonString();
+            return BomGeneratorFactory.createJson(Version.VERSION_15, bom).toJsonString();
         } else {
-            return BomGeneratorFactory.createXml(CycloneDxSchema.VERSION_LATEST, bom).toXmlString();
+            return BomGeneratorFactory.createXml(Version.VERSION_15, bom).toXmlString();
         }
     }
 

src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java

@@ -23,7 +23,7 @@
 import com.fasterxml.jackson.core.JsonToken;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import org.codehaus.stax2.XMLInputFactory2;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.Version;
 import org.cyclonedx.exception.ParseException;
 import org.cyclonedx.parsers.JsonParser;
 import org.cyclonedx.parsers.Parser;
@@ -45,12 +45,14 @@
 import static org.cyclonedx.CycloneDxSchema.NS_BOM_13;
 import static org.cyclonedx.CycloneDxSchema.NS_BOM_14;
 import static org.cyclonedx.CycloneDxSchema.NS_BOM_15;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_10;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_11;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_12;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_13;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_14;
-import static org.cyclonedx.CycloneDxSchema.Version.VERSION_15;
+import static org.cyclonedx.CycloneDxSchema.NS_BOM_16;
+import static org.cyclonedx.Version.VERSION_10;
+import static org.cyclonedx.Version.VERSION_11;
+import static org.cyclonedx.Version.VERSION_12;
+import static org.cyclonedx.Version.VERSION_13;
+import static org.cyclonedx.Version.VERSION_14;
+import static org.cyclonedx.Version.VERSION_15;
+import static org.cyclonedx.Version.VERSION_16;
 
 /**
  * @since 4.11.0
@@ -93,7 +95,7 @@ public void validate(final byte[] bomBytes) {
 
     private FormatAndVersion detectFormatAndSchemaVersion(final byte[] bomBytes) {
         try {
-            final CycloneDxSchema.Version version = detectSchemaVersionFromJson(bomBytes);
+            final Version version = detectSchemaVersionFromJson(bomBytes);
             return new FormatAndVersion(Format.JSON, version);
         } catch (JsonParseException e) {
             if (LOGGER.isDebugEnabled()) {
@@ -104,7 +106,7 @@ private FormatAndVersion detectFormatAndSchemaVersion(final byte[] bomBytes) {
         }
 
         try {
-            final CycloneDxSchema.Version version = detectSchemaVersionFromXml(bomBytes);
+            final Version version = detectSchemaVersionFromXml(bomBytes);
             return new FormatAndVersion(Format.XML, version);
         } catch (XMLStreamException e) {
             if (LOGGER.isDebugEnabled()) {
@@ -115,7 +117,7 @@ private FormatAndVersion detectFormatAndSchemaVersion(final byte[] bomBytes) {
         throw new InvalidBomException("BOM is neither valid JSON nor XML");
     }
 
-    private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomBytes) throws IOException {
+    private Version detectSchemaVersionFromJson(final byte[] bomBytes) throws IOException {
         try (final com.fasterxml.jackson.core.JsonParser jsonParser = jsonMapper.createParser(bomBytes)) {
             JsonToken currentToken = jsonParser.nextToken();
             if (currentToken != JsonToken.START_OBJECT) {
@@ -125,7 +127,7 @@ private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomByte
                         .formatted(JsonToken.START_OBJECT.asString(), currentTokenAsString));
             }
 
-            CycloneDxSchema.Version schemaVersion = null;
+            Version schemaVersion = null;
             while (jsonParser.nextToken() != null) {
                 final String fieldName = jsonParser.getCurrentName();
                 if ("specVersion".equals(fieldName)) {
@@ -138,6 +140,7 @@ private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomByte
                             case "1.3" -> VERSION_13;
                             case "1.4" -> VERSION_14;
                             case "1.5" -> VERSION_15;
+                            case "1.6" -> VERSION_16;
                             default ->
                                     throw new InvalidBomException("Unrecognized specVersion %s".formatted(specVersion));
                         };
@@ -153,12 +156,12 @@ private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomByte
         }
     }
 
-    private CycloneDxSchema.Version detectSchemaVersionFromXml(final byte[] bomBytes) throws XMLStreamException {
+    private Version detectSchemaVersionFromXml(final byte[] bomBytes) throws XMLStreamException {
         final XMLInputFactory xmlInputFactory = XMLInputFactory2.newFactory();
         final var bomBytesStream = new ByteArrayInputStream(bomBytes);
         final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(bomBytesStream);
 
-        CycloneDxSchema.Version schemaVersion = null;
+        Version schemaVersion = null;
         while (xmlStreamReader.hasNext()) {
             if (xmlStreamReader.next() == XMLEvent.START_ELEMENT) {
                 if (!"bom".equalsIgnoreCase(xmlStreamReader.getLocalName())) {
@@ -177,6 +180,7 @@ private CycloneDxSchema.Version detectSchemaVersionFromXml(final byte[] bomBytes
                         case NS_BOM_13 -> VERSION_13;
                         case NS_BOM_14 -> VERSION_14;
                         case NS_BOM_15 -> VERSION_15;
+                        case NS_BOM_16 -> VERSION_16;
                         default -> null;
                     };
                 }
@@ -202,7 +206,7 @@ private enum Format {
         XML
     }
 
-    private record FormatAndVersion(Format format, CycloneDxSchema.Version version) {
+    private record FormatAndVersion(Format format, Version version) {
     }
 
 }

src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java

@@ -32,6 +32,7 @@
 import org.cyclonedx.model.Metadata;
 import org.cyclonedx.model.Swid;
 import org.cyclonedx.model.Tool;
+import org.cyclonedx.model.license.Expression;
 import org.dependencytrack.model.Analysis;
 import org.dependencytrack.model.AnalysisJustification;
 import org.dependencytrack.model.AnalysisResponse;
@@ -226,9 +227,9 @@ public static Component convertComponent(final org.cyclonedx.model.Component cdx
         }
 
         final var licenseCandidates = new ArrayList<org.cyclonedx.model.License>();
-        if (cdxComponent.getLicenseChoice() != null) {
-            if (cdxComponent.getLicenseChoice().getLicenses() != null) {
-                cdxComponent.getLicenseChoice().getLicenses().stream()
+        if (cdxComponent.getLicenses() != null) {
+            if (cdxComponent.getLicenses().getLicenses() != null) {
+                cdxComponent.getLicenses().getLicenses().stream()
                         .filter(license -> isNotBlank(license.getId()) || isNotBlank(license.getName()))
                         .peek(license -> {
                             // License text can be large, but we don't need it for further processing. Drop it.
@@ -237,12 +238,13 @@ public static Component convertComponent(final org.cyclonedx.model.Component cdx
                         .forEach(licenseCandidates::add);
             }
 
-            if (isNotBlank(cdxComponent.getLicenseChoice().getExpression())) {
+            final Expression licenseExpression = cdxComponent.getLicenses().getExpression();
+            if (licenseExpression != null && isNotBlank(licenseExpression.getValue())) {
                 // If the expression consists of just one license ID, add it as another option.
                 final var expressionParser = new SpdxExpressionParser();
-                final SpdxExpression expression = expressionParser.parse(cdxComponent.getLicenseChoice().getExpression());
+                final SpdxExpression expression = expressionParser.parse(licenseExpression.getValue());
                 if (!SpdxExpression.INVALID.equals(expression)) {
-                    component.setLicenseExpression(trim(cdxComponent.getLicenseChoice().getExpression()));
+                    component.setLicenseExpression(trim(licenseExpression.getValue()));
 
                     if (expression.getSpdxLicenseId() != null) {
                         final var expressionLicense = new org.cyclonedx.model.License();
@@ -254,7 +256,7 @@ public static Component convertComponent(final org.cyclonedx.model.Component cdx
                     LOGGER.warn("""
                             Encountered invalid license expression "%s" for \
                             Component{group=%s, name=%s, version=%s, bomRef=%s}; Skipping\
-                            """.formatted(cdxComponent.getLicenseChoice().getExpression(), component.getGroup(),
+                            """.formatted(cdxComponent.getLicenses().getExpression(), component.getGroup(),
                             component.getName(), component.getVersion(), component.getBomRef()));
                 }
             }
@@ -626,28 +628,30 @@ public static org.cyclonedx.model.Component convert(final QueryManager qm, final
             cycloneComponent.addHash(new Hash(Hash.Algorithm.SHA3_512, component.getSha3_512()));
         }
 
-        final LicenseChoice licenseChoice = new LicenseChoice();
+        final LicenseChoice licenses = new LicenseChoice();
         if (component.getResolvedLicense() != null) {
             final org.cyclonedx.model.License license = new org.cyclonedx.model.License();
             license.setId(component.getResolvedLicense().getLicenseId());
             license.setUrl(component.getLicenseUrl());
-            licenseChoice.addLicense(license);
-            cycloneComponent.setLicenseChoice(licenseChoice);
+            licenses.addLicense(license);
+            cycloneComponent.setLicenses(licenses);
         } else if (component.getLicense() != null) {
             final org.cyclonedx.model.License license = new org.cyclonedx.model.License();
             license.setName(component.getLicense());
             license.setUrl(component.getLicenseUrl());
-            licenseChoice.addLicense(license);
-            cycloneComponent.setLicenseChoice(licenseChoice);
+            licenses.addLicense(license);
+            cycloneComponent.setLicenses(licenses);
         } else if (StringUtils.isNotEmpty(component.getLicenseUrl())) {
             final org.cyclonedx.model.License license = new org.cyclonedx.model.License();
             license.setUrl(component.getLicenseUrl());
-            licenseChoice.addLicense(license);
-            cycloneComponent.setLicenseChoice(licenseChoice);
+            licenses.addLicense(license);
+            cycloneComponent.setLicenses(licenses);
         }
         if (component.getLicenseExpression() != null) {
-            licenseChoice.setExpression(component.getLicenseExpression());
-            cycloneComponent.setLicenseChoice(licenseChoice);
+            final var licenseExpression = new Expression();
+            licenseExpression.setValue(component.getLicenseExpression());
+            licenses.setExpression(licenseExpression);
+            cycloneComponent.setLicenses(licenses);
         }
 
         if (component.getExternalReferences() != null && !component.getExternalReferences().isEmpty()) {

src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

@@ -29,8 +29,8 @@
 import org.apache.commons.collections4.MultiValuedMap;
 import org.apache.commons.collections4.multimap.HashSetValuedHashMap;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.cyclonedx.BomParserFactory;
 import org.cyclonedx.exception.ParseException;
+import org.cyclonedx.parsers.BomParserFactory;
 import org.cyclonedx.parsers.Parser;
 import org.datanucleus.flush.FlushMode;
 import org.datanucleus.store.query.QueryNotUniqueException;

src/main/java/org/dependencytrack/tasks/VexUploadProcessingTask.java

@@ -23,7 +23,7 @@
 import alpine.event.framework.Subscriber;
 import alpine.notification.Notification;
 import alpine.notification.NotificationLevel;
-import org.cyclonedx.BomParserFactory;
+import org.cyclonedx.parsers.BomParserFactory;
 import org.cyclonedx.parsers.Parser;
 import org.dependencytrack.event.VexUploadEvent;
 import org.dependencytrack.event.kafka.KafkaEventDispatcher;

src/main/java/org/dependencytrack/util/VulnerabilityPolicyUtil.java

@@ -64,7 +64,7 @@ public class VulnerabilityPolicyUtil {
     static {
         try {
             schema = JsonSchemaFactory.builder(JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V202012))
-                    .objectMapper(MAPPER).build()
+                    .jsonMapper(MAPPER).build()
                     .getSchema(resourceToString("/schema/vulnerability-policy-v1.schema.json", StandardCharsets.UTF_8));
         } catch (IOException e) {
             LOGGER.error("Exception occurred while creating schema for YAML validation", e);

src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporterTest.java

@@ -19,7 +19,7 @@
 package org.dependencytrack.parser.cyclonedx;
 
 import org.assertj.core.api.Assertions;
-import org.cyclonedx.BomParserFactory;
+import org.cyclonedx.parsers.BomParserFactory;
 import org.dependencytrack.PersistenceCapableTest;
 import org.dependencytrack.model.Analysis;
 import org.dependencytrack.model.AnalysisJustification;

src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java

@@ -18,12 +18,26 @@
  */
 package org.dependencytrack.parser.cyclonedx;
 
+import junitparams.JUnitParamsRunner;
+import junitparams.Parameters;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.nio.file.FileSystems;
+import java.nio.file.FileVisitResult;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.PathMatcher;
+import java.nio.file.Paths;
+import java.nio.file.SimpleFileVisitor;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.util.ArrayList;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatNoException;
 
+@RunWith(JUnitParamsRunner.class)
 public class CycloneDxValidatorTest {
 
     private CycloneDxValidator validator;
@@ -176,4 +190,55 @@ public void testValidateJsonWithSpecVersionAtTheBottom() {
                         """.getBytes()));
     }
 
+    @SuppressWarnings("unused")
+    private Object[] testValidateWithValidBomParameters() throws Exception {
+        final PathMatcher pathMatcherJson = FileSystems.getDefault().getPathMatcher("glob:**/valid-bom-*.json");
+        final PathMatcher pathMatcherXml = FileSystems.getDefault().getPathMatcher("glob:**/valid-bom-*.xml");
+        final var bomFilePaths = new ArrayList<Path>();
+
+        Files.walkFileTree(Paths.get("./src/test/resources/unit/cyclonedx"), new SimpleFileVisitor<>() {
+            @Override
+            public FileVisitResult visitFile(final Path file, final BasicFileAttributes attrs) {
+                if (pathMatcherJson.matches(file) || pathMatcherXml.matches(file)) {
+                    bomFilePaths.add(file);
+                }
+
+                return FileVisitResult.CONTINUE;
+            }
+        });
+
+        return bomFilePaths.stream().sorted().toArray();
+    }
+
+    @Test
+    @Parameters(method = "testValidateWithValidBomParameters")
+    public void testValidateWithValidBom(final Path bomFilePath) throws Exception {
+        final byte[] bomBytes = Files.readAllBytes(bomFilePath);
+
+        assertThatNoException().isThrownBy(() -> validator.validate(bomBytes));
+    }
+
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/3831
+    public void testValidateJsonWithUrlContainingEncodedBrackets() {
+        assertThatNoException()
+                .isThrownBy(() -> validator.validate("""
+                        {
+                          "bomFormat": "CycloneDX",
+                          "specVersion": "1.5",
+                          "components": [
+                            {
+                              "type": "library",
+                              "name": "acme-library",
+                              "externalReferences": [
+                                {
+                                  "type": "website",
+                                  "url": "https://example.com/foo?bar=%5Bbaz%5D"
+                                }
+                              ]
+                            }
+                          ]
+                        }
+                        """.getBytes()));
+    }
+
 }