Add IRI Validation for externalReference URL (#1140)

* Adding IRI validation/filtering

Signed-off-by: Tim Messing <[email protected]>

* Run linting

Signed-off-by: Tim Messing <[email protected]>

* Add debug logging for failed IRI that fail validation

Signed-off-by: Tim Messing <[email protected]>

---------

Signed-off-by: Tim Messing <[email protected]>

Author: timmyteo

index.js

@@ -66,6 +66,7 @@ import {
   getSwiftPackageMetadata,
   getTimestamp,
   includeMavenTestScope,
+  isValidIriReference,
   parseBazelActionGraph,
   parseBazelSkyframe,
   parseBdistMetadata,
@@ -726,7 +727,9 @@ function addExternalReferences(opkg) {
       }
     }
   }
-  return externalReferences;
+  return externalReferences
+    .map((reference) => ({ ...reference, url: reference.url.trim() }))
+    .filter((reference) => isValidIriReference(reference.url));
 }
 
 /**

package.json

@@ -91,7 +91,8 @@
     "tar": "^6.2.1",
     "uuid": "^9.0.1",
     "xml-js": "^1.6.11",
-    "yargs": "^17.7.2"
+    "yargs": "^17.7.2",
+    "validate-iri": "^1.0.1"
   },
   "optionalDependencies": {
     "@appthreat/atom": "2.0.12",

pnpm-lock.yaml

@@ -1119,6 +1119,18 @@ export function addEvidenceForDotnet(pkgList: any, slicesFile: any): any;
  * @returns {Object} pkgFilesMap Object with package name and list of files
  */
 export function parseMakeDFile(dfile: string): any;
+/**
+ * Function to validate an externalReference URL for conforming to the JSON schema or bomLink
+ * https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
+ * https://datatracker.ietf.org/doc/html/rfc3987#section-2.2
+ * https://cyclonedx.org/capabilities/bomlink/
+ *
+ * @param {String} iri IRI to validate
+ *
+ * @returns {Boolean} Flag indicating whether the supplied URL is valid or not
+ *
+ */
+export function isValidIriReference(iri: string): boolean;
 export const dirNameStr: string;
 export const isWin: boolean;
 export const isMac: boolean;

types/index.d.ts.map

@@ -46,6 +46,7 @@ import {
   satisfies,
   valid,
 } from "semver";
+import { IriValidationStrategy, validateIri } from "validate-iri";
 import { xml2js } from "xml-js";
 import { getTreeWithPlugin } from "./piptree.js";
 
@@ -10593,3 +10594,27 @@ export function parseMakeDFile(dfile) {
   pkgFilesMap[pkgName] = Array.from(filesList);
   return pkgFilesMap;
 }
+
+/**
+ * Function to validate an externalReference URL for conforming to the JSON schema or bomLink
+ * https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
+ * https://datatracker.ietf.org/doc/html/rfc3987#section-2.2
+ * https://cyclonedx.org/capabilities/bomlink/
+ *
+ * @param {String} iri IRI to validate
+ *
+ * @returns {Boolean} Flag indicating whether the supplied URL is valid or not
+ *
+ */
+export function isValidIriReference(iri) {
+  const result = validateIri(iri, IriValidationStrategy.Strict);
+
+  if (result instanceof Error) {
+    if (DEBUG_MODE) {
+      console.log(`IRI failed validation ${iri}`);
+    }
+    return false;
+  }
+
+  return true;
+}

types/utils.d.ts

@@ -13,6 +13,7 @@ import {
   getNugetMetadata,
   getPyMetadata,
   guessPypiMatchingVersion,
+  isValidIriReference,
   parseBazelActionGraph,
   parseBazelBuild,
   parseBazelSkyframe,
@@ -2658,8 +2659,8 @@ test("parsePnpmLock", async () => {
     },
   });
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(643);
-  expect(parsedList.dependenciesList.length).toEqual(643);
+  expect(parsedList.pkgList.length).toEqual(644);
+  expect(parsedList.dependenciesList.length).toEqual(644);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",
@@ -4066,3 +4067,20 @@ test("parseMakeDFile tests", () => {
     ],
   });
 });
+
+test.each([
+  ["", false],
+  ["[email protected]:behat-chrome/chrome-mink-driver.git", false],
+  ["     [email protected]:behat-chrome/chrome-mink-driver.git      ", false],
+  ["${repository.url}", false],
+  // bomLink - https://cyclonedx.org/capabilities/bomlink/]
+  ["urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA", true],
+  // http uri - https://www.ietf.org/rfc/rfc7230.txt]
+  ["https://gitlab.com/behat-chrome/chrome-mink-driver.git", true],
+  ["     https://gitlab.com/behat-chrome/chrome-mink-driver.git     ", false],
+  ["http://gitlab.com/behat-chrome/chrome-mink-driver.git", true],
+  ["git+https://github.com/Alex-D/check-disk-space.git", true],
+  ["UNKNOWN", false],
+])("isValidIriReference tests: %s", (url, isValid) => {
+  expect(isValidIriReference(url)).toBe(isValid);
+});