Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: remove purl decoding #590

Merged
merged 2 commits into from
Sep 29, 2023
Merged

fix: remove purl decoding #590

merged 2 commits into from
Sep 29, 2023

Conversation

misl-smlz
Copy link
Contributor

this breaks PackageURL.fromString from packageurl-js when the version contains e.g. a +

fixes #589

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

@heubeck, what do you think about this PR? Could you kindly check your workflow?

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

@misl-smlz, could you kindly sign your commit by following the below instructions?

https://github.com/CycloneDX/cdxgen/pull/590/checks?check_run_id=17208798805

@prabhu prabhu requested a review from cerrussell September 28, 2023 08:18
@misl-smlz
fix: remove purl decoding
8057804 
this breaks PackageURL.fromString from packageurl-js when the version contains e.g. a +

Signed-off-by: Michael Seele <michael.seele@schmalz.de>
@heubeck
Copy link
Contributor

heubeck commented Sep 28, 2023
edited
Loading

@heubeck, what do you think about this PR? Could you kindly check your workflow?

one process in our app is feeding the cdxgen-erated sbom into grype which has a lot false-positives for npm packages, which I believe comes from the %... notations in the purl.
so in fact, I believe this change may solve the issue.

My automated tests are fine, I'll manually do some testing around that grype issue and come back

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

@heubeck, what do you think about this PR? Could you kindly check your workflow?

one process in our app is feeding the cdxgen-erated sbom into grype which has a lot false-positives for npm packages, which I believe comes from the %... notations in the purl. so in fact, I believe this change may solve the issue.

My workflow is checking our tests, I'll manually do some testing around that grype issue and come back

% is the encoded form which is the correct way to represent "@" character in purl. This PR removes double-decoding which is the opposite issue. Still will be an interesting test.

@heubeck
Copy link
Contributor

heubeck commented Sep 28, 2023
edited
Loading

% is the encoded form which is the correct way to represent "@" character in purl. This PR removes double-decoding which is the opposite issue. Still will be an interesting test.

yeah, first look was too quick ;)
maybe it's also time to annoy grype with the issue

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

% is the encoded form which is the correct way to represent "@" character in purl. This PR removes double-decoding which is the opposite issue. Still will be an interesting test.

yeah, first look was too quick ;) maybe it's also time to annoy grype with the issue

Please also try depscan btw in case you haven't for the false positives issue.

@heubeck
Copy link
Contributor

heubeck commented Sep 28, 2023

Ok, grype behaves the same with sboms generated from cdxgen origin or this change.
so fine for me.

Please also try depscan btw in case you haven't for the false positives issue.

I'll do, thx.

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

@misl-smlz, if you run the npm test locally, you can find the two places where the count needs to be bumped up.

@misl-smlz
Copy link
Contributor Author

misl-smlz commented Sep 28, 2023
edited
Loading

@prabhu I'll run the repotests.yml in my own repo to make sure everything works as expected. Once that's done, I'll come back and you can start the pipelines here again.

@misl-smlz
chore: add a few rust repotests
0e67ae3 
Signed-off-by: Michael Seele <michael.seele@schmalz.de>
@misl-smlz
Copy link
Contributor Author

@prabhu I've finished adding rust repos to the test pipeline. Looks good so far.

@prabhu
Copy link
Collaborator

prabhu commented Sep 28, 2023

@misl-smlz, I will do more testing and merge it tonight or tomorrow. Thank you so much for your help!

@prabhu prabhu merged commit 5403a46 into CycloneDX:master Sep 29, 2023
setchy pushed a commit to setchy/cdxgen that referenced this pull request Oct 3, 2023
@misl-smlz @setchy
fix: remove purl decoding (CycloneDX#590)
2c9a23f 
* fix: remove purl decoding

this breaks PackageURL.fromString from packageurl-js when the version contains e.g. a +

Signed-off-by: Michael Seele <michael.seele@schmalz.de>

* chore: add a few rust repotests

Signed-off-by: Michael Seele <michael.seele@schmalz.de>

---------

Signed-off-by: Michael Seele <michael.seele@schmalz.de>
Signed-off-by: Adam Setch <adam.setch@outlook.com>
@prabhu
Copy link
Collaborator

prabhu commented Oct 6, 2023

It appears there is a scenario with node.js that required this decode workaround. I will try to fix the node bug properly instead of reverting this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cerrussell cerrussell Awaiting requested review from cerrussell

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cargo (rust) purl's are not encoded correctly
3 participants
@misl-smlz @prabhu @heubeck