How to deal with externalReferences which aren't URIs (e.g. git@ refs)
Problem
The externalReference in the model is limited to URIs, but according to the Maven POM schema the SCM url is a simple string!
As a user of the org.cyclonedx.bom Gradle plugin we lose the VCS information which is included in the component POM file.
Popular examples are the following components:
- https://repo1.maven.org/maven2/com/zaxxer/HikariCP/4.0.2/HikariCP-4.0.2.pom
- https://repo1.maven.org/maven2/com/zaxxer/SparseBitSet/1.2/SparseBitSet-1.2.pom
Could the schema be adapted or does it make sense to adapt the plugin to skip the BOM serialization according to the schema? The information is necessary to retrieve the sources for further processing.
Thanks a lot for your efforts!
The XML and JSON schema support URIs, of which URL is a type of URI. The schema cannot be changed as it would be a breaking change that would cause more issues than it solves.
For Maven, what is typically done is to take the URLs from the various places in the pom and test them to ensure they are valid URIs. If they are, they will be included in the CycloneDX BOM. If they're invalid, they will be skipped. You may want to open an issue on the Maven plugin repo if there's an issue with this logic.
Example:
git@github.com:aws/aws-sdk-js-crypto-helpers.git shall be normalized to
git+https://github.com/aws/aws-sdk-js-crypto-helpers.git
Normalizing this is in the scope of the SBOM generator in use, not in the scope of the CDX document standard.
Similar to https://github.com/CycloneDX/cyclonedx-node-module/issues/352
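The two behaviours described in this thread (the Maven plugin testing each pom URL for URI validity and skipping the invalid ones, and the generator-side normalization of a `git@host:path` reference into `git+https://host/path`) can be combined in one small routine. The following is an added example, not the code of the CycloneDX Gradle, Maven or node plugins: it strips Maven's `scm:<provider>:` prefix, rewrites scp-like git syntax using git's own rule (no `://` and the first `:` before the first `/`), applies a syntax-level RFC 3986 check, and emits a `vcs` externalReference only for values that survive. The assumption that the HTTPS endpoint mirrors the SSH path holds for GitHub but not for every host, and the `<scm>` block is constructed for the example, not copied from any real pom.

```javascript
// Added example (not the CycloneDX plugins' own code): turn the free-form SCM strings
// found in a Maven <scm> block into values that satisfy CycloneDX's URI-typed
// externalReference.url, and drop the ones that cannot be made valid.

// Maven <scm><connection>/<developerConnection> values carry a "scm:<provider>:" prefix
// in front of the provider-specific locator; <scm><url> usually does not.
function stripMavenScmPrefix(raw) {
  const m = /^scm:([A-Za-z0-9_-]+):(.*)$/s.exec(raw.trim());
  return m ? m[2] : raw.trim();
}

// git's own rule for scp-like syntax: "[user@]host:path" is SSH shorthand when there is
// no "://" and the first ':' comes before the first '/'.
const SCP_LIKE = /^(?:[^@\s/]+@)?([A-Za-z0-9.-]+):(?!\/\/)(\S+)$/;

function scpLikeToUri(locator) {
  const m = SCP_LIKE.exec(locator);
  if (!m) return null;
  const [, host, path] = m;
  // Assumption: the public HTTPS endpoint mirrors the SSH path (true on GitHub, not
  // guaranteed elsewhere). The "git+" prefix records the VCS type in the scheme.
  return `git+https://${host}/${path.replace(/^\/+/, '')}`;
}

// Syntax-level RFC 3986 check: a scheme, only URI-legal characters (no whitespace), and
// a non-empty host whenever the authority form ("//") is used. `new URL` additionally
// rejects anything the WHATWG parser cannot parse at all.
function isValidAbsoluteUri(s) {
  if (!/^[A-Za-z][A-Za-z0-9+.-]*:/.test(s)) return false;
  if (!/^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$/.test(s)) return false;
  try {
    const u = new URL(s);
    return !s.includes('//') || u.hostname !== '';
  } catch {
    return false;
  }
}

// Returns a valid URI string, or null when the value cannot be normalized.
function normalizeScmReference(raw) {
  const locator = stripMavenScmPrefix(raw);
  const candidate = scpLikeToUri(locator) ?? locator;
  return isValidAbsoluteUri(candidate) ? candidate : null;
}

// Build the externalReferences array for one component: one "vcs" entry per <scm> field
// that survives normalization. Invalid strings are skipped rather than emitted, which is
// the behaviour the Maven plugin reply above describes.
function scmToExternalReferences(scm) {
  const refs = [];
  for (const [field, raw] of Object.entries(scm)) {
    const url = normalizeScmReference(raw);
    if (url !== null) refs.push({ type: 'vcs', url, comment: `from <scm><${field}>` });
  }
  return refs;
}

// Constructed sample <scm> block (not copied from any real pom) covering the cases:
// scp-like SSH shorthand, an ssh:// URI that is already valid, a plain https URL, and a
// free-text value that is not a locator at all and must be dropped.
const SAMPLE_SCM = {
  connection: 'scm:git:git@github.com:aws/aws-sdk-js-crypto-helpers.git',
  developerConnection: 'scm:git:ssh://git@github.com/aws/aws-sdk-js-crypto-helpers.git',
  url: 'https://github.com/aws/aws-sdk-js-crypto-helpers',
  tag: 'see release notes',
};

function demo() {
  return scmToExternalReferences(SAMPLE_SCM);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `node` on the file prints three `vcs` references (the scp-like connection rewritten to `git+https://github.com/aws/aws-sdk-js-crypto-helpers.git`, the other two unchanged) and silently drops the `tag` value. The scp-like rewrite is deliberately applied before the validity check, so that a reference the schema would otherwise force the generator to discard is kept with its VCS information intact.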