2 changes: 1 addition & 1 deletion lib/utils/sbom-cyclonedx.js
Expand Up @@ -76,7 +76,7 @@ const toCyclonedxItem = (node, { packageType }) => {
// Calculate purl from package spec
let spec = npa(node.pkgid)
spec = (spec.type === 'alias') ? spec.subSpec : spec
const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${encodeURIComponent(node.resolved)}` : '')

if (node.package) {
const toNormalize = new PackageJson()
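Review bot: The purl assembly on the changed line is duplicated verbatim in lib/utils/sbom-spdx.js (this PR had to apply the same one-token fix in both places), so the encoding rule can silently drift the next time only one side is edited; consider moving the three lines from `let spec = npa(node.pkgid)` through the `vcs_url` qualifier into one shared helper that both SBOM writers call. Separately, when `isGitNode(node)` is true but `node.resolved` is unset, `encodeURIComponent(undefined)` yields the literal string `undefined` and the output becomes `?vcs_url=undefined`; this is pre-existing rather than introduced here, and presumably git nodes always carry `resolved`, but if that is not guaranteed a condition of `isGitNode(node) && node.resolved` would omit the qualifier instead of emitting a bogus one. toCyclonedxItem starts and ends outside this hunk.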
2 changes: 1 addition & 1 deletion lib/utils/sbom-spdx.js
Expand Up @@ -109,7 +109,7 @@ const toSpdxItem = (node, { packageType }) => {
// Calculate purl from package spec
let spec = npa(node.pkgid)
spec = (spec.type === 'alias') ? spec.subSpec : spec
const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${encodeURIComponent(node.resolved)}` : '')

/* For workspace nodes, use the location from their linkNode */
let location = node.location
2 changes: 1 addition & 1 deletion tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
Expand Up @@ -417,7 +417,7 @@ exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - from git url > must
"version": "1.0.0",
"scope": "required",
"author": "Author",
"purl": "pkg:npm/root@1.0.0?vcs_url=https://github.com/foo/bar#1234",
"purl": "pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar%231234",
"properties": [],
"externalReferences": [
{
2 changes: 1 addition & 1 deletion tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
Expand Up @@ -414,7 +414,7 @@ exports[`test/lib/utils/sbom-spdx.js TAP single node - from git url > must match
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/root@1.0.0?vcs_url=https://github.com/foo/bar#1234"
"referenceLocator": "pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar%231234"
}
]
}
11 changes: 11 additions & 0 deletions test/lib/utils/sbom-cyclonedx.js
Expand Up @@ -257,6 +257,17 @@ t.test('single node - from git url', t => {
t.end()
})

t.test('git url with special chars is encoded into the vcs_url qualifier', t => {
const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar.git?a=b&c=d#1234' }
const res = cyclonedxOutput({ npm, nodes: [node] })
const { purl } = res.metadata.component
// everything after vcs_url= must be a single percent-encoded value, so the
// committish/query can't leak out as an extra purl qualifier or subpath
t.equal(purl, 'pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar.git%3Fa%3Db%26c%3Dd%231234')
t.notMatch(purl.split('vcs_url=')[1], /[#&]/)
t.end()
})

t.test('single node - no package info', t => {
const node = { ...root, package: undefined }
const res = cyclonedxOutput({ npm, nodes: [node] })
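Review bot: The delimiter assertion on the `t.notMatch` line only rejects `#` and `&`, but `?` and `=` are purl-significant as well (`?` opens the qualifier list and `=` splits key from value), so a regression that left either of them raw in the value would still pass this check; tighten it to `t.notMatch(purl.split('vcs_url=')[1], /[#&?=]/)`. The expected string on the `t.equal` line already shows those characters as `%3F` and `%3D`, so the stricter regex passes against the current implementation. The same assertion appears in test/lib/utils/sbom-spdx.js and should get the same change.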
11 changes: 11 additions & 0 deletions test/lib/utils/sbom-spdx.js
Expand Up @@ -223,6 +223,17 @@ t.test('single node - from git url', t => {
t.end()
})

t.test('git url with special chars is encoded into the vcs_url qualifier', t => {
const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar.git?a=b&c=d#1234' }
const res = spdxOutput({ npm, nodes: [node] })
const purl = res.packages
.find(p => p.SPDXID === 'SPDXRef-Package-root-1.0.0')
.externalRefs.find(r => r.referenceType === 'purl').referenceLocator
t.equal(purl, 'pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar.git%3Fa%3Db%26c%3Dd%231234')
t.notMatch(purl.split('vcs_url=')[1], /[#&]/)
t.end()
})

t.test('single node - linked', t => {
const node = { ...root, isLink: true, target: { edgesOut: [] } }
const res = spdxOutput({ npm, nodes: [node] })