Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Thomas Perale <thomas.perale@mind.be>
Subject: Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites
Date: Sun, 21 Jun 2026 12:36:49 +0200	[thread overview]
Message-ID: <87eci0b2ny.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20260619090027.3145553-1-peter@korsgaard.com> (Peter Korsgaard's message of "Fri, 19 Jun 2026 11:00:26 +0200")

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Commit e8c54ffb3d ("utils/generate-cyclonedx: generate vcs
 > externalReferences for source repos") added externalReferences to the source
 > code of packages.

 > This unfortunately causes issues with packages (in br2-external) fetching
 > from git using the scp-like syntax, E.G.:

 >  FOO_SITE_METHOD = git
 >  FOO_SITE = git@github.com:<project>/<repo>.git

 > Which ends up in the SBOM as:

 > [
 >   {
 >     "type": "vcs",
 >     "url": "git@github.com:<project>/<repo>.git",
 >     "comment": "git repository"
 >   }
 > ]

 > This (correctly) causes Dependency track to reject the SBOM import with:

 > {
 >   "status": 400,
 >   "title": "The uploaded BOM is invalid",
 >   "detail": "Schema validation failed",
 >   "errors": [
 >     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
 >     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
 >     "$.components[2].externalReferences[0].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
 >    ]
 > }

 > The CycloneDX spec indeed requires a URI:

 > The URI (URL or URN) to the external reference.  External references are
 > URIs and therefore can accept any URL scheme including https (RFC-7230),
 > mailto (RFC-2368), tel (RFC-3966), and dns (RFC-4501)

 > https://cyclonedx.org/docs/1.6/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_url

 > The user@host:project/repo.git is a git-specific shorthand for a git-over-ssh URL. From man git-clone:

 >  Git supports ssh, git, http, and https protocols (in addition, ftp and ftps
 >  can be used for fetching, but this is inefficient and deprecated; do not use
 >  them).

 >  The native transport (i.e.  git:// URL) does no authentication and should
 >  be used with caution on unsecured networks.

 >  The following syntaxes may be used with them:

 >  •   ssh://[user@]host.xz[:port]/path/to/repo.git/
 >  •   git://host.xz[:port]/path/to/repo.git/
 >  •   http[s]://host.xz[:port]/path/to/repo.git/
 >  •   ftp[s]://host.xz[:port]/path/to/repo.git/

 >  An alternative scp-like syntax may also be used with the ssh protocol:

 >  •   [user@]host.xz:path/to/repo.git/

 > So convert the scp-like syntax to ssh:// URLs in parse_uris() for spec
 > compliance.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot