Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites
@ 2026-06-19  9:00 Peter Korsgaard
  2026-06-20  9:39 ` Thomas Perale via buildroot
  2026-06-21 10:36 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2026-06-19  9:00 UTC
  To: buildroot; +Cc: Thomas Perale

Commit e8c54ffb3d ("utils/generate-cyclonedx: generate vcs
externalReferences for source repos") added externalReferences to the source
code of packages.

This unfortunately causes issues with packages (in br2-external) fetching
from git using the scp-like syntax, E.G.:

 FOO_SITE_METHOD = git
 FOO_SITE = git@github.com:<project>/<repo>.git

Which ends up in the SBOM as:

[
  {
    "type": "vcs",
    "url": "git@github.com:<project>/<repo>.git",
    "comment": "git repository"
  }
]

This (correctly) causes Dependency track to reject the SBOM import with:

{
  "status": 400,
  "title": "The uploaded BOM is invalid",
  "detail": "Schema validation failed",
  "errors": [
    "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
    "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
    "$.components[2].externalReferences[0].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
   ]
}

The CycloneDX spec indeed requires a URI:

The URI (URL or URN) to the external reference.  External references are
URIs and therefore can accept any URL scheme including https (RFC-7230),
mailto (RFC-2368), tel (RFC-3966), and dns (RFC-4501)

https://cyclonedx.org/docs/1.6/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_url

The user@host:project/repo.git is a git-specific shorthand for a git-over-ssh URL. From man git-clone:

 Git supports ssh, git, http, and https protocols (in addition, ftp and ftps
 can be used for fetching, but this is inefficient and deprecated; do not use
 them).

 The native transport (i.e.  git:// URL) does no authentication and should
 be used with caution on unsecured networks.

 The following syntaxes may be used with them:

 •   ssh://[user@]host.xz[:port]/path/to/repo.git/
 •   git://host.xz[:port]/path/to/repo.git/
 •   http[s]://host.xz[:port]/path/to/repo.git/
 •   ftp[s]://host.xz[:port]/path/to/repo.git/

 An alternative scp-like syntax may also be used with the ssh protocol:

 •   [user@]host.xz:path/to/repo.git/

So convert the scp-like syntax to ssh:// URLs in parse_uris() for spec
compliance.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 utils/generate-cyclonedx | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index bade018cd4..df12ee84c0 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -280,6 +280,12 @@ def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:
         scheme, _, stripped_uri = uri.partition("+")
         if stripped_uri:
             parsed = urllib.parse.urlparse(stripped_uri)
+
+            # convert scp-style host:path site to ssh:// uri
+            if scheme == "git" and not parsed.scheme:
+                host, _, path = stripped_uri.partition(":")
+                stripped_uri = "ssh://" + host + "/" + path
+
             if parsed.hostname != "sources.buildroot.net":
                 yield scheme.split("|"), stripped_uri
 
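Review bot: the scp-like detection in this hunk relies on urlparse() reporting no scheme, and the result of the partition on ":" is never checked, so two site forms are mishandled. A shorthand without a user part, such as `github.com:project/repo.git`, is parsed by `urllib.parse.urlparse()` with scheme `github.com` (every character before the colon is a valid scheme character), so `not parsed.scheme` is false and the site is emitted unconverted; and a git site with no ":" at all passes the test and becomes `"ssh://" + site + "/"`. Suggest detecting the shorthand the way git itself does (no "://" and a ":" before any "/"): `host, sep, path = stripped_uri.partition(":")` followed by `if scheme == "git" and sep and "://" not in stripped_uri and "/" not in host:`. The comment could also state that `parsed` was computed from the unconverted string, so the `sources.buildroot.net` check below still sees `hostname` as None for the shorthand form.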
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
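As an added illustration, not code from the Buildroot generate-cyclonedx script, the Python below performs the scp-like to ssh:// conversion the commit message describes, but recognises the shorthand by git's own rule from the quoted man page (no "://", and a ":" before any "/") so that the form without a user part and plain local paths are also handled, and it shows why the raw shorthand fails a URI-reference check. The function names and the structural RFC 3986 check are assumptions of this example.

```python
import re

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# git's scp-like shorthand: optional user@, a host, then ":" before any "/"
# (assumed pattern; bracketed IPv6 hosts are deliberately not matched)
_SCP_RE = re.compile(r"^(?:(?P<user>[^@/:]+)@)?(?P<host>[^@/:]+):(?P<path>.*)$")


def looks_like_uri_reference(value: str) -> bool:
    """Approximate structural check for an RFC 3986 URI-reference.

    An absolute URI needs a syntactically valid scheme; a relative reference
    must not carry ":" in its first path segment.  'git@github.com:org/repo.git'
    fails both: "@" is not a scheme character, and the ":" sits in the first
    segment of what would otherwise be a relative reference.
    """
    if any(c.isspace() for c in value):
        return False
    if _SCHEME_RE.match(value):
        return True
    first_segment = value.split("/", 1)[0]
    return ":" not in first_segment


def scp_to_ssh_url(site: str) -> str:
    """Convert git's [user@]host:path shorthand to an ssh:// URL.

    Follows git's own detection rule instead of urlparse(): a real URL
    ("://" present) and a site with no host:path shape (e.g. a local path)
    are returned unchanged, so the rewrite cannot mangle them.
    """
    if "://" in site:
        return site
    m = _SCP_RE.match(site)
    if not m:
        return site
    user = f"{m['user']}@" if m["user"] else ""
    # Same mapping as the patch: ssh://[user@]host/path
    return f"ssh://{user}{m['host']}/{m['path']}"


def vcs_external_reference(site: str) -> dict:
    """Build the CycloneDX externalReferences entry shown in the commit message."""
    url = scp_to_ssh_url(site)
    if not looks_like_uri_reference(url):
        raise ValueError(f"not a URI-reference, SBOM import would fail: {url!r}")
    return {"type": "vcs", "url": url, "comment": "git repository"}
```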


* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites
  2026-06-19  9:00 [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites Peter Korsgaard
@ 2026-06-20  9:39 ` Thomas Perale via buildroot
  2026-06-21 10:36 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-20  9:39 UTC
  To: Peter Korsgaard; +Cc: Thomas Perale, buildroot

Hi Peter,

In reply to:
> Commit e8c54ffb3d ("utils/generate-cyclonedx: generate vcs
> externalReferences for source repos") added externalReferences to the source
> code of packages.
> 
> This unfortunately causes issues with packages (in br2-external) fetching
> from git using the scp-like syntax, E.G.:
> 
>  FOO_SITE_METHOD = git
>  FOO_SITE = git@github.com:<project>/<repo>.git
> 
> Which ends up in the SBOM as:
> 
> [
>   {
>     "type": "vcs",
>     "url": "git@github.com:<project>/<repo>.git",
>     "comment": "git repository"
>   }
> ]
> 
> This (correctly) causes Dependency track to reject the SBOM import with:
> 
> {
>   "status": 400,
>   "title": "The uploaded BOM is invalid",
>   "detail": "Schema validation failed",
>   "errors": [
>     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
>     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
>     "$.components[2].externalReferences[0].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
>    ]
> }
> 
> The CycloneDX spec indeed requires a URI:
> 
> The URI (URL or URN) to the external reference.  External references are
> URIs and therefore can accept any URL scheme including https (RFC-7230),
> mailto (RFC-2368), tel (RFC-3966), and dns (RFC-4501)
> 
> https://cyclonedx.org/docs/1.6/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_url
> 
> The user@host:project/repo.git is a git-specific shorthand for a git-over-ssh URL. From man git-clone:
> 
>  Git supports ssh, git, http, and https protocols (in addition, ftp and ftps
>  can be used for fetching, but this is inefficient and deprecated; do not use
>  them).
> 
>  The native transport (i.e.  git:// URL) does no authentication and should
>  be used with caution on unsecured networks.
> 
>  The following syntaxes may be used with them:
> 
>  •   ssh://[user@]host.xz[:port]/path/to/repo.git/
>  •   git://host.xz[:port]/path/to/repo.git/
>  •   http[s]://host.xz[:port]/path/to/repo.git/
>  •   ftp[s]://host.xz[:port]/path/to/repo.git/
> 
>  An alternative scp-like syntax may also be used with the ssh protocol:
> 
>  •   [user@]host.xz:path/to/repo.git/
> 
> So convert the scp-like syntax to ssh:// URLs in parse_uris() for spec
> compliance.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

I see that the "downloads" section from "show-info" is not tested in the
generate-cyclonedx tests yet. I will add this later.

Thanks for the detailed description!

Acked-By: Thomas Perale <thomas.perale@mind.be>

> ---
>  utils/generate-cyclonedx | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index bade018cd4..df12ee84c0 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -280,6 +280,12 @@ def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:
>          scheme, _, stripped_uri = uri.partition("+")
>          if stripped_uri:
>              parsed = urllib.parse.urlparse(stripped_uri)
> +
> +            # convert scp-style host:path site to ssh:// uri
> +            if scheme == "git" and not parsed.scheme:
> +                host, _, path = stripped_uri.partition(":")
> +                stripped_uri = "ssh://" + host + "/" + path
> +
>              if parsed.hostname != "sources.buildroot.net":
>                  yield scheme.split("|"), stripped_uri
>  
> -- 
> 2.47.3
> 


* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites
  2026-06-19  9:00 [Buildroot] [PATCH] utils/generate-cyclonedx: fixup scp-style git sites Peter Korsgaard
  2026-06-20  9:39 ` Thomas Perale via buildroot
@ 2026-06-21 10:36 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2026-06-21 10:36 UTC
  To: buildroot; +Cc: Thomas Perale

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Commit e8c54ffb3d ("utils/generate-cyclonedx: generate vcs
 > externalReferences for source repos") added externalReferences to the source
 > code of packages.

 > This unfortunately causes issues with packages (in br2-external) fetching
 > from git using the scp-like syntax, E.G.:

 >  FOO_SITE_METHOD = git
 >  FOO_SITE = git@github.com:<project>/<repo>.git

 > Which ends up in the SBOM as:

 > [
 >   {
 >     "type": "vcs",
 >     "url": "git@github.com:<project>/<repo>.git",
 >     "comment": "git repository"
 >   }
 > ]

 > This (correctly) causes Dependency track to reject the SBOM import with:

 > {
 >   "status": 400,
 >   "title": "The uploaded BOM is invalid",
 >   "detail": "Schema validation failed",
 >   "errors": [
 >     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
 >     "$.components[2].externalReferences[0].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference",
 >     "$.components[2].externalReferences[0].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
 >    ]
 > }

 > The CycloneDX spec indeed requires a URI:

 > The URI (URL or URN) to the external reference.  External references are
 > URIs and therefore can accept any URL scheme including https (RFC-7230),
 > mailto (RFC-2368), tel (RFC-3966), and dns (RFC-4501)

 > https://cyclonedx.org/docs/1.6/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_url

 > The user@host:project/repo.git is a git-specific shorthand for a git-over-ssh URL. From man git-clone:

 >  Git supports ssh, git, http, and https protocols (in addition, ftp and ftps
 >  can be used for fetching, but this is inefficient and deprecated; do not use
 >  them).

 >  The native transport (i.e.  git:// URL) does no authentication and should
 >  be used with caution on unsecured networks.

 >  The following syntaxes may be used with them:

 >  •   ssh://[user@]host.xz[:port]/path/to/repo.git/
 >  •   git://host.xz[:port]/path/to/repo.git/
 >  •   http[s]://host.xz[:port]/path/to/repo.git/
 >  •   ftp[s]://host.xz[:port]/path/to/repo.git/

 >  An alternative scp-like syntax may also be used with the ssh protocol:

 >  •   [user@]host.xz:path/to/repo.git/

 > So convert the scp-like syntax to ssh:// URLs in parse_uris() for spec
 > compliance.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard