
refactor(sbom): disable html escaping for CycloneDX #5764

Merged

Conversation

DmitriyLewen (Contributor)

Description

Disable HTML escaping for CycloneDX.
Purl has already escaped all the necessary characters:
https://github.com/package-url/packageurl-go/blob/fe183c1943ec36f257fae7143e160978217104b6/packageurl.go#L369-L394

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Dec 11, 2023
@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 11, 2023 07:07
@knqyf263 (Collaborator) left a comment

I'm worried that disabling HTML escape has any side effects. For example, the description may have special characters.

@DmitriyLewen (Contributor Author) commented Dec 11, 2023

By default, the encoding/json package escapes special characters (for JSON).
e.g.:
vulnerability description: `jQuery before 3.4.0, as used" in Drupal`
result: `jQuery before 3.4.0, as used\" in Drupal`

Do you think this is not enough?

@knqyf263 (Collaborator)

So, why does CycloneDX apply HTML-escaping by default? Meaningless for us?

@ben-spiller

CycloneDX doesn't apply HTML escaping. The Package URL format is based on URL syntax/escaping, not HTML syntax/escaping, so any use of additional HTML escaping after the URL was generated makes it invalid and non-conformant with the specification.
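The behaviour discussed in the two comments above, as an added example (not Trivy's own code, and the `component` struct here is a constructed stand-in for Trivy's CycloneDX types): Go's `encoding/json` encoder escapes `<`, `>` and `&` to `\u003c`, `\u003e` and `\u0026` unless `SetEscapeHTML(false)` is called, while JSON-significant characters such as `"` are escaped either way. The purl and description values are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// component is a minimal stand-in for a CycloneDX component entry
// (assumed field shape; not Trivy's own type).
type component struct {
	Name        string `json:"name"`
	Purl        string `json:"purl"`
	Description string `json:"description,omitempty"`
}

// encode serialises c with encoding/json. escapeHTML selects the encoder's
// SetEscapeHTML setting; true is the package default.
func encode(c component, escapeHTML bool) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(escapeHTML)
	if err := enc.Encode(c); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

// roundTrip decodes an encoded component and returns the purl it carries,
// showing that a conforming JSON parser yields the same string either way.
func roundTrip(encoded string) (string, error) {
	var c component
	if err := json.Unmarshal([]byte(encoded), &c); err != nil {
		return "", err
	}
	return c.Purl, nil
}

func main() {
	c := component{
		Name: "jquery",
		// Constructed purl with two qualifiers joined by '&'.
		Purl:        "pkg:npm/jquery@3.3.1?repository_url=https://registry.npmjs.org&arch=amd64",
		Description: `jQuery before 3.4.0, as used" in Drupal`,
	}
	for _, esc := range []bool{true, false} {
		s, err := encode(c, esc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("escapeHTML=%v: %s\n", esc, s)
	}
}
```

With the default setting the purl's qualifier separator is emitted as `\u0026`; with escaping disabled it stays a literal `&`, and the `"` in the description is still written as `\"` in both cases. The difference is confined to the serialized text, which is what matters for tooling that inspects or compares the raw document rather than the decoded value.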

@DmitriyLewen (Contributor Author)

I didn't find info on why we need to escape HTML characters.

I checked CycloneDX examples and component descriptions contain non-escaped characters - https://github.com/CycloneDX/bom-examples/blob/7d529848e2f8bd65d03aec9eab16f139fd445ff4/SBOM/juice-shop/via_npm/flat/bom.1.4.json#L50746

I asked about this in the Slack channel - https://cycledx.slack.com/archives/C01PZRT73K9/p1702444970519159.
Let's wait for an answer.

@DmitriyLewen (Contributor Author)

Looks like we can merge this PR - https://cyclonedx.slack.com/archives/C01PZRT73K9/p1702549347993479?thread_ts=1702526083.019229&cid=C01PZRT73K9

@knqyf263 (Collaborator) left a comment

Thanks for confirming!

@knqyf263 knqyf263 added this pull request to the merge queue Dec 17, 2023
Merged via the queue into aquasecurity:main with commit df49ea4 Dec 17, 2023
12 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/unescape-html-cyclonedx branch December 18, 2023 04:21
juan131 pushed a commit to juan131/trivy that referenced this pull request Dec 19, 2023
Successfully merging this pull request may close these issues.

Invalid & qualifier escaping in purl of CycloneDX JSON