Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Component.copyright should be escaped when serializing to XML #538

Open
nnobelis opened this issue Oct 18, 2024 · 1 comment
Open

Component.copyright should be escaped when serializing to XML #538

nnobelis opened this issue Oct 18, 2024 · 1 comment

Comments

@nnobelis
Copy link

We are running in an exception with cyclonedx-core-java version 9.1.0

org.cyclonedx.exception.GeneratorException: com.fasterxml.jackson.databind.JsonMappingException: Invalid white space character (0x1) in text to 
output (in xml 1.1, could output as a character entity) (through reference chain: org.cyclonedx.model.Bom["component"]->java.util.ArrayList[164]-
>org.cyclonedx.model.Component["copyright"]) at 
org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.writeBom(CycloneDxReporter.kt:369) at 
org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.access$generateBom(CycloneDxReporter.kt:1) at 
org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.generateBom(CycloneDxReporter.kt:394) at 
org.cyclonedx.generators.xml.BomXmlGenerator.toXmlString(BomXmlGenerator.java:131) at 
org.cyclonedx.generators.xml.BomXmlGenerator.toXML(BomXmlGenerator.java:116)

When we try to generate a CycloneDXBOM in XML. This is the BOM in JSON:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:92ccb333-391c-4224-877f-cba7ba8c372e",
  "version": 1,
  "metadata": {
    "timestamp": "2024-10-18T12:29:38Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "name": "OSS Review Toolkit",
          "version": "IDE-SNAPSHOT"
        }
      ]
    },
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },
  "components": [
    
    {
      "type": "library",
      "bom-ref": "NPM:@ort:no-license-file:1.0",
      "group": "@ort",
      "name": "no-license-file",
      "version": "1.0",
      "description": "",
      "scope": "required",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "text": {
              "contentType": "plain/text",
              "content": "Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
            }
          }
        }
      ],
      "copyright": "Portions created by the Initial Developer are Copyright (c) 2002 the Initial Developer, holder is Tim Hudson (tjh@cryptsoft.com), Objc, (c) Objv, \u0002 \u0002 \u0001A\u0002\u0002\u0001o\u0002\u0012 AB, Copyright (c)",
      "purl": "pkg:npm/%40ort/no-license-file@1.0",
      "modified": false,
      "externalReferences": [
        {
          "type": "website",
          "url": "https://github.com/oss-review-toolkit/ort"
        }
      ]
    }
  ]
}

The problem are the special characters in component.copyright.

It seems the component.evidence.copyright is handled by a special serializer EvidenceSerializer that wraps the copyright in CDATA e.g.

cyclonedx-core-java/src/test/resources/1.5/valid-evidence-1.5.xml

Line 27 in 6cfef32

<text><![CDATA[Copyright 2012 Google Inc. All Rights Reserved.]]></text>

Would it be possible to have the same handling for component.copyright ?
@nnobelis nnobelis mentioned this issue Oct 18, 2024
Closed
@nnobelis
Copy link
Author

Please note that this issue is not as trivial as adding @JacksonXmlCData to Component.copyright.

Even with it, the validation of the XML produced fails with:

org.cyclonedx.exception.ParseException: An invalid XML character (Unicode: 0x2) was found in the CDATA section.

This is because the CDATA section in XML must only contain valid XML characters : https://www.w3.org/TR/xml/#sec-cdata-sect.

Therefore, an extra sanitization is also required.

nnobelis added a commit to boschglobal/oss-review-toolkit that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
74767a5 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
nnobelis added a commit to boschglobal/oss-review-toolkit that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
d791e35 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
@nnobelis nnobelis mentioned this issue Nov 20, 2024
Merged
nnobelis added a commit to boschglobal/oss-review-toolkit that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
d26ebf0 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
nnobelis added a commit to boschglobal/oss-review-toolkit that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
fa64c17 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
nnobelis added a commit to boschglobal/oss-review-toolkit that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
970c638 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
nnobelis added a commit to oss-review-toolkit/ort that referenced this issue Nov 20, 2024
@nnobelis
fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report
5371ce8 
Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <nicolas.nobelis@bosch.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nnobelis