
Incorrect URL encoding of package url (purl) #3533

Open
wbradley94 opened this issue Dec 17, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@wbradley94

Description

Specifically, when running a syft scan with the "-o spdx-json" flag, the "+" characters in the packages' referenceLocator field are incorrectly encoded as the space character %20 when they should be encoded as %2B.

This regressed in v1.14.2; looking at v1.14.1...v1.14.2 my suspicion is this change to the package-url go package: #3347.

Example: a package with "referenceLocator": "pkg:generic/SafeInt?vcs_url=git+https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad" becomes "referenceLocator": "pkg:generic/SafeInt?vcs_url=git%20https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad".

Confirmed that it is correctly encoded with "%2B" when using syft v1.14.1 or earlier.

Environment:

  • Output of syft version:
    Application: syft
    Version: 1.14.2
    BuildDate: 2024-10-21T17:20:31Z
    GitCommit: e4e985b
    GitDescription: v1.14.2
    Platform: linux/amd64
    GoVersion: go1.22.8
    Compiler: gc

  • OS (e.g: cat /etc/os-release or similar):
    NAME="Common Base Linux Mariner"
    VERSION="2.0.20241208"
    ID=mariner
    VERSION_ID="2.0"
    PRETTY_NAME="CBL-Mariner/Linux"
    ANSI_COLOR="1;34"
    HOME_URL="https://aka.ms/cbl-mariner"
    BUG_REPORT_URL="https://aka.ms/cbl-mariner"
    SUPPORT_URL="https://aka.ms/cbl-mariner"

@wbradley94 wbradley94 added the bug Something isn't working label Dec 17, 2024
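As an added illustration (not syft's or the package-url Go package's code), the program below round-trips the qualifier value from the locator above through Go's two percent-decoders. Decoding it as a form/query component turns the literal "+" into a space, which then re-encodes as %20, reproducing the symptom in the report; decoding it as a path component preserves the "+" and yields %2B. The encoder's choice to keep ":", "/" and "@" unencoded is an assumption mirroring the expected output quoted in the issue.

```go
// Added example, not syft's or packageurl-go's code: how a purl qualifier
// value round-trips through Go's two percent-decoders.
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed from the locator in the issue (raw '+', no percent-encoding).
const rawValue = "git+https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad"

// encodeQualifierValue percent-encodes a qualifier value so a literal '+'
// becomes %2B and a space %20, keeping ':', '/' and '@' readable as in the
// expected output above (assumed convention mirroring the report).
func encodeQualifierValue(v string) string {
	// QueryEscape yields %2B for '+' but '+' for ' '; fix that and restore
	// the three characters the report leaves unencoded.
	r := strings.NewReplacer("+", "%20", "%3A", ":", "%2F", "/", "%40", "@")
	return r.Replace(url.QueryEscape(v))
}

// roundTrip decodes a serialised qualifier value and re-encodes it. With
// formStyle, url.QueryUnescape applies form rules ('+' means space);
// otherwise url.PathUnescape leaves a literal '+' alone.
func roundTrip(encoded string, formStyle bool) (string, error) {
	decode := url.PathUnescape
	if formStyle {
		decode = url.QueryUnescape
	}
	decoded, err := decode(encoded)
	if err != nil {
		return "", err
	}
	return encodeQualifierValue(decoded), nil
}

func main() {
	good, _ := roundTrip(rawValue, false)
	bad, _ := roundTrip(rawValue, true)
	fmt.Println("path-style decode:", good) // git%2Bhttps://github.com/...
	fmt.Println("form-style decode:", bad)  // git%20https://github.com/...
}
```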

popey commented Dec 18, 2024

Hi @wbradley94 - thanks for filing the issue. I've tried reproducing this, but I can't craft a docker container that triggers this issue. Do you have some simple, minimal steps to reproduce the problem?

I'm interested. Have you tried a newer version of Syft? The current release is v1.18.1. I'm not suggesting it's fixed, but as I cannot craft a reproducible set of steps, this might be worthwhile.

-- Alan Pope - Director, Developer Relations. Anchore

@wbradley94
Author

Hi @popey, this can be reproduced by creating an image containing a "/usr/local/extra_sbom.spdx.json" file with a package in this format. Example extra_sbom.spdx.json and Dockerfile files are below.

extra_sbom.spdx.json

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-syft-3533",
  "name": "syft-3533-extra",
  "creationInfo": {
    "created": "2025-03-01T10:00:15Z",
    "creators": [
      "Tool: syft-1.11.0"
    ]
  },
  "documentNamespace": "https://spdx.org/spdxdocs/syft-issue-3533",
  "packages": [
    {
      "SPDXID": "SPDXRef-syft-issue-3533-Package-1",
      "name": "SafeInt",
      "versionInfo": "1619e36802d928e6d9af0ab38bcc1269ff77f1ad",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "licenseComments": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:generic/SafeInt?vcs_url=git+https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad"
        }
      ]
    }
  ]
}

Dockerfile

FROM alpine:3.21.0
COPY extra_sbom.spdx.json /usr/local/extra_sbom.spdx.json
LABEL org.opencontainers.image.source="syft3533"
LABEL org.opencontainers.image.version="1.0.0"

Then run docker build -t syft/issue-3533 . and syft scan syft/issue-3533 -o spdx-json --override-default-catalogers all --scope all-layers > spdx-syft.json.

I've confirmed that this reproduces on the latest version of syft, 1.18.1.

@wbradley94
Author

Hi @popey, is there an update on this?
I was hoping it would have been fixed in 1.19.0 after taking #3596, but it is still incorrectly encoding "+" characters as %20 instead of %2B.
