Incorrect URL encoding of package url (purl) #3533
Comments
Hi @wbradley94 - thanks for filing the issue. I've tried reproducing this, but I can't craft a docker container that triggers this issue. Do you have some simple, minimal steps to reproduce the problem? I'm interested. Have you tried a newer version of Syft? The current release is v1.18.1. I'm not suggesting it's fixed, but as I cannot craft a reproducible set of steps, this might be worthwhile. Also... Welcome to our community! Here are some links to help on your journey.
Hi @popey, this can be reproduced by creating an image containing a "/usr/local/extra_sbom.spdx.json" file with a package in this format. Example extra_sbom.spdx.json and Dockerfile files are below.
extra_sbom.spdx.json
Dockerfile
Then run
I've confirmed that this reproduces on the latest version of syft, 1.18.1.
Description
Specifically, when running a syft scan with the "-o spdx-json" flag, the "+" characters in the packages' referenceLocator field are incorrectly encoded as the space character %20 when they should be encoded as %2B.
This regressed in v1.14.2; looking at v1.14.1...v1.14.2, my suspicion is this change to the package-url go package: #3347.
Example: a package with "referenceLocator": "pkg:generic/SafeInt?vcs_url=git+https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad" becomes "referenceLocator": "pkg:generic/SafeInt?vcs_url=git%20https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad".
Confirmed that it is correctly encoded with "%2B" when using syft v1.14.1 or earlier.
Environment:
Output of syft version:
Application: syft
Version: 1.14.2
BuildDate: 2024-10-21T17:20:31Z
GitCommit: e4e985b
GitDescription: v1.14.2
Platform: linux/amd64
GoVersion: go1.22.8
Compiler: gc
OS (e.g. cat /etc/os-release or similar):
NAME="Common Base Linux Mariner"
VERSION="2.0.20241208"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/cbl-mariner"
BUG_REPORT_URL="https://aka.ms/cbl-mariner"
SUPPORT_URL="https://aka.ms/cbl-mariner"
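As an added illustration (not code from this issue, Syft or packageurl-go), the Go snippet below shows one decode pitfall that produces exactly the reported symptom, form-style unescaping turning "+" into a space before the value is re-encoded, alongside a post-generation check that flags a vcs_url qualifier whose scheme no longer parses. The encoder, the function names and the two sample locators are assumptions built from the values quoted in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample locators: the expected form and the regressed form from the report.
const (
	GoodLocator = "pkg:generic/SafeInt?vcs_url=git%2Bhttps://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad"
	BadLocator  = "pkg:generic/SafeInt?vcs_url=git%20https://github.com/dcleblanc/SafeInt@1619e36802d928e6d9af0ab38bcc1269ff77f1ad"
)

// EscapeQualifier (an assumed encoder, not packageurl-go's) percent-encodes only the
// characters that would break a qualifier value; ":" and "/" stay literal, as in the report.
var EscapeQualifier = strings.NewReplacer(
	"%", "%25", " ", "%20", "+", "%2B", "#", "%23", "&", "%26", "=", "%3D").Replace

// RoundTrip re-encodes an already-decoded qualifier value. With formStyle set, the value
// first goes through form-style unescaping (url.QueryUnescape), which turns "+" into " ",
// so the result carries %20 where %2B belongs: the exact symptom in the report.
func RoundTrip(decoded string, formStyle bool) (string, error) {
	unescape := url.PathUnescape // keeps "+" literal
	if formStyle {
		unescape = url.QueryUnescape // "+" becomes " "
	}
	v, err := unescape(decoded)
	if err != nil {
		return "", err
	}
	return EscapeQualifier(v), nil
}

// CheckVCSURL is a post-generation check on an SPDX referenceLocator: it pulls out the
// vcs_url qualifier, decodes it, and rejects a value whose scheme no longer parses
// (e.g. "git https"), which is how this regression shows up in a generated SBOM.
func CheckVCSURL(locator string) error {
	_, raw, ok := strings.Cut(locator, "vcs_url=")
	if !ok {
		return fmt.Errorf("no vcs_url qualifier in %q", locator)
	}
	raw, _, _ = strings.Cut(raw, "&") // stop at the next qualifier, if any
	v, err := url.PathUnescape(raw)
	if err != nil {
		return err
	}
	if u, err := url.Parse(v); err != nil || u.Scheme == "" {
		return fmt.Errorf("vcs_url %q has an invalid scheme", v)
	}
	return nil
}
```

Running CheckVCSURL over every referenceLocator in a generated SPDX document is a cheap way to catch this class of regression in CI before the SBOM is published.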