.vulnerabilities[].advisories[].url does not match the iri-reference pattern

[black-snow]

Description

BOM validation reports an invalid url and, in fact, trivy seems to have generated:

"url": "https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc (2.4.0)"

(an IRI must not contain spaces)

Desired Behavior

Should be a valid IRI

Actual Behavior

Invalid IRI generated

Reproduction Steps

1. set up a project containing [email protected]
2. generate an OCI image from it (fs should work, too - haven't checked)
3. run `trivy` with `--format=cyclonedx` on it and check the generated SBOM

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

It runs within our pipeline. I can debug manually if required.

Operating System

macOS, Ubuntu

Version

0.51.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

Ubuntu contains the invalid URL in their advisory.
https://github.com/aquasecurity/vuln-list/blob/88661e296323aecce7cb46f8123f9072845c2c11/ubuntu/2022/CVE-2022-29217.json#L8

[black-snow]

Dang, thanks. Any idea where to report this?

I wonder if this still classifies as a bug, though. If you ask trivy to generate a cyclonedx report and it doesn't, for whatever reason, this does taste like a bug to me. What would be a sane alternative? Fail altogether? Barely. Omitting the erroneous entry with a warning, I guess.

[black-snow]

For reference: https://ubuntu.com/security/CVE-2022-29217

[knqyf263]

If you click a reference in the Ubuntu page, it returns 404. It's a bug on their side. However, it is possible to add processing for such corrupted data on the Trivy side.

[black-snow]

As opposed to ubuntu, for debian it's done correctly.

[knqyf263]

Yes, mistake, ubuntu.

[knqyf263]

Created #6801