Illegal character '\' generation in CycloneDX-XML. #918
Comments
Thanks for the bug @PatrickYanZ! Do you happen to have the input you used to generate these malformed properties or a public image you can reproduce this with? I'll take a look to see if I can find one, but it's always easier when we're using roughly the same input that was used to produce the initial bug.
Sorry to jump in on this, but I am having the same issue. Try the image node:15, which will generate this:
These last 2 lines are not correct (& should be
Related to golang/go#16604. Maybe it should be
Filed an issue there: CycloneDX/cyclonedx-go#31
... and created a PR fixing this: CycloneDX/cyclonedx-go#32
Thanks @derkoe! I'll track that PR and pull in the new version when merged.
Fixes anchore#918 (XML encoding problem)

Signed-off-by: Christian Köberl <christian.koeberl@porscheinformatik.com>
This was closed since the PR was merged, but just wanted to reopen and check the output so we can validate the fix.
It looks like even on main I'm still seeing the illegal character @derkoe it looks like I'll also check and see if there are other places that need this update.
@spiffcs Backslashes do not have to be escaped in XML AFAIK. Here's a minimal example to reproduce this using the CycloneDX CLI (which is what @PatrickYanZ used as well):

```xml
<!-- bom.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <properties>
      <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>\,_roland_shoemaker_\<rolandshoemaker\@gmail_com\>:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
    </properties>
  </metadata>
</bom>
```

```
$ cyclonedx convert --input-file bom.xml --output-format json
Unhandled exception: System.InvalidOperationException: There is an error in XML document (5, 68).
---> System.Xml.XmlException: The '\' character, hexadecimal value 0x5C, cannot be included in a name. Line 5, position 68.
...
```
The error message is a bit misleading, as

```xml
<!-- bom.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <properties>
      <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\&lt;bkafle662\@gmail_com\&gt;\,_roland_shoemaker_\&lt;rolandshoemaker\@gmail_com\&gt;:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
    </properties>
  </metadata>
</bom>
```

```
$ cyclonedx convert --input-file bom.xml --output-format json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "licenses": [],
    "properties": [
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bibek_kafle_\\\u003Cbkafle662\\@gmail_com\\\u003E\\,_roland_shoemaker_\\\u003Crolandshoemaker\\@gmail_com\\\u003E:python_commonmark:0.9.1:*:*:*:*:*:*:*"
      }
    ]
  },
  "vulnerabilities": []
}
```

So to me it looks like this issue has indeed been fixed.
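The escaping point made in the comment above, as an added Go example that is not code from syft or cyclonedx-go: a CycloneDX property built by string concatenation leaves a raw `<` in element content and fails to parse (the parser tries to read `\<bkafle662\@...` as a start tag), while encoding/xml escapes `<`, `>` and `&` and leaves the backslash untouched. The Property struct and the sample cpe23 value are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Property mirrors a CycloneDX <property> element: the key is the name
// attribute, the value is the element's text content.
type Property struct {
	XMLName xml.Name `xml:"property"`
	Name    string   `xml:"name,attr"`
	Value   string   `xml:",chardata"`
}

// Constructed sample, shaped like the syft:cpe23 value from this issue.
const sampleCPE = `cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>:python_commonmark:0.9.1:*:*:*:*:*:*:*`

// naiveProperty builds the element by string concatenation, as a generator
// that forgets XML escaping would: the '<' lands in text content unescaped.
func naiveProperty(name, value string) string {
	return fmt.Sprintf(`<property name="%s">%s</property>`, name, value)
}

// escapedProperty lets encoding/xml escape markup characters (< > &) in the
// content; backslashes are not touched because XML does not reserve them.
func escapedProperty(name, value string) (string, error) {
	out, err := xml.Marshal(Property{Name: name, Value: value})
	return string(out), err
}

// roundTrip parses a fragment back with the strict default decoder and
// returns the recovered value, so callers can compare it with the original.
func roundTrip(fragment string) (string, error) {
	var p Property
	if err := xml.Unmarshal([]byte(fragment), &p); err != nil {
		return "", err
	}
	return p.Value, nil
}

func main() {
	_, err := roundTrip(naiveProperty("syft:cpe23", sampleCPE))
	fmt.Println("naive fragment parses:", err == nil, "error:", err)
	good, _ := escapedProperty("syft:cpe23", sampleCPE)
	fmt.Println(good)
	v, err := roundTrip(good)
	fmt.Println("escaped fragment round-trips:", err == nil && v == sampleCPE)
	fmt.Println("backslash kept literal:", strings.Contains(good, `\&lt;`))
}
```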
Yes. Anyway, the issue of invalid CycloneDX XML files is solved.
The backslashes are required because characters like
What happened:
2. Some property name is

```
Processing input file bom-image.xml
Unhandled exception: System.InvalidOperationException: There is an error in XML document (1500, 70).
---> System.Xml.XmlException: The '\' character, hexadecimal value 0x5C, cannot be included in a name. Line 1500, position 70.
at System.Xml.XmlTextReaderImpl.Throw(Exception )
at System.Xml.XmlTextReaderImpl.Throw(String , String[] )
at System.Xml.XmlTextReaderImpl.ParseElement()
at System.Xml.XmlTextReaderImpl.ParseElementContent()
at System.Xml.XmlReader.ReadString()
at System.Xml.XmlTextReaderImpl.ReadString()
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read25_Property(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read30_Component(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read50_Bom(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read51_bom()
--- End of inner exception stack trace ---
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
at CycloneDX.Xml.Serializer.Deserialize(MemoryStream xmlStream)
at CycloneDX.Xml.Serializer.Deserialize(Stream xmlStream)
at CycloneDX.Cli.CliUtils.InputBomHelper(String filename, CycloneDXBomFormat format)
at CycloneDX.Cli.Commands.MergeCommand.InputBoms(IEnumerable`1 inputFilenames, CycloneDXBomFormat inputFormat, Boolean outputToConsole)
at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<b__0>d.MoveNext()
```
What you expected to happen:
Convert email to a recognized name. Remove illegal characters in the name.
How to reproduce it (as minimally and precisely as possible):
```
syft packages ${CI_REGISTRY_IMAGE}:${CI_DEFAULT_BRANCH} -o cyclonedx=bom-image.xml
```
Anything else we need to know?:
Environment:
- syft version: 0.42.3
- OS (cat /etc/os-release or similar): Linux