Validation of sbom file fails when externalReferences url is ssh from GitHub

[owegelid]

cyclonedx validate fails when metadata.component.externalReferences[0].url is pointing to a url like this:

• ssh://git@github.com:my-org/my-repo.git

If I change the : after github.com to /, then the validation works.

I did put an issue on cyclonedx-gradle-plugin but according to them this is a valid format.
More information in the issue:

• Validation of sbom file fails for Git VCS url when the remote is using ssh from GitHub cyclonedx-gradle-plugin#615

To Reproduce

1. Set the externalReferences[0].url to ssh://git@github.com:my-org/my-repo.git like this:

bom.json:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.6",
  "serialNumber" : "urn:uuid:3877e445-1356-42b3-b11e-b0e2d46e87e7",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2025-05-15T09:32:44Z",
    "tools" : {
      "components" : [
        {
          "type" : "application",
          "author" : "CycloneDX",
          "name" : "cyclonedx-gradle-plugin",
          "version" : "2.3.0"
        }
      ],
      "services" : [ ]
    },
    "component" : {
      "type" : "application",
      "externalReferences" : [
        {
          "type" : "vcs",
          "url" : "ssh://git@github.com:my-org/my-repo.git"
        }
      ]
    },
  },
...

3. Validate the SBOM file:

$ cyclonedx --version
0.27.2+f934c99826339cb8dbb83b439eb2c465fb253fb3

$ cyclonedx validate --input-file bom.json 
Validation failed:
Value does not match format "iri-reference"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/url/anyOf/0
On instance: /metadata/component/externalReferences/0/url:
ssh://git@github.com:my-org/my-repo.git
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.6.schema.json#/definitions/bomLinkDocumentType
On instance: /metadata/component/externalReferences/0/url:
ssh://git@github.com:my-org/my-repo.git
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.6.schema.json#/definitions/bomLinkElementType
On instance: /metadata/component/externalReferences/0/url:
ssh://git@github.com:my-org/my-repo.git
Unable to validate against any JSON schemas.
BOM is not valid.

[andreas-hilti]

I'm not sure whether ssh://git@github.com:my-org/my-repo.git is in indeed a valid iri-reference reference.
One would need to dig deep into:
https://datatracker.ietf.org/doc/html/rfc3987

In any case, the validation that the cli uses comes directly from JsonSchema.Net. In other words, if it needs to be fixed, it needs to be fixed there.

http://pypi.python.org/pypi/rfc3987 also declares it as invalid:

from rfc3987 import parse
parse('ssh://git@github.com:my-org/my-repo.git', rule='IRI')

gives

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "[...]\site-packages\rfc3987.py", line 462, in parse
    raise ValueError('%r is not a valid %r.' % (string, rule))
ValueError: 'ssh://git@github.com:my-org/my-repo.git' is not a valid 'IRI'.

It doesn't like the part starting from the second colon, i.e. this works:
parse('ssh://git@github.com', rule='IRI')
gives
{'scheme': 'ssh', 'authority': 'git@github.com', 'path': '', 'query': None, 'fragment': None}

[owegelid]

Thank you for the investigation.

I tried to take a look in the spec and found this:

When authority is present, the path must either be empty or begin with a slash ("/") character.

• https://datatracker.ietf.org/doc/html/rfc3986#section-3

I also tried to validate the URI with https://0mg.github.io/tools/uri/. ssh://git@github.com:my-org/my-repo.git is NOT valid with the : but works when using a / instead (ssh://git@github.com/my-org/my-repo.git).

Without knowing a lot about the spec of the format, it feels like the validation is correct and that the URI with the : is invalid...