[BUG] repository with git ssh url end up violating CycloneDX json schema

## Describe the bug

For projects that have a git SSH url in the `repository` section, this url ends up as `externalReference` in the generated SBOM.
This is URL violates the JSON schema `iri-reference`. We ran into this in [DependencyTrack](https://github.com/DependencyTrack/dependency-track/issues/3885)

## To Reproduce

Add a git ssh url to your `repository` section in the `package.json`

```
  "repository": {
    "type": "git",
    "url": "git@gitlab.dontcare.com:group/repo.git"
  },
```

## Expected behavior

Although the input URL doesn't adhere to the `iri-reference` spec, it might be possible to convert these urls into a `git+ssh://...` style url. Similar to what is already done for known saas hosting platforms via https://www.npmjs.com/package/hosted-git-info

## Screenshots or output-paste

Generated bom output:

```
 "externalReferences": [
        {
          "type": "vcs",
          "url": "git@gitlab.dontcare.com:group/repo.git",
          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
        },
```

## Environment

- _@cyclonedx/cyclonedx-npm_ version: 1.19.0
- NPM version: 9.4.0
- Node version: 19.6.0
- OS: Ubuntu 22.04LTS



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] repository with git ssh url end up violating CycloneDX json schema #1198

valentijnscholten
openedon Jun 28, 2024

Describe the bug

To Reproduce

Expected behavior

Screenshots or output-paste

Environment

Assignees

Labels

Type

Projects

Milestone

Relationships

Development