Fixes Invalid SBoM created when projects uses ssh

Move out the purl logic and add tests for it. Also add support for Bitbucket PURLs

Author: spoorcc

CHANGELOG.rst

@@ -2,6 +2,7 @@ Release 0.11.0 (unreleased)
 ====================================
 
 * Don't show animation when running in CI (#702)
+* Improve logic for creating Purls in SBoM (#780)
 
 Release 0.10.0 (released 2025-03-12)
 ====================================

dfetch/reporting/sbom_reporter.py

@@ -16,8 +16,7 @@
 """
 
 import json
-import re
-from typing import List, cast
+from typing import cast
 
 from cyclonedx.model import (
     ExternalReference,
@@ -31,18 +30,15 @@
 from cyclonedx.output import get_instance
 from cyclonedx.output.json import Json
 from cyclonedx.schema import OutputFormat
-from packageurl import PackageURL
 
-import dfetch.util.util
+import dfetch.util.purl
 from dfetch.manifest.project import ProjectEntry
 from dfetch.reporting.reporter import Reporter
 
 
 class SbomReporter(Reporter):
     """Reporter for generating SBoM's."""
 
-    url_splitter = re.compile(r"([^\/)]+)")
-    github_url = re.compile(r"github.com\/(?P<group>.+)\/(?P<repo>[^\s\.]+)[\.]?")
     dfetch_tool = Tool(vendor="dfetch-org", name="dfetch", version=dfetch.__version__)
 
     name = "SBoM"
@@ -56,56 +52,31 @@ def add_project(
         self, project: ProjectEntry, license_name: str, version: str
     ) -> None:
         """Add a project to the report."""
-        match = self.github_url.search(project.remote_url)
-        if match:
-            component = Component(
-                name=project.name,
-                version=version,
-                type=ComponentType.LIBRARY,
-                purl=PackageURL(
-                    type="github",
-                    name=match.group("repo"),
-                    version=version,
-                    namespace=match.group("group"),
-                    subpath=project.source or None,
-                ),
-            )
-        else:
-            parts = self._split_url(project.remote_url)
-            component = Component(
-                name=project.name,
-                version=version,
-                type=ComponentType.LIBRARY,
-                purl=PackageURL(
-                    type="generic",
-                    version=version,
-                    qualifiers=f"download_url={project.remote_url}",
-                    namespace="/".join(parts),
-                    subpath=project.source or None,
-                    name=project.name,
-                ),
-                group="/".join(parts),
-            )
+        purl = dfetch.util.purl.remote_url_to_purl(
+            project.remote_url, version=version, subpath=project.source or None
+        )
+
+        component = Component(
+            name=project.name,
+            version=version,
+            type=ComponentType.LIBRARY,
+            purl=purl,
+        )
+
+        if purl.type not in ["github", "bitbucket"]:
+            component.group = purl.namespace
+
             component.external_references.add(
                 ExternalReference(
                     type=ExternalReferenceType.VCS,
-                    url=XsUri(project.remote_url),
+                    url=XsUri(purl.qualifiers.get("vcs_url", "")),
                 )
             )
 
         if license_name:
             component.licenses.add(LicenseChoice(expression=license_name))
         self._bom.components.add(component)
 
-    @staticmethod
-    def _split_url(url: str) -> List[str]:
-        """Split the url in elements."""
-        return [
-            part.group()
-            for part in SbomReporter.url_splitter.finditer(url)
-            if not part.group().endswith(":")  # Skip protocol specifiers
-        ]
-
     def dump_to_file(self, outfile: str) -> bool:
         """Dump the SBoM to file."""
         output_format = OutputFormat(

dfetch/util/purl.py

@@ -0,0 +1,175 @@
+"""Module to convert remote URLs to valid Package URLs (PURLs).
+
+Supports: GitHub, Bitbucket, SVN, SSH paths, and more.
+"""
+
+import re
+from typing import Optional
+from urllib.parse import urlparse
+
+from packageurl import PackageURL
+from tldextract import TLDExtract
+
+NO_FETCH_EXTRACT = TLDExtract(suffix_list_urls=())
+SSH_REGEX = re.compile(
+    r"^(?:git@|git\+ssh://git@)(?P<host>[^/:]+)[:/](?P<path>.+?)(?:\.git)?$"
+)
+
+GITHUB_REGEX = re.compile(
+    r".*github\.com(?::\d+)?[:/](?P<org>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?$",
+    re.IGNORECASE,
+)
+
+BITBUCKET_REGEX = re.compile(
+    r".*bitbucket\.org(?::\d+)?[:/](?P<org>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?$",
+    re.IGNORECASE,
+)
+
+
+def _handle_github(
+    remote_url: str,
+    _: str,
+    version: Optional[str],
+    subpath: Optional[str],
+) -> Optional[PackageURL]:
+    """Handler for GitHub URLs."""
+    match = GITHUB_REGEX.match(remote_url)
+    if match:
+        return PackageURL(
+            type="github",
+            namespace=match.group("org"),
+            name=match.group("repo"),
+            version=version,
+            subpath=subpath,
+        )
+    return None
+
+
+def _handle_bitbucket(
+    remote_url: str,
+    _: str,
+    version: Optional[str],
+    subpath: Optional[str],
+) -> Optional[PackageURL]:
+    """Handler for Bitbucket URLs."""
+    match = BITBUCKET_REGEX.match(remote_url)
+    if match:
+        return PackageURL(
+            type="bitbucket",
+            namespace=match.group("org"),
+            name=match.group("repo"),
+            version=version,
+            subpath=subpath,
+        )
+    return None
+
+
+def _handle_svn(
+    remote_url: str,
+    path: str,
+    version: Optional[str],
+    subpath: Optional[str],
+) -> Optional[PackageURL]:
+    """Handler for SVN URLs."""
+    parsed = urlparse(remote_url)
+    if "svn" in parsed.scheme or "svn." in parsed.netloc:
+        domain = NO_FETCH_EXTRACT(parsed.netloc).domain
+
+        parts: list[str] = [domain]
+        if path:
+            parts.extend(path.split("/"))
+        name = parts[-1] if parts else "unknown"
+        namespace = "/".join(parts[:-1])
+
+        return PackageURL(
+            type="generic",
+            namespace=namespace,
+            name=name,
+            version=version,
+            qualifiers={"vcs_url": remote_url},
+            subpath=subpath,
+        )
+    return None
+
+
+def _handle_ssh(
+    remote_url: str,
+    path: str,
+    version: Optional[str],
+    subpath: Optional[str],
+) -> Optional[PackageURL]:
+    """Handler for SSH URLs."""
+    match = SSH_REGEX.match(remote_url)
+    if match:
+        domain = NO_FETCH_EXTRACT(match.group("host")).domain
+
+        parts: list[str] = []
+        if domain not in ["gitlab", "gitea", "gitee"]:
+            parts.append(domain)
+
+        path = match.group("path")
+        if path:
+            parts.extend(path.replace(".git", "").split("/"))
+        name = parts[-1] if parts else "unknown"
+        namespace = "/".join(parts[:-1])
+        return PackageURL(
+            type="generic",
+            namespace=namespace,
+            name=name,
+            version=version,
+            qualifiers={"vcs_url": remote_url},
+            subpath=subpath,
+        )
+    return None
+
+
+def _handle_generic(
+    remote_url: str,
+    path: str,
+    version: Optional[str],
+    subpath: Optional[str],
+) -> PackageURL:
+    """Fallback handler for generic URLs."""
+    domain = NO_FETCH_EXTRACT(remote_url).domain
+
+    parts: list[str] = []
+    if domain not in ["gitlab", "gitea", "gitee"]:
+        parts.append(domain)
+
+    if path:
+        parts.extend(path.replace(".git", "").split("/"))
+    name = parts[-1] if parts else "unknown"
+    namespace = "/".join(parts[:-1])
+    return PackageURL(
+        type="generic",
+        namespace=namespace,
+        name=name,
+        version=version,
+        qualifiers={"vcs_url": remote_url},
+        subpath=subpath,
+    )
+
+
+def remote_url_to_purl(
+    remote_url: str, version: Optional[str] = None, subpath: Optional[str] = None
+) -> PackageURL:
+    """Convert a remote URL to a valid PackageURL object.
+
+    Supports GitHub, Bitbucket, SVN, SSH paths.
+    Optionally specify version and subpath.
+    """
+    parsed = urlparse(remote_url)
+    path = parsed.path.lstrip("/")
+
+    handlers: list = [
+        _handle_github,
+        _handle_bitbucket,
+        _handle_svn,
+        _handle_ssh,
+    ]
+    for handler in handlers:
+        result: Optional[PackageURL] = handler(remote_url, path, version, subpath)
+        if result is not None:
+            return result
+
+    return _handle_generic(remote_url, path, version, subpath)

doc/legal.rst

@@ -489,3 +489,41 @@ Sarif-om
     LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     SOFTWARE
+
+TLDExtract
+~~~~~~~~~~
+`TLDExtract`_ is used for extracting the top-level domain from URLs.
+
+::
+
+    BSD 3-Clause License
+
+    Copyright (c) 2013-2025, John Kurkowski
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice, this
+    list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+    3. Neither the name of the copyright holder nor the names of its
+    contributors may be used to endorse or promote products derived from
+    this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+    DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+    SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+    CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+    OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+.. _`TLDExtract`: https://github.com/john-kurkowski/tldextract

pyproject.toml

@@ -49,6 +49,7 @@ dependencies = [
     "typing-extensions==4.7.1; python_version <= '3.7.0'",
     "typing-extensions==4.13.2; python_version <= '3.8.0'",
     "typing-extensions==4.15.0; python_version > '3.8.0'",
+    "tldextract==5.3.0",
     "sarif-om==1.0.4",
     "semver==3.0.4",
     "patch-ng==1.18.1",