Fix VcpkgComponent purl construction for names containing slashes (#1752)

JamieMagee · web-flow · commit 8f1a8b6ac65b · 2026-03-31T16:44:26.000Z
* Fix VcpkgComponent throwing on names with slashes

VcpkgComponent.PackageUrl built purl strings by interpolating
this.Name directly, e.g. $"pkg:vcpkg/{this.Name}@{this.Version}".
Vcpkg SPDX entries can have names like "google/brotli", which the
parser then misinterprets as namespace/name path segments. Names
with consecutive slashes cause an "empty segment" exception.

Use the PackageUrl component constructor instead, which treats
the name as a single component and percent-encodes it properly.

* Add regression test
diff --git a/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs b/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs
@@ -1,6 +1,7 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Contracts.TypedComponent;
 
+using System.Collections.Generic;
 using System.Text.Json.Serialization;
 using PackageUrl;
 
@@ -53,18 +54,11 @@ public override PackageUrl PackageUrl
     {
         get
         {
-            if (this.PortVersion > 0)
-            {
-                return new PackageUrl($"pkg:vcpkg/{this.Name}@{this.Version}?port_version={this.PortVersion}");
-            }
-            else if (this.Version != null)
-            {
-                return new PackageUrl($"pkg:vcpkg/{this.Name}@{this.Version}");
-            }
-            else
-            {
-                return new PackageUrl($"pkg:vcpkg/{this.Name}");
-            }
+            var qualifiers = this.PortVersion > 0
+                ? new SortedDictionary<string, string> { { "port_version", this.PortVersion.ToString() } }
+                : null;
+
+            return new PackageUrl("vcpkg", null, this.Name, this.Version, qualifiers, null);
         }
     }
 
diff --git a/test/Microsoft.ComponentDetection.Detectors.Tests/VcpkgComponentDetectorTests.cs b/test/Microsoft.ComponentDetection.Detectors.Tests/VcpkgComponentDetectorTests.cs
@@ -150,6 +150,59 @@ public async Task TestTinyxmlAndResourceAsync()
         sbomComponent.DownloadLocation.Should().Be("git+https://github.com/leethomason/tinyxml2");
     }
 
+    [TestMethod]
+    public async Task TestResourceWithSlashInNameProducesValidPackageUrlAsync()
+    {
+        var spdxFile = """
+            {
+                "SPDXID": "SPDXRef-DOCUMENT",
+                "documentNamespace": "https://spdx.org/spdxdocs/brotli-x64-windows",
+                "name": "brotli:x64-windows@1.0.9",
+                "packages": [
+                    {
+                        "name": "brotli",
+                        "SPDXID": "SPDXRef-port",
+                        "versionInfo": "1.0.9#0",
+                        "downloadLocation": "git+https://github.com/Microsoft/vcpkg#ports/brotli",
+                        "licenseConcluded": "NOASSERTION",
+                        "licenseDeclared": "NOASSERTION",
+                        "copyrightText": "NOASSERTION"
+                    },
+                    {
+                        "SPDXID": "SPDXRef-resource-1",
+                        "name": "google/brotli",
+                        "downloadLocation": "git+https://github.com/google/brotli@1.0.9",
+                        "licenseConcluded": "NOASSERTION",
+                        "licenseDeclared": "NOASSERTION",
+                        "copyrightText": "NOASSERTION"
+                    }
+                ]
+            }
+            """;
+        var (scanResult, componentRecorder) = await this
+            .detectorTestUtility.WithFile("vcpkg.spdx.json", spdxFile)
+            .ExecuteDetectorAsync();
+
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        var components = detectedComponents.ToList();
+
+        components.Should().HaveCount(2);
+
+        var resourceComponent = (VcpkgComponent)components
+                .First(c => ((VcpkgComponent)c.Component).SPDXID == "SPDXRef-resource-1")
+                .Component;
+        resourceComponent.Name.Should().Be("google/brotli");
+        resourceComponent.Version.Should().Be("1.0.9");
+
+        // This was the bug: names with slashes caused MalformedPackageUrlException
+        var purl = resourceComponent.PackageUrl;
+        purl.Should().NotBeNull();
+        purl.ToString().Should().Contain("vcpkg");
+        purl.ToString().Should().Contain("brotli");
+    }
+
     [TestMethod]
     public async Task TestBlankJsonAsync()
     {
