Replies: 1 comment
-
"pkg:maven/org.apache.commons:[email protected]" is not a valid PURL; please check the link below to find more details about the PURL. I think you may have to raise the issue with Xray/JFrog to fix this issue. https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
-
Hello,
I am attempting to add my CycloneDX BOM generated from JFrog Artifactory Xray. We are using Maven packages and when the SBOM is generated, the pURL seems to be in an incorrect format.
When the SBOM is generated, each dependency has a format of, e.g.:
pkg:maven/org.apache.commons:[email protected]
When the proper format that is expected by DependencyTrack (and the pURL spec) is supposed to be like:
pkg:maven/org.apache.commons/[email protected]
I have not found a way to modify this through the Artifactory Repository Layout option or any other option. When passing in this SBOM, no pURLs are being added to my components, therefore showing no vulnerabilities. I've searched these discussions and the documentation and haven't found a solution to this.
Does anyone else working with Maven, Artifactory, and Xray have any sort of input or experience with this?
Or is there an option in DependencyTrack to accept this different format?
Any help would be greatly appreciated.
Thank you,
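One way to work around the malformed pURLs described in this thread is to rewrite them in the CycloneDX JSON before uploading it. The following is an added example, not code from Dependency-Track or JFrog; the function names are hypothetical and the sample BOM is constructed and trimmed to the relevant fields.

```python
import json

MAVEN_PREFIX = "pkg:maven/"

def fix_maven_purl(purl):
    """Rewrite pkg:maven/group:artifact@ver as pkg:maven/group/artifact@ver."""
    # Non-Maven purls (and non-string values) are returned unchanged.
    if not isinstance(purl, str) or not purl.startswith(MAVEN_PREFIX):
        return purl
    rest = purl[len(MAVEN_PREFIX):]
    # Set qualifiers (?...) and subpath (#...) aside so they are never edited.
    cut = min((i for i in (rest.find("?"), rest.find("#")) if i != -1), default=len(rest))
    coords, tail = rest[:cut], rest[cut:]
    # The version follows the last '@'; a purl without a version has none.
    path, at, version = coords.rpartition("@")
    if not at:
        path, version = coords, ""
    # Touch only the malformed shape: one ':' and no '/' between group and artifact.
    group, sep, artifact = path.partition(":")
    if "/" in path or not (group and sep and artifact) or ":" in artifact:
        return purl
    return f"{MAVEN_PREFIX}{group}/{artifact}{at}{version}{tail}"

def fix_bom(node):
    """Fix every 'purl' field in a parsed CycloneDX JSON BOM, in place.
    Returns the number of values rewritten; 'bom-ref' values are left alone."""
    changed = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "purl":
                fixed = fix_maven_purl(value)
                changed += fixed != value
                node[key] = fixed
            else:
                changed += fix_bom(value)
    elif isinstance(node, list):
        changed = sum(fix_bom(item) for item in node)
    return changed

# Constructed sample BOM (coordinates are made up for this example).
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "demo-lib", "purl": "pkg:maven/com.example:demo-lib@1.0.0",
     "components": [{"name": "inner", "purl": "pkg:maven/com.example:inner@2.1?type=jar"}]},
    {"name": "ok-lib", "purl": "pkg:maven/com.example/ok-lib@3.0"},
    {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0"}]}

if __name__ == "__main__":
    print(fix_bom(SAMPLE_BOM), "purl(s) rewritten")
    print(json.dumps(SAMPLE_BOM, indent=2))
```

A rewrite count of zero on a BOM that still shows no vulnerabilities after upload points to a cause other than the separator.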