fix(cyclonedx): trim non-URL info for advisory.url (#6952)

Author: DmitriyLewen

pkg/sbom/cyclonedx/marshal.go

@@ -3,6 +3,7 @@ package cyclonedx
 import (
 	"context"
 	"fmt"
+	"net/url"
 	"slices"
 	"sort"
 	"strconv"
@@ -332,6 +333,10 @@ func (*Marshaler) affects(ref, version string) cdx.Affects {
 func (*Marshaler) advisories(refs []string) *[]cdx.Advisory {
 	refs = lo.Uniq(refs)
 	advs := lo.FilterMap(refs, func(ref string, _ int) (cdx.Advisory, bool) {
+		// There are cases when `ref` contains extra info
+		// But we need to use only URL.
+		// cf. https://github.com/aquasecurity/trivy/issues/6801
+		ref = trimNonUrlInfo(ref)
 		return cdx.Advisory{URL: ref}, ref != ""
 	})
 
@@ -345,6 +350,17 @@ func (*Marshaler) advisories(refs []string) *[]cdx.Advisory {
 	return &advs
 }
 
+// trimNonUrlInfo returns first valid URL.
+func trimNonUrlInfo(ref string) string {
+	ss := strings.Split(ref, " ")
+	for _, s := range ss {
+		if u, err := url.Parse(s); err == nil && u.Scheme != "" && u.Host != "" {
+			return s
+		}
+	}
+	return ""
+}
+
 func (m *Marshaler) marshalVulnerability(bomRef string, vuln core.Vulnerability) *cdx.Vulnerability {
 	v := &cdx.Vulnerability{
 		ID:          vuln.ID,

pkg/sbom/cyclonedx/marshal_test.go

@@ -847,8 +847,8 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 										},
 									},
 									References: []string{
-										"http://www.openwall.com/lists/oss-security/2022/02/11/5",
-										"https://access.redhat.com/security/cve/CVE-2022-23633",
+										"  extraPrefix http://www.openwall.com/lists/oss-security/2022/02/11/5",
+										"https://access.redhat.com/security/cve/CVE-2022-23633 (extra suffix)",
 									},
 									PublishedDate:    lo.ToPtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
 									LastModifiedDate: lo.ToPtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),