feat: improved sbom filename extension handling codeql fix

Author: Saksham-Sirohi

cve_bin_tool/sbom_manager/sbom_detection.py

@@ -3,6 +3,7 @@
 
 import json
 from typing import Optional
+from urllib.parse import urlparse
 
 import defusedxml.ElementTree as ET
 
@@ -51,15 +52,22 @@ def sbom_detection(file_path: str) -> Optional[str]:
             try:
                 tree = ET.parse(file_path)
                 root = tree.getroot()
-                namespace = (
+                namespace_uri = (
                     root.tag.split("}", 1)[0].strip("{") if "}" in root.tag else ""
                 )
 
                 # Check CycloneDX namespace
-                if "cyclonedx.org" in namespace and validate_cyclonedx(file_path):
+                parsed_uri = urlparse(namespace_uri)
+                domain = parsed_uri.netloc.lower()
+                if (
+                    domain == "cyclonedx.org" or domain.endswith(".cyclonedx.org")
+                ) and validate_cyclonedx(file_path):
                     return "cyclonedx"
                 # Check SWID by root tag and namespace
-                elif root.tag.endswith("SoftwareIdentity") and "iso/19770" in namespace:
+                elif (
+                    root.tag.endswith("SoftwareIdentity")
+                    and "iso/19770" in namespace_uri
+                ):
                     return "swid"
             except ET.ParseError as e:
                 LOGGER.debug(f"XML parsing error for {file_path}: {str(e)}")
@@ -109,15 +117,24 @@ def detect_sbom_type_from_content(file_path: str) -> Optional[str]:
             try:
                 tree = ET.parse(file_path)
                 root = tree.getroot()
-                namespace = (
+                namespace_uri = (
                     root.tag.split("}", 1)[0].strip("{") if "}" in root.tag else ""
                 )
 
-                if "cyclonedx.org" in namespace:
+                # Check CycloneDX namespace
+                parsed_cyclonedx_uri = urlparse(namespace_uri)
+                cyclonedx_domain = parsed_cyclonedx_uri.netloc.lower()
+                if cyclonedx_domain == "cyclonedx.org" or cyclonedx_domain.endswith(
+                    ".cyclonedx.org"
+                ):
                     return "cyclonedx"
-                elif "iso/19770" in namespace:
+                # Check SWID namespace
+                elif "iso/19770" in namespace_uri:
                     return "swid"
-                elif "spdx.org" in namespace:
+                # Check SPDX namespace
+                parsed_spdx_uri = urlparse(namespace_uri)
+                spdx_domain = parsed_spdx_uri.netloc.lower()
+                if spdx_domain == "spdx.org" or spdx_domain.endswith(".spdx.org"):
                     return "spdx"
             except ET.ParseError:
                 pass