URI cleanup for JSON

[stevespringett]

Ensure consistency for all URI/URLs to be defined as strings that must conform to the iri-reference format.

[coderpatros]

LGTM, do we have valid/invalid tests for those?

[stevespringett]

LGTM, do we have valid/invalid tests for those?

Good point. No, but let me add that.

[stevespringett]

Valid test cases were committed with #71 which added support for hashes in references. The json test includes urls which passed validation. So in terms of backward compatibility, we should be good.

However, creating an invalid test seems to be problematic. I haven't been able to get it to properly fail. According to https://json-schema.org/understanding-json-schema/reference/string.html:

JSON Schema implementations are not required to implement this part of the specification, and many of them do not.

According to https://opis.io/json-schema/2.x/formats.html#iri-reference, the following should fail, but does not:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "publisher": "Acme Inc",
      "group": "org.example",
      "name": "mylibrary",
      "version": "1.0.0",
      "externalReferences": [
        {
          "type": "bom",
          "url": "\"\\\\\\\\WINDOWS\\\\filëßåré\""
        }
      ]
    }
  ]
}

If I change the JSON Schema to only accept uuid as the format, then validation fails like it should. I think most JSON schema validators have such a loose interpretation of iri-reference that everything basically passes. So I don't think it possible to add an invalid test case here.

[coderpatros]

Working with JSON schema is so infuriating sometimes.