softwareRequirements: Validate values are URL + make isUrl stricter

Without this check, users would be allowed to write free text even though Codemeta
forbids it.

We only noticed this when jsonld.js started rewriting 'foo: bar' to ' bar' because
it was parsing 'foo:' as an invalid URI scheme and stripping it.

Author: progval

cypress/integration/special_fields.js

@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2020  The Software Heritage developers
+ * Copyright (C) 2020-2024  The Software Heritage developers
  * See the AUTHORS file at the top-level directory of this distribution
  * License: GNU Affero General Public License version 3, or any later version
  * See top-level LICENSE file for more information
@@ -10,6 +10,7 @@
  */
 
 "use strict";
+
 describe('Funder id', function() {
     it('can be exported', function() {
         cy.get('#name').type('My Test Software');
@@ -88,3 +89,91 @@ describe('Funder name', function() {
     });
 });
 
+describe('Software requirements', function() {
+    it('can be exported as multiple values', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('https://www.gtk.org\nhttps://github.com/anholt/libepoxy\nhttps://github.com/GNOME/libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', '');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [
+                    "https://www.gtk.org",
+                    "https://github.com/anholt/libepoxy",
+                    "https://github.com/GNOME/libxml2",
+                ]
+            });
+    });
+
+    it('can be imported from multiple values', function() {
+        cy.get('#codemetaText').then((elem) =>
+            elem.text(JSON.stringify({
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "@type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [
+                    "https://www.gtk.org",
+                    "https://github.com/anholt/libepoxy",
+                    "https://github.com/GNOME/libxml2",
+                ]
+            }))
+        );
+        cy.get('#importCodemeta').click();
+
+        cy.get('#softwareRequirements').should('have.value', 'https://www.gtk.org\nhttps://github.com/anholt/libepoxy\nhttps://github.com/GNOME/libxml2');
+    });
+
+    it('can be exported to a single URI', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('https://github.com/GNOME/libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', '');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": "https://github.com/GNOME/libxml2",
+            });
+    });
+
+    it('can be imported from a single URI', function() {
+        cy.get('#codemetaText').then((elem) =>
+            elem.text(JSON.stringify({
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "@type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": "https://github.com/GNOME/libxml2",
+            }))
+        );
+        cy.get('#importCodemeta').click();
+
+        cy.get('#softwareRequirements').should('have.value', 'https://github.com/GNOME/libxml2');
+    });
+
+    it('cannot be exported as text', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', 'Invalid URL in field "softwareRequirements": "libxml2"');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [],
+            });
+    });
+});

js/codemeta_generation.js

@@ -98,12 +98,14 @@ const directCodemetaFields = [
     'referencePublication'
 ];
 
+// Tuples of codemeta property, character joining/splitting items in a textarea, and optionally
+// post-processing for deserialization and pre-processing for deserialization
 const splittedCodemetaFields = [
     ['keywords', ','],
     ['programmingLanguage', ','],
     ['runtimePlatform', ','],
     ['operatingSystem', ','],
-    ['softwareRequirements', '\n'],
+    ['softwareRequirements', '\n', generateUri, importUri],
     ['relatedLink', '\n'],
 ]
 
@@ -136,6 +138,17 @@ function generateBlankNodeId(customId) {
     return `_:${customId}`;
 }
 
+// Unambiguously converts a free-form text field that might be a URI or actual free text
+// in JSON-LD
+function generateUri(fieldName, text) {
+    if (isUrl(text)) {
+        return {"@id": text};
+    } else {
+        setError(`Invalid URL in field "${fieldName}": "${text}"`);
+        return undefined;
+    }
+}
+
 function generateShortOrg(fieldName) {
     var affiliation = getIfSet(fieldName);
     if (affiliation !== undefined) {
@@ -246,9 +259,15 @@ async function buildExpandedDocWithAllContexts() {
     splittedCodemetaFields.forEach(function (item, index) {
         const id = item[0];
         const separator = item[1];
-        const value = getIfSet('#' + id);
+        const serializer = item[2];
+        const deserializer = item[3];
+        let value = getIfSet('#' + id);
         if (value !== undefined) {
-            doc[id] = value.split(separator).map(trimSpaces);
+            value = value.split(separator).map(trimSpaces);
+            if (serializer !== undefined) {
+                value = value.map((item) => serializer(id, item));
+            }
+            doc[id] = value;
         }
     });
 
@@ -307,6 +326,11 @@ async function generateCodemeta(codemetaVersion = "2.0") {
     }
 }
 
+// Imports a field that can be either URI or free-form text into a free-form text field
+function importUri(fieldName, doc) {
+    return doc;
+}
+
 // Imports a single field (name or @id) from an Organization.
 function importShortOrg(fieldName, doc) {
     if (doc !== undefined) {
@@ -433,10 +457,19 @@ async function importCodemeta() {
     splittedCodemetaFields.forEach(function (item, index) {
         const id = item[0];
         const separator = item[1];
+        const serializer = item[2];
+        const deserializer = item[3];
         let value = doc[id];
         if (value !== undefined) {
             if (Array.isArray(value)) {
+                if (deserializer !== undefined) {
+                    value = value.map((item) => deserializer(id, item));
+                }
                 value = value.join(separator);
+            } else {
+                if (deserializer !== undefined) {
+                    value = deserializer(id, value);
+                }
             }
             setIfDefined('#' + id, value);
         }

js/utils.js

@@ -28,7 +28,11 @@ function trimSpaces(s) {
 // From https://stackoverflow.com/a/43467144
 function isUrl(s) {
     try {
-        new URL(s);
+        const url = new URL(s);
+        if (url.origin == "null") {
+            // forbids "foo: bar" as a URL, for example
+            return false;
+        }
         return true;
     } catch (e) {
         return false;

js/validation/things.js

@@ -217,7 +217,7 @@ var softwareFieldValidators = {
     "processorRequirements": validateTexts,
     "releaseNotes": validateTextsOrUrls,
     "softwareHelp": validateCreativeWorks,
-    "softwareRequirements": noValidation, // TODO: validate SoftwareSourceCode
+    "softwareRequirements": validateUrls,
     "softwareVersion": validateText, // TODO?
     "storageRequirements": validateTextsOrUrls,
     "supportingData": noValidation, // TODO