Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failure on SBOM from cdxgen 11.0.0 #2263

Open
metametadata opened this issue Nov 16, 2024 · 3 comments
Open

Failure on SBOM from cdxgen 11.0.0 #2263

metametadata opened this issue Nov 16, 2024 · 3 comments
Assignees
@spiffcs
Labels
bug Something isn't working

Comments

@metametadata
Copy link

metametadata commented Nov 16, 2024
edited
Loading

What happened:

failed to catalog: unable to decode sbom: unable to decode cyclonedx json document: json: cannot unmarshal array into Go struct field Evidence.components.evidence.identity of type cyclonedx.EvidenceIdentity

What you expected to happen:

No error.

How to reproduce it (as minimally and precisely as possible):

Use cdxgen 11.0.0 to generate an SBOM from pom.xml:

CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0    http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>com.mysql</groupId>
      <artifactId>mysql-connector-j</artifactId>
      <version>9.0.0</version>
    </dependency>
  </dependencies>
</project>

Then run Grype 0.84.0:

grype sbom.json

sbom.json:

Click me 
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:427c8220-455c-4270-8639-f63001b38d46",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:58:42Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.0.0",
          "purl": "pkg:npm/%40cyclonedx/[email protected]",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/[email protected]",
          "publisher": "OWASP Foundation",
          "authors": [
            {
              "name": "OWASP Foundation"
            }
          ]
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ],
      "purl": "pkg:maven/foo/[email protected]?type=jar",
      "bom-ref": "pkg:maven/foo/[email protected]?type=jar",
      "type": "application"
    },
    "properties": [
      {
        "name": "cdx:bom:componentTypes",
        "value": "maven"
      },
      {
        "name": "cdx:bom:componentNamespaces",
        "value": "com.google.protobuf\\ncom.mysql"
      }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/[email protected]?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/[email protected]?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/com.mysql/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.mysql/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/com.google.protobuf/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "dependsOn": []
    }
  ],
  "annotations": []
}

Notes

Differences between 10.10.7 (works with Grype) and 11.0.0 cdxgen output:

Screenshot 2024-11-17 at 00 12 27 Screenshot 2024-11-17 at 00 12 37 Screenshot 2024-11-17 at 00 12 45

sbom.json from cdxgen 10.10.7:

Click me 
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:fb64f67b-e07b-473c-bac0-d0d298266cea",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:56:39Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "10.10.7",
          "purl": "pkg:npm/%40cyclonedx/[email protected]",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/[email protected]",
          "author": "OWASP Foundation",
          "publisher": "OWASP Foundation"
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ],
      "purl": "pkg:maven/foo/[email protected]?type=jar",
      "bom-ref": "pkg:maven/foo/[email protected]?type=jar",
      "type": "application"
    },
    "properties": [
      {
        "name": "cdx:bom:componentTypes",
        "value": "maven"
      },
      {
        "name": "cdx:bom:componentNamespaces",
        "value": "com.google.protobuf\\ncom.mysql"
      }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/[email protected]?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/[email protected]?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/com.mysql/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.mysql/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/com.google.protobuf/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar",
      "dependsOn": []
    }
  ]
}
@metametadata metametadata added the bug Something isn't working label Nov 16, 2024
@metametadata metametadata changed the title Failure on SBOM with authors array Failure on SBOM from cdxgen 11.0.0 Nov 16, 2024
@spiffcs
Copy link
Contributor

spiffcs commented Nov 20, 2024

@metametadata thanks for the issue here. I've tracked down the changes in the cds schema to:
https://cyclonedx.org/schema/bom-1.6.schema.json

If you search this page for "title": "Identity Evidence", you'll see it has been updated to be oneOf which could be an object or list of identity objects.

Grype and Syft have not been updated to this latest schema. I've added this work to our backlog so we can update the schemas to the latest changes and get new versions of the tooling out.

Dev note: who ever picks this up might want to look at how we do these schema updates going forward. Currently it's a manual process that has not been run in 5 months. We might want more automation to cover if something changes in the specifications.

@spiffcs spiffcs moved this to Ready in OSS Nov 20, 2024
@spiffcs spiffcs moved this from Ready to In Progress in OSS Nov 21, 2024
@spiffcs spiffcs self-assigned this Nov 21, 2024
@spiffcs spiffcs moved this from In Progress to Stalled in OSS Dec 17, 2024
@spiffcs spiffcs moved this from Stalled to In Progress in OSS Jan 23, 2025
@metametadata
Copy link
Author

Not reproducible with Grype 0.87.0. Can be closed probably.

@spiffcs
Copy link
Contributor

spiffcs commented Jan 30, 2025

We're still working out some process so that grype can automatically consume updates from syft regarding any changes in how it processes/recognizes changes in the cdx specification. I'm going to leave this open for now and follow up with a comment summarizing the current state of that conflict between the tooling.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spiffcs spiffcs

Labels
bug Something isn't working
Projects
OSS
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
2 participants
@metametadata @spiffcs