
Failure on SBOM from cdxgen 11.0.0 #2263

Open
metametadata opened this issue Nov 16, 2024 · 1 comment
Labels: bug (Something isn't working)

Comments

metametadata commented Nov 16, 2024

What happened:

failed to catalog: unable to decode sbom: unable to decode cyclonedx json document: json: cannot unmarshal array into Go struct field Evidence.components.evidence.identity of type cyclonedx.EvidenceIdentity

What you expected to happen:

No error.

How to reproduce it (as minimally and precisely as possible):

Use cdxgen 11.0.0 to generate an SBOM from pom.xml:

CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0    http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>com.mysql</groupId>
      <artifactId>mysql-connector-j</artifactId>
      <version>9.0.0</version>
    </dependency>
  </dependencies>
</project>

Then run Grype 0.84.0:

grype sbom.json

sbom.json:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:427c8220-455c-4270-8639-f63001b38d46",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:58:42Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.0.0",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.0.0",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.0.0",
          "publisher": "OWASP Foundation",
          "authors": [
            {
              "name": "OWASP Foundation"
            }
          ]
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ],
      "purl": "pkg:maven/foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "type": "application"
    },
    "properties": [
      {
        "name": "cdx:bom:componentTypes",
        "value": "maven"
      },
      {
        "name": "cdx:bom:componentNamespaces",
        "value": "com.google.protobuf\\ncom.mysql"
      }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "dependsOn": [
        "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "dependsOn": [
        "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "dependsOn": []
    }
  ],
  "annotations": []
}

Notes

Differences between 10.10.7 (works with Grype) and 11.0.0 cdxgen output:

[Three screenshots taken 2024-11-17 showing the diff between the two outputs; not reproduced here]

sbom.json from cdxgen 10.10.7:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:fb64f67b-e07b-473c-bac0-d0d298266cea",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:56:39Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "10.10.7",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@10.10.7",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.10.7",
          "author": "OWASP Foundation",
          "publisher": "OWASP Foundation"
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ],
      "purl": "pkg:maven/foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "type": "application"
    },
    "properties": [
      {
        "name": "cdx:bom:componentTypes",
        "value": "maven"
      },
      {
        "name": "cdx:bom:componentNamespaces",
        "value": "com.google.protobuf\\ncom.mysql"
      }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "cdx:maven:component_scope",
          "value": "compile"
        },
        {
          "name": "SrcFile",
          "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "dependsOn": [
        "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "dependsOn": [
        "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "dependsOn": []
    }
  ]
}
@metametadata metametadata added the bug Something isn't working label Nov 16, 2024
@metametadata metametadata changed the title Failure on SBOM with authors array Failure on SBOM from cdxgen 11.0.0 Nov 16, 2024
Contributor

spiffcs commented Nov 20, 2024

@metametadata thanks for the issue here. I've tracked down the changes in the cdx schema to:
https://cyclonedx.org/schema/bom-1.6.schema.json

If you search this page for "title": "Identity Evidence", you'll see it has been updated to be oneOf which could be an object or list of identity objects.

Grype and Syft have not been updated to this latest schema. I've added this work to our backlog so we can update the schemas to the latest changes and get new versions of the tooling out.

Dev note: whoever picks this up might want to look at how we do these schema updates going forward. Currently it's a manual process that has not been run in 5 months. We might want more automation to cover if something changes in the specifications.
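
A tolerant decoder for the identity field, added here as an example (not Grype's or Syft's code), that accepts both the 1.5 object form and the 1.6 array form shown by the two SBOMs above. The trimmed sample documents, the type names and DecodeIdentities are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
)

// Constructed samples, trimmed from the two SBOMs above: cdxgen 10.10.7 emits
// identity as an object (spec 1.5), cdxgen 11.0.0 as an array (spec 1.6).
const bom15 = `{"components":[{"name":"mysql-connector-j","evidence":{"identity":{"field":"purl","confidence":0.5}}}]}`
const bom16 = `{"components":[{"name":"mysql-connector-j","evidence":{"identity":[{"field":"purl","confidence":0.5}]}}]}`

type EvidenceIdentity struct {
	Field      string  `json:"field"`
	Confidence float64 `json:"confidence"`
}

// IdentityList decodes either side of the 1.6 oneOf: a lone object is wrapped in a one-element slice.
type IdentityList []EvidenceIdentity

func (l *IdentityList) UnmarshalJSON(b []byte) error {
	if bytes.HasPrefix(bytes.TrimSpace(b), []byte("{")) { // 1.5 shape: single identity object
		var one EvidenceIdentity
		if err := json.Unmarshal(b, &one); err != nil {
			return err
		}
		*l = IdentityList{one}
		return nil
	}
	// Array, null or anything else: plain slice decode (the conversion avoids re-entering this method).
	return json.Unmarshal(b, (*[]EvidenceIdentity)(l))
}

type Component struct {
	Name     string                                              `json:"name"`
	Evidence *struct{ Identity IdentityList `json:"identity"` } `json:"evidence"`
}

// DecodeIdentities returns the first component's identity entries; the caller
// sees one slice whichever shape the producer emitted.
func DecodeIdentities(data []byte) (IdentityList, error) {
	var bom struct{ Components []Component `json:"components"` }
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	if len(bom.Components) == 0 || bom.Components[0].Evidence == nil {
		return nil, nil
	}
	return bom.Components[0].Evidence.Identity, nil
}
```

A strict `Identity EvidenceIdentity` field produces exactly the "cannot unmarshal array into Go struct field" error from the report when fed the 1.6 document; the slice-backed type above makes both producers decode to the same value.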

@spiffcs spiffcs moved this to Ready in OSS Nov 20, 2024
@spiffcs spiffcs moved this from Ready to In Progress in OSS Nov 21, 2024
@spiffcs spiffcs self-assigned this Nov 21, 2024
@spiffcs spiffcs moved this from In Progress to Stalled in OSS Dec 17, 2024
Labels
bug Something isn't working
Projects
Status: Stalled
2 participants