Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant)

[edonadei]

What happened:
When trying to scan a folder that contains a jar, Syft is creating a package of that jar without versionInfo.
An example can be found here: https://github.com/google/tink/tree/master/java_src/examples/android/helloworld/gradle/wrapper

It will generate an entry like this:

{
   "name": "gradle-wrapper",
   "SPDXID": "SPDXRef-Package-java-archive-gradle-wrapper-df62e5252291c51c",
   "downloadLocation": "NOASSERTION",
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "079675260ae4ff9d6bc0179c7ca1d1422af2a57c"
    }
   ],
   "sourceInfo": "acquired package info from installed java archive: java_src/examples/android/helloworld/gradle/wrapper/gradle-wrapper.jar",
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },

What you expected to happen:
I'm not sure what's the expected good answer here. When opening that Jar, there is no manifest to be scanned upon for Syft to get any additional metadata.

I suppose it would be either:

• Not adding the jar as package as it does not give any factual information on any package
• Failing the scan and noticing the user that the package does not has any metadata to be scanned?

Steps to reproduce the issue:

git clone https://github.com/google/tink.git
cd tink
syft .

Anything else we need to know?:
I used this checker to verify if the SBOM is compliant https://github.com/spdx/ntia-conformance-checker.

Environment:

• Output of syft version: v.0.87.1
• OS (e.g: cat /etc/os-release or similar): Ubuntu

[tgerla]

Hi @edonadei, thanks for the report. We're discussing this problem and we've come up with a couple of possible behaviors in these kinds of cases:

• error out and refuse to create an NTIA-non-compliant SPDX entirely
• make a file record instead of a package record if we can't determine the package version
• create a package record but populate the version field with a special string that indicates "we don't know", which the user would then need to resolve manually.
• we could also implement an "NTIA mode" in Syft that would produce an SBOM with placeholder values for the unknown fields required by NTIA

I think we have enough information to move forward on this, so we'll put this in backlog, but we would be glad to hear your feedback on these ideas and discuss them.