
Supplier information missing in the SBOM #3049

Open
Naranthiran opened this issue Jul 18, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@Naranthiran

Hi Tim,

Since the BlackDuck team does not have a separate to analyze the SBOM, I was not able to give you an update.

But I have one more query regarding the SBOM generated using the syft tool.

I am using the below command to generate the SBOM. I have also attached the SBOM for your reference.

```shell
#syft dir:/home/RHEL7WORK/ -o spdx-json=071724minimalos.spdx.json
```

We have not been able to get the supplier information in the generated SBOM. We are using an SBOM editor for reviewing the SBOM.

Can you check the SBOM and confirm what the issue with the supplier information could be, or whether it is available in the SBOM and just not visible in the SBOM editor? And are there any tools to check the supplier information?

071724minimalos.spdx.json

Regards
Naranthiran Duraisamy

Originally posted by @Naranthiran in #2840 (comment)

@Naranthiran Naranthiran changed the title Hi Tim, Supplier information missing in the SBOM Jul 18, 2024
@popey popey added the bug Something isn't working label Jul 18, 2024
@wagoodman
Contributor

It looks like we are pulling vendor info

```go
// RPM cataloger: the VENDOR header tag is read alongside the other metadata.
// Note that the errors from each header read are discarded with `_`.
licenses, _ := rpm.Header.GetStrings(rpmutils.LICENSE)
sourceRpm, _ := rpm.Header.GetString(rpmutils.SOURCERPM)
vendor, _ := rpm.Header.GetString(rpmutils.VENDOR)
digestAlgorithm := getDigestAlgorithm(rpm.Header)
size, _ := rpm.Header.InstalledSize()
files, _ := rpm.Header.GetFiles()
```

and we're mapping that into the SPDX supplier

```go
// SPDX formatter: for both RPM DB entries and RPM archives the vendor
// becomes the supplier, typed as an Organization.
case pkg.RpmDBEntry:
	typ = orgType
	author = metadata.Vendor
case pkg.RpmArchive:
	typ = orgType
	author = metadata.Vendor
```

it might be that we're not correctly getting the vendor in the cataloger.

We should at the very least start capturing errors to a trace log (they are currently being thrown away) so we can get more visibility into this.

@Naranthiran
Author

Hi Alex,

If we could have a fix, it would be helpful for us.

Regards
Naranthiran Duraisamy

@kzantow
Contributor

kzantow commented Jul 19, 2024

Hi @Naranthiran -- are you able to provide a public image or other steps to reproduce this problem?

We have test RPMs that include the vendor information and this information gets properly output as SPDX suppliers, so there may be something else going on here.

Example (from this repo):

```shell
cd syft/pkg/cataloger/redhat/test-fixtures
make rpm
syft . -o spdx-json
```

... includes:

```json
"supplier": "Organization: Fedora Project",
```

I've added a PR that logs errors when parsing these; it would need debug logging enabled (-vv): #3051

It's possible the RPMs you are scanning simply may be missing this information, but there could be something else going on here. Without more information it will be hard to make any more changes to improve this, though.
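One way to answer the question raised in this thread, whether the supplier data is really absent from the SPDX JSON or merely not shown by the SBOM editor, is to read the file directly. The script below is an added example, not syft's or the project's code: it walks the `packages` array of a syft `spdx-json` document, parses each `supplier` string into its SPDX type and name, and groups packages by supplier, putting any with a missing, `NOASSERTION` or malformed supplier under `MISSING`. The embedded sample document is constructed for the demo, and its package names and versions are placeholders.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed SPDX 2.3 JSON fragment in the shape of syft's spdx-json output
# (not the attached 071724minimalos.spdx.json); values are placeholders.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "name": "/RPM_folder_path",
  "packages": [
    {"SPDXID": "SPDXRef-Package-rpm-bash-1", "name": "bash",
     "versionInfo": "4.2.46-34.el7", "supplier": "Organization: Fedora Project"},
    {"SPDXID": "SPDXRef-Package-rpm-vim-2", "name": "vim-minimal",
     "versionInfo": "7.4.629-8.el7", "supplier": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-rpm-curl-3", "name": "curl",
     "versionInfo": "7.29.0-59.el7"}
  ]
}
"""


def parse_supplier(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split an SPDX supplier string ("Organization: X" / "Person: X") into
    (type, name). Returns None for a missing field, NOASSERTION, or a value
    that does not follow the SPDX form."""
    if not value or value.strip() == "NOASSERTION":
        return None
    kind, sep, name = value.partition(":")
    if not sep or kind.strip() not in ("Organization", "Person") or not name.strip():
        return None
    return kind.strip(), name.strip()


def supplier_report(sbom: Dict) -> Dict[str, List[str]]:
    """Group 'name@version' labels by supplier; packages without a usable
    supplier are listed under the key 'MISSING'."""
    report: Dict[str, List[str]] = {}
    for p in sbom.get("packages", []):
        label = f"{p.get('name')}@{p.get('versionInfo', '')}"
        parsed = parse_supplier(p.get("supplier"))
        key = f"{parsed[0]}: {parsed[1]}" if parsed else "MISSING"
        report.setdefault(key, []).append(label)
    return report


def supplier_report_from_text(text: str) -> Dict[str, List[str]]:
    """Same report, built from the raw JSON text of an SBOM file."""
    return supplier_report(json.loads(text))


if __name__ == "__main__":
    for supplier, pkgs in supplier_report_from_text(SAMPLE_SPDX_JSON).items():
        print(f"{supplier}: {', '.join(pkgs)}")
```

Run it against a real file with `supplier_report_from_text(open(path).read())`; a long `MISSING` list for RPMs from the same distribution points at the cataloger or the source RPM headers rather than at the editor.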

@Naranthiran
Author

Hi Keith Zantow,

I am trying to generate the SBOM with RedHat 7.9 packages.

Steps to reproduce:
1) Mount the RedHat 7.9 ISO and copy the rpm files to the folder.

2) Run the below command to generate the SBOM.

```shell
#syft dir:/RPM_folder_path/ -o spdx-json=071724minimalos.spdx.json
```

3) Import the SBOM generated in the SBOM editor and check the supplier info against the package.

Regards
Naranthiran Duraisamy

@Naranthiran
Author

Hi Keith Zantow,

Were you able to reproduce the issue?

Please let me know if any inputs are required from my side.

Regards
Naranthiran Duraisamy
