Decoding of sparse CycloneDX does not set language #953
Labels
bug
Something isn't working
Comments
jonmcewen
added a commit
to jonmcewen/syft
that referenced
this issue
Apr 13, 2022
Signed-off-by: Jon McEwen <jon_mcewen@hotmail.com>
jonmcewen
added a commit
to jonmcewen/syft
that referenced
this issue
Apr 13, 2022
Signed-off-by: Jon McEwen <jon_mcewen@hotmail.com>
This was referenced Apr 13, 2022
spiffcs
added a commit
that referenced
this issue
May 2, 2022
* main: (31 commits) reduce noise of log output (#976) add version info and remove double config call (#977) Rename syft-id to package-id (#970) update to cyclonedx-go 0.5.2 (#971) refactor command package to remove globals and add dependency injection fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957) Fix typo in CPE-parsing error (#966) Preserve syft IDs on SBOM decode (#963) Update GitHub format package_url and correlator (#961) Ensure SPDXIDs are valid (#955) Auto-PR needs to run go mod tidy (#958) Add workflow for automatic PR for new stereoscope updates (#954) Minor readme update to correct format information (#948) Update spdx22json to only take uppercase checksum algorithm (#946) add additional vendors for springframework (#945) Add digest property to parent and nested java package metadata (#941) Update write permissions and log into ghcr.io for release (#942) Retry auth URL lookup without docker credentialhelper workaround (#939) Ensure that all cyclonedx components have bom-refs (#914) Additionally publish docker images to GHCR (#934) ... Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21
pushed a commit
to rigzba21/syft
that referenced
this issue
May 5, 2022
…re/syft… (anchore#957) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis
pushed a commit
to GijsCalis/syft
that referenced
this issue
Feb 19, 2024
…re/syft… (anchore#957) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.
What you expected to happen:
Vulnerabilities should be found by language when there is no CPE and no syft metadata
How to reproduce it (as minimally and precisely as possible):
Using a CycloneDX SBOM with minimal component info and known CVEs such as:
{ "name" : "log4j-core", "version" : "2.13.3", "purl" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar", "type" : "library", "bom-ref" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar" },Running grype will not find any CVEs.
Anything else we need to know?:
PR coming shortly...
Environment:
syft version: v0.42.4cat /etc/os-releaseor similar): anyThe text was updated successfully, but these errors were encountered: