Pick up CycloneDX BOM components from metadata as well #3092
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
Hey @dervoeti , this looks like a good change but I'd mention two things:
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
25348c4 to 671684e
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
4f91340 to 390fc91
Thanks for the quick reply! I added an integration test with a handcrafted CycloneDX SBOM. Regarding the Syft generated
Hi @dervoeti, Syft outputs appropriate component types for the metadata.component. For example:
or
I think this could probably check for the CycloneDX component type being only those appropriate to create packages. My feeling looking at the list is, this would include:
It looks like when Syft constructs the source object it is explicitly checking for
…type
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
Yeah I think your list sounds reasonable, I implemented it that way now 🙂 For my use case only
@@ -39,11 +39,32 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) { | |||
} | |||
|
|||
func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]interface{}) error { | |||
if bom.Components == nil { | |||
components := []cyclonedx.Component{} |
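Review bot: dropping the early `if bom.Components == nil` return in favour of building a `components` slice means collectBomPackages now reaches the metadata component unconditionally, so it also needs a guard on `bom.Metadata` before dereferencing `bom.Metadata.Component`; a BOM that omits the metadata section would otherwise hit a nil pointer. Suggest `if bom.Metadata != nil && bom.Metadata.Component != nil { ... }` ahead of the loop.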
I think this change could be simplified to just adding this block:

```go
// Treat the BOM's metadata component like any entry of bom.Components.
if bom.Metadata.Component != nil {
	collectPackages(bom.Metadata.Component, s, idMap)
}
```

... and in the collectPackages, we should be recursively adding sub-components, and checking for the type being one of the right types, which it looks like it's doing already
Sorry I should have looked at exactly what the code was doing there before sending you down a path to implement an unnecessary thing 🤦
No worries, I also didn't see the logic was already present. Good thing you spotted it; I refactored it, and the change is much simpler now 👍
I may have missed suggesting a `bom.Metadata != nil` bit
Ah right, fixed
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
…omponents-from-metadata
Thanks for the contribution, @dervoeti !
I'm building a docker image containing multiple Java applications. For those applications, I generate CycloneDX SBOMs at build time using cyclonedx-maven-plugin, which are placed in the docker image alongside the applications.

cyclonedx-maven-plugin stores the application component itself (e.g. `my-java-app@1.2.3`) inside the `.metadata.component` attribute of the SBOM. It does not provide it again in the `.components` attribute of the SBOM. This seems to be correct.

When I scan the image using Syft, the sbom-cataloger picks up the SBOMs of the Java applications, but it does not recognize the component in `.metadata.component`. So the main component and its direct dependency relations to sub-components are lost in the SBOM Syft produces for the image.

This PR fixes that by collecting `.metadata.component` as a package as well, additionally to `.components`. I tested this for my use case and it provided the expected result.

I'm not an expert on CycloneDX or Syft, so I have no idea whether this is an idiomatic way of implementing it or it has any side effects, hence I made this a draft PR. As mentioned, it works fine for my use case.