
compatibility with cyclonedx-maven-plugin:2.8.1 #227

Closed
ZheSun88 opened this issue Aug 5, 2024 · 4 comments

ZheSun88 commented Aug 5, 2024

It seems bomber is not compatible with the JSON generated from cyclonedx-maven-plugin:2.8.1.

In the new CycloneDX plugin, they have removed the deprecated features of the CycloneDX schema, and now I am getting an error when running bomber scan with the new JSON file, while it works fine with JSON generated from cyclonedx-maven-plugin:2.8.0:

2024/08/05 09:31:32 Reading: bom-vaadin.json
2024/08/05 09:31:32 Detected CycloneDX JSON
■ No packages were detected. Nothing has been scanned.
2024/08/05 09:31:32 Finished

cyclonedx-maven-plugin:2.8.1

cyclonedx-maven-plugin:2.8.0

@djschleen (Member) commented:

@ZheSun88 can you provide a full SBOM or a snippet of the components section for us to test with?


ZheSun88 commented Aug 5, 2024

Hi @djschleen,
here is one example, with cyclonedx-maven-plugin:2.8.1:

    "tools": {
      "components": [
        {
          "author": "OWASP Foundation",
          "group": "org.cyclonedx",
          "name": "cyclonedx-maven-plugin",
          "version": "2.8.1",
          "description": "CycloneDX Maven plugin",
          "hashes": [
            {
              "alg": "MD5",
              "content": "42c73e70d517b359d40b757c368d68fc"
            },
            {
              "alg": "SHA-1",
              "content": "c66892e13fb7ed7b8105cb5a280fa767d9e0bf12"
            },
            {
              "alg": "SHA-256",
              "content": "566681b9fcb1b0178e101cd899d2ea399e2039255e208a1a477bc079158dbdc5"
            },
            {
              "alg": "SHA-512",
              "content": "93d7b7421ee2d91f84930e75a52864952f26fee96114740dab477ee5f0e62b6448759ad5a160f1749650379f771941100c7fd84ed523b2407d2004b928998ecb"
            },
            {
              "alg": "SHA-384",
              "content": "04b0c71c1b79f77e723e7db96c72705f50172e94df5a7f28edbd96024b886fff65f61f37fc77abb1d12b0809813ae665"
            },
            {
              "alg": "SHA3-384",
              "content": "eafa68c2c25670f0b77c5db3acdfd97cfe97dfc50c47bba2103353327b049b9bbac0d8b621b1168200ddf21719048c73"
            },
            {
              "alg": "SHA3-256",
              "content": "2c07b6997ba0e40ca3b66e39cfcf101fcebdceaa19fce0baf12e013cf392466e"
            },
            {
              "alg": "SHA3-512",
              "content": "636f068843bad92259885cd4d427630619864c0172bd1b41df15c33a7d411767ab09cf2ff339a97fda149ee44c95a162fdf6cb12de19e2dc0250c2fadc80d882"
            }
          ],
          "type": "library"
        }
      ]
    },

while with cyclonedx-maven-plugin:2.8.0, it seems there is no components section:

    "tools": [
      {
        "vendor": "OWASP Foundation",
        "name": "CycloneDX Maven plugin",
        "version": "2.8.0",
        "hashes": [
          {
            "alg": "MD5",
            "content": "76ffec6a7ddd46b2b24517411874eb99"
          },
          {
            "alg": "SHA-1",
            "content": "5b0d5b41975b53be4799b9621b4af0cfc41d44b6"
          },
          {
            "alg": "SHA-256",
            "content": "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81"
          },
          {
            "alg": "SHA-512",
            "content": "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d"
          },
          {
            "alg": "SHA-384",
            "content": "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d"
          },
          {
            "alg": "SHA3-384",
            "content": "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8"
          },
          {
            "alg": "SHA3-256",
            "content": "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487"
          },
          {
            "alg": "SHA3-512",
            "content": "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a"
          }
        ]
      }
    ],

I also attach the full JSON files here.
bom-2.8.0.json
bom-2.8.1.json

@djschleen (Member) commented:

I ran both of your attached files with bomber 0.5.0 (will be released shortly) and have not reproduced any issue.
If there is no components section in an SBOM, nothing can be scanned because no PURLs will be found. The only thing bomber will use out of any SBOM is that PURL, and license info. Any other fields like name, description, version, etc. are not used.
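As an added illustration (not bomber's own code), the following Python parses a CycloneDX JSON SBOM the way the comment above describes: it reads the generator tool name from either `metadata.tools` shape (the array used by 2.8.0 and the object with `components` used by 2.8.1), but decides whether anything is scannable solely from `components[].purl`. The two sample SBOMs are constructed for this example, not the attached files.

```python
"""Extract package URLs (PURLs) from a CycloneDX JSON SBOM.

Added example, not bomber's own code. The `tools` shape differs between
CycloneDX 1.4 (array) and 1.5+ (object with `components`), but scanning
only depends on `components[].purl`, so a bom with no components yields
nothing regardless of how `tools` is written.
"""
import json

# Constructed sample SBOMs for illustration; not the files attached to the issue.
SBOM_NEW_TOOLS_SHAPE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"tools": {"components": [
        {"type": "library", "name": "cyclonedx-maven-plugin", "version": "2.8.1"}]}},
    "components": [
        {"type": "library", "group": "com.example", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/com.example/lib-a@1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # A component without a purl is invisible to a PURL-based scanner.
        {"type": "library", "name": "no-purl-lib", "version": "2.0.0"},
    ],
})
SBOM_NO_COMPONENTS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"tools": [
        {"vendor": "OWASP Foundation", "name": "CycloneDX Maven plugin", "version": "2.8.0"}]},
})


def tool_names(raw: str) -> list:
    """Return generator tool names, accepting both `metadata.tools` shapes."""
    tools = json.loads(raw).get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):  # 1.5+: {"components": [...], "services": [...]}
        tools = tools.get("components", [])
    return [t.get("name", "") for t in tools]


def _walk(components):
    """Yield purls in document order, descending into nested components."""
    for comp in components:
        if comp.get("purl"):
            yield comp["purl"]
        yield from _walk(comp.get("components", []))


def extract_purls(raw: str) -> list:
    """Return every component PURL; an empty list means nothing to scan."""
    bom = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    return list(_walk(bom.get("components", [])))
```

Running `extract_purls` on both samples shows the 2.8.1-style tools object is parsed fine; only the SBOM lacking a `components` section produces the "nothing scanned" outcome.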

@djschleen djschleen added this to the 0.5.0 milestone Aug 15, 2024
@djschleen djschleen added the invalid This doesn't seem right label Aug 15, 2024
@ZheSun88 (Author) commented:

Oh, thanks for checking. It seems we used version 0.4.7. The failure no longer occurs after I upgraded Bomber to 0.5.0.

thanks again
