Failed to detect format of CycloneDX XML SBOM with no components #1005

Closed
ghost opened this issue Nov 17, 2022 · 1 comment · Fixed by anchore/syft#1873
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments


ghost commented Nov 17, 2022

./syft -o cyclonedx registry:gcr.io/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f

This produces a valid CycloneDX XML SBOM:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:c37eab0d-ffc4-437e-9e16-2045dd4a063d" version="1">
  <metadata>
    <timestamp>2022-11-17T10:04:45Z</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
        <version>0.60.3</version>
      </tool>
    </tools>
    <component bom-ref="ac8346f37ef2bf4" type="container">
      <name>gcr.io/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f</name>
      <version>sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108</version>
    </component>
  </metadata>
  <components></components>
</bom>

Passing this into grype results in an error:

1 error occurred:
        * failed to catalog: unable to decode sbom: unable to identify format

This should work correctly, and switching to cyclonedx-json for the same image works.

The root cause appears to be the code here: https://github.com/anchore/syft/blob/main/syft/formats/common/cyclonedxhelpers/decoder.go#L26
checking to see if bom.Components == nil. It might be a bug in cyclonedx-go producing inconsistent behaviour between XML and JSON.

$ ./syft version
Application:        syft
Version:            0.60.3
JsonSchemaVersion:  4.1.0
BuildDate:          2022-11-03T15:11:54Z
GitCommit:          bc9740d50a38e9660f2f98ed91d84c6d8799cf70
GitDescription:     v0.60.3
Platform:           darwin/amd64
GoVersion:          go1.18.7
Compiler:           gc
$ ./grype version
Application:          grype
Version:              0.52.0
Syft Version:         v0.60.3
BuildDate:            2022-11-03T17:15:32Z
GitCommit:            c8ddd7e218f63eb3adac1ec98ba9d8db9f3f3fec
GitDescription:       v0.52.0
Platform:             darwin/amd64
GoVersion:            go1.18.7
Compiler:             gc
Supported DB Schema:  5
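Added example (not syft's or grype's own code) reproducing the nil-versus-empty difference behind the decoder check named above, using a minimal stand-in for the cyclonedx-go BOM struct (assumed shape, keeping only the `components>component` path tag) together with a format check that does not depend on any components being listed:

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"strings"
)

// Stand-in for the CycloneDX BOM model (assumption: cyclonedx-go has many
// more fields; only the "components>component" XML path shape is kept).
type Component struct{ Name string `json:"name" xml:"name"` }

type BOM struct {
	XMLName    xml.Name     `json:"-" xml:"bom"`
	BOMFormat  string       `json:"bomFormat,omitempty" xml:"-"`
	Components *[]Component `json:"components,omitempty" xml:"components>component,omitempty"`
}

// Constructed inputs: the issue's XML trimmed to the relevant elements, and a
// JSON BOM for the same case carrying an empty components array.
const xmlBOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components></components>
</bom>`
const jsonBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"components":[]}`

// Decode picks the encoding from the first non-space byte.
func Decode(s string) (*BOM, error) {
	var b BOM
	if strings.HasPrefix(strings.TrimSpace(s), "{") {
		return &b, json.Unmarshal([]byte(s), &b)
	}
	return &b, xml.NewDecoder(strings.NewReader(s)).Decode(&b)
}

// ComponentsIsNil is the fragile test the issue points at: an empty <components>
// wrapper never allocates the slice (nil), whereas JSON's [] is a non-nil empty slice.
func ComponentsIsNil(b *BOM) bool { return b.Components == nil }

// LooksLikeCycloneDX keys on the schema namespace (XML) or bomFormat (JSON)
// instead, so a BOM listing zero components is still recognised.
func LooksLikeCycloneDX(b *BOM) bool {
	return strings.HasPrefix(b.XMLName.Space, "http://cyclonedx.org/schema/bom/") ||
		b.BOMFormat == "CycloneDX"
}

func main() {
	x, _ := Decode(xmlBOM)
	fmt.Println("xml Components nil:", ComponentsIsNil(x), "detected:", LooksLikeCycloneDX(x))
}
```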
@ghost ghost added the bug Something isn't working label Nov 17, 2022
@spiffcs spiffcs transferred this issue from anchore/syft Nov 21, 2022
@spiffcs spiffcs added the good-first-issue Good for newcomers label Nov 21, 2022
Contributor

spiffcs commented Nov 21, 2022

👋 Thanks @sambetts-cisco --> I've transferred this issue over to grype. It looks like the cyclonedx-xml output by syft is correct. When we have a second we will investigate and see if we can submit a patch here.
