Missing metadata in syft-json artifacts crashes grype #1334

Closed
ghost opened this issue Nov 10, 2022 · 3 comments · Fixed by #1338
ghost commented Nov 10, 2022

When using syft to output cyclonedx format, component properties for syft:metadata are excluded if those properties are default values (like empty string for a string), however syft:metadatatype is populated.

Using syft to convert this to syft-json results in a syft-json SBOM with the metadatatype field populated but missing the metadata field. Using this syft-json in grype results in an error:

unable to decode syft-json: unexpected end of JSON input

Root cause is the code here: https://github.com/anchore/syft/blob/v0.60.2/syft/formats/syftjson/model/package.go#L81 that expects Metadata to always be at least "{}".

You can recreate this error by removing the "metadata" field from an artifact with metadata in an otherwise valid syft-json SBOM.

I think there are a couple issues here:

  1. syft-json decoder should handle a missing metadata field either with a better error message or by simply skipping the Unmarshal, leaving the Metadata as an empty struct of the correct type.

    Fixing this would ensure that grype doesn't crash when given an input with missing info.

  2. cyclonedx decoder should ensure that when the cyclonedx is decoded into the SBOM and there are no metadata properties, but there is a MetadataType property, the Package's Metadata is still set to an empty struct of the correct type.

    Fixing this would ensure that converting a cyclonedx SBOM to syft-json when there is data missing or not included results in all the expected data in the syft-json SBOM.

Environment:

./syft version
Application:        syft
Version:            0.60.3
JsonSchemaVersion:  4.1.0
BuildDate:          2022-11-03T15:11:54Z
GitCommit:          bc9740d50a38e9660f2f98ed91d84c6d8799cf70
GitDescription:     v0.60.3
Platform:           linux/amd64
GoVersion:          go1.18.7
Compiler:           gc
./grype version
Application:          grype
Version:              0.52.0
Syft Version:         v0.60.3
BuildDate:            2022-11-03T17:15:32Z
GitCommit:            c8ddd7e218f63eb3adac1ec98ba9d8db9f3f3fec
GitDescription:       v0.52.0
Platform:             linux/amd64
GoVersion:            go1.18.7
Compiler:             gc
Supported DB Schema:  5
# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
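The two decoder fixes proposed in the report above, illustrated as an added example (this is not syft's or grype's code; the `ApkMetadata` stand-in struct, the `rawPackage` two-pass shape, the function names and the sample artifacts are all constructed for this example). `decodeNaive` reproduces the crash: it always unmarshals the raw `metadata` bytes, which are nil when the key was absent, so `json.Unmarshal` fails with "unexpected end of JSON input". `decodeTolerant` decodes only when the key was present and otherwise keeps the zero value of the type that `metadataType` names, which is also the value a CycloneDX decoder should emit when it sees `syft:metadatatype` without any `syft:metadata` properties.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ApkMetadata is a constructed stand-in for one of syft's per-ecosystem
// metadata structs; only its shape matters here.
type ApkMetadata struct {
	Package string `json:"package"`
	Version string `json:"version"`
}

// Package is the decoded artifact. Metadata holds a typed struct chosen
// from MetadataType, or nil when no type is given.
type Package struct {
	Name         string      `json:"name"`
	MetadataType string      `json:"metadataType"`
	Metadata     interface{} `json:"metadata"`
}

// rawPackage is the first-pass shape: metadata stays as raw bytes until
// MetadataType is known. If the "metadata" key is absent from the input,
// Metadata remains nil (len 0).
type rawPackage struct {
	Name         string          `json:"name"`
	MetadataType string          `json:"metadataType"`
	Metadata     json.RawMessage `json:"metadata"`
}

// typedMetadata returns a pointer to a zero value of the struct named by
// metadataType, nil for an empty type, and an error for an unknown one.
func typedMetadata(metadataType string) (interface{}, error) {
	switch metadataType {
	case "ApkMetadata":
		return &ApkMetadata{}, nil
	case "":
		return nil, nil
	default:
		return nil, fmt.Errorf("unknown metadata type %q", metadataType)
	}
}

// decodeNaive mirrors the failure mode: it unconditionally unmarshals the
// raw metadata, so an absent key (nil bytes) produces
// "unexpected end of JSON input".
func decodeNaive(data []byte) (Package, error) {
	var raw rawPackage
	if err := json.Unmarshal(data, &raw); err != nil {
		return Package{}, err
	}
	target, err := typedMetadata(raw.MetadataType)
	if err != nil {
		return Package{}, err
	}
	p := Package{Name: raw.Name, MetadataType: raw.MetadataType}
	if target == nil {
		return p, nil
	}
	if err := json.Unmarshal(raw.Metadata, target); err != nil {
		return Package{}, fmt.Errorf("unable to decode syft-json: %w", err)
	}
	p.Metadata = target
	return p, nil
}

// decodeTolerant only unmarshals when the key was actually present; an
// absent key leaves target as the zero value of the named type. A literal
// null is left to json.Unmarshal, which treats it as a no-op for structs.
func decodeTolerant(data []byte) (Package, error) {
	var raw rawPackage
	if err := json.Unmarshal(data, &raw); err != nil {
		return Package{}, err
	}
	target, err := typedMetadata(raw.MetadataType)
	if err != nil {
		return Package{}, err
	}
	p := Package{Name: raw.Name, MetadataType: raw.MetadataType}
	if target == nil {
		return p, nil
	}
	if len(raw.Metadata) > 0 {
		if err := json.Unmarshal(raw.Metadata, target); err != nil {
			return Package{}, fmt.Errorf("unable to decode syft-json metadata for %q: %w", raw.Name, err)
		}
	}
	p.Metadata = target
	return p, nil
}

// Constructed syft-json artifacts: one complete, one with the "metadata"
// key dropped while metadataType is still set, as the issue describes.
var (
	SampleFull    = []byte(`{"name":"musl","metadataType":"ApkMetadata","metadata":{"package":"musl","version":"1.2.3-r0"}}`)
	SampleMissing = []byte(`{"name":"musl","metadataType":"ApkMetadata"}`)
)

func main() {
	for _, in := range [][]byte{SampleFull, SampleMissing} {
		_, err := decodeNaive(in)
		fmt.Printf("naive:    err=%v\n", err)
		p, err := decodeTolerant(in)
		fmt.Printf("tolerant: type=%s metadata=%+v err=%v\n", p.MetadataType, p.Metadata, err)
	}
}
```

The tolerant path still rejects an unknown `metadataType` and still surfaces malformed metadata bytes with the package name attached, so a consumer such as grype gets an actionable error rather than a bare "unexpected end of JSON input" and never crashes on an artifact whose metadata was simply omitted because every property was a default value.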
@ghost ghost added the bug Something isn't working label Nov 10, 2022
kzantow commented Nov 10, 2022

Good catch @sambetts-cisco! Thanks for the detailed write-up, we should be able to get this taken care of pretty quickly.

@kzantow kzantow added this to OSS Nov 10, 2022
@kzantow kzantow moved this to Backlog (Pulled Forward for Priority) in OSS Nov 10, 2022
@kzantow kzantow self-assigned this Nov 11, 2022
kzantow commented Nov 14, 2022

Hi @sambetts-cisco -- do you happen to have a specific example of an image scan that would show this behavior?

FrimIdan commented Nov 14, 2022

> Hi @sambetts-cisco -- do you happen to have a specific example of an image scan that would show this behavior?

@kzantow docker.io/weaveworksdemos/front-end should show this behavior
