-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
invalid package url type: dotnet #1622
Comments
Thanks for the report @felickz! I'm moving this to the Syft project, as that is where PURLs get generated. |
@felickz @kzantow I believe that we are experiencing the same / a very similar issue. Running anchore/sbom action with dependency submission via dependency-submission:
name: syft / dependency review
runs-on: ubuntu-latest
permissions:
packages: read
contents: write
steps:
- name: Login with registry
if: inputs.registry != ''
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.repo_owner }}
password: ${{ inputs.repo_token }}
- name: Run
uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
with:
image: ${{ inputs.image }}
format: cyclonedx-json
dependency-snapshot: true This fails with: Complete log```bash Error uploading depdendency snapshot: { "url": "https://api.github.com/repos/xopham/connaisseur/dependency-graph/snapshots", "status": 422, "headers": { "access-control-allow-origin": "*", "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset", "connection": "close", "content-length": "279", "content-security-policy": "default-src 'none'", "content-type": "application/json; charset=utf-8", "date": "Mon, 27 Feb 2023 23:13:49 GMT", "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin", "server": "GitHub.com", "strict-transport-security": "max-age=31536000; includeSubdomains; preload", "vary": "Accept-Encoding, Accept, X-Requested-With", "x-content-type-options": "nosniff", "x-frame-options": "deny", "x-github-api-version-selected": "2022-11-28", "x-github-media-type": "github.v3; format=json", "x-github-request-id": "4410:2CE3:6E44F35:E35EE2B:63FD392D", "x-ratelimit-limit": "100", "x-ratelimit-remaining": "99", "x-ratelimit-reset": "1677539689", "x-ratelimit-resource": "dependency_snapshots", "x-ratelimit-used": "1", "x-xss-protection": "0" }, "data": { "message": "invalid package url: in manifest \"docker.io/securesystemsengineering/connaisseur:v2.8.0:/bin/busybox\" decoding \"\": scheme is missing", "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository" } } ```Great work by the way! Really enjoying the new anchore tooling 🚀 |
We are exploring using Syft along with the Dependency track on a dotnet project. For the package URL "pkg:dotnet/xxxxxx ", the dependency tracker does not show any results. It seems Syft generated SBOMS are having wrong package URL "pkg:dotnet/xxxxxx " instead of "pkg:nuget/xxxxxx" . |
Testing out capabilities on a small .NET test repo. The detector is finding a
deps.json
and reporting package type asdotnet
... should benuget
?Config
Logs showing the errror:
The text was updated successfully, but these errors were encountered: