Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

invalid package url type: dotnet #1622

Closed
felickz opened this issue Feb 24, 2023 · 3 comments · Fixed by #1649
Closed

invalid package url type: dotnet #1622

felickz opened this issue Feb 24, 2023 · 3 comments · Fixed by #1649
Assignees
Labels
bug Something isn't working

Comments

@felickz
Copy link

felickz commented Feb 24, 2023

Testing out capabilities on a small .NET test repo. The detector is finding a deps.json and reporting package type as dotnet ... should be nuget?

Config

      - uses: anchore/sbom-action@v0
        if: runner.os != 'Windows'
        with:
          path: .
          dependency-snapshot: true

Logs showing the errror:

  "data": {
    "message": "invalid package url: in manifest \"ProCodeGuide.Samples.Automapper/bin/Debug/netcoreapp3.1/ProCodeGuide.Samples.Automapper.deps.json\" decoding \"pkg:dotnet/[email protected]\": invalid package url type: dotnet",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
@kzantow
Copy link
Contributor

kzantow commented Feb 24, 2023

Thanks for the report @felickz! I'm moving this to the Syft project, as that is where PURLs get generated.

@kzantow kzantow transferred this issue from anchore/sbom-action Feb 24, 2023
@xopham
Copy link

xopham commented Feb 28, 2023

@felickz @kzantow I believe that we are experiencing the same / a very similar issue. Running anchore/sbom action with dependency submission via dependency-snapshot: true as a reusable job:

  dependency-submission:
    name: syft / dependency review
    runs-on: ubuntu-latest
    permissions:
      packages: read
      contents: write
    steps:
    - name: Login with registry
      if: inputs.registry != ''
      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.repo_owner }}
        password: ${{ inputs.repo_token }}
    - name: Run
      uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
      with:
        image: ${{ inputs.image }}
        format: cyclonedx-json
        dependency-snapshot: true

This fails with: "invalid package url: in manifest \"docker.io/securesystemsengineering/connaisseur:v2.8.0:/bin/busybox\" decoding \"\": scheme is missing"

Complete log ```bash Error uploading depdendency snapshot: { "url": "https://api.github.com/repos/xopham/connaisseur/dependency-graph/snapshots", "status": 422, "headers": { "access-control-allow-origin": "*", "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset", "connection": "close", "content-length": "279", "content-security-policy": "default-src 'none'", "content-type": "application/json; charset=utf-8", "date": "Mon, 27 Feb 2023 23:13:49 GMT", "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin", "server": "GitHub.com", "strict-transport-security": "max-age=31536000; includeSubdomains; preload", "vary": "Accept-Encoding, Accept, X-Requested-With", "x-content-type-options": "nosniff", "x-frame-options": "deny", "x-github-api-version-selected": "2022-11-28", "x-github-media-type": "github.v3; format=json", "x-github-request-id": "4410:2CE3:6E44F35:E35EE2B:63FD392D", "x-ratelimit-limit": "100", "x-ratelimit-remaining": "99", "x-ratelimit-reset": "1677539689", "x-ratelimit-resource": "dependency_snapshots", "x-ratelimit-used": "1", "x-xss-protection": "0" }, "data": { "message": "invalid package url: in manifest \"docker.io/securesystemsengineering/connaisseur:v2.8.0:/bin/busybox\" decoding \"\": scheme is missing", "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository" } } ```

Great work by the way! Really enjoying the new anchore tooling 🚀

@jain-ranjith
Copy link

We are exploring using Syft along with the Dependency track on a dotnet project. For the package URL "pkg:dotnet/xxxxxx ", the dependency tracker does not show any results.
If I correct the package URL to "pkg:nuget/xxxxxx" the dependency tracker lists associated vulnerabilities.

It seems Syft generated SBOMS are having wrong package URL "pkg:dotnet/xxxxxx " instead of "pkg:nuget/xxxxxx" .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

4 participants