CycloneDX SBOM missing numerous identified components #588

Closed
n0x08 opened this issue Apr 17, 2023 · 1 comment · Fixed by #589
n0x08 commented Apr 17, 2023

Describe the bug
The CycloneDX SBOM file does not contain all identified components with their respective versions.

To Reproduce
Steps to reproduce the behavior:

  1. EMBA installation: default mode + git pull on April 11th 2023
  2. Use the firmware available here: https://share.netmodule.com/public/system-software/4.6/4.6.0.104/NB3800_Software_Release_4.6.0.104.img
  3. Start EMBA with the following parameters: sudo ./emba.sh ~/NB3800_Software_Release_4.6.0.104.img -l ~/NB3800_Software_Release_4.6.0.104 -p ./scan-profiles/default-scan.emba
  4. View HTML report
  5. Compare the list of "Identified software components - via usermode emulation." to what is in "CycloneDX SBOM converter" and you will see many components are missing.

Expected behavior
I would expect that all components with an identified version would be listed in the SBOM.

Screenshots
Identified components:
image

CycloneDX file (notice bgpd is missing; this is just one example)
image

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • EMBA version: v1.2.2 or current master branch
  • Installation method: default with up to date docker image


@m-1-k-3 m-1-k-3 added the bug Something isn't working label Apr 17, 2023
@m-1-k-3 m-1-k-3 self-assigned this Apr 17, 2023
m-1-k-3 (Member) commented Apr 18, 2023

Looks like f20 is only reporting software components with vulnerabilities to CSV. This results in missing components in the SBOM.

@m-1-k-3 m-1-k-3 added the in progress Someone is working on this label Apr 18, 2023
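
The manual comparison in step 5 of the report can be automated as a completeness check on the generated SBOM. The following is an added example, not EMBA's code and not part of the original issue; the component versions, the `(name, version)` input layout and the function names are assumptions constructed for illustration, and only the CycloneDX JSON `components` structure is taken from the format itself.

```python
import json

# Constructed sample data, not taken from the issue's firmware scan.
# IDENTIFIED stands in for the report's list of identified components; the
# (name, version) tuple layout is an assumption, not EMBA's own format.
IDENTIFIED = [("bgpd", "1.0.0"), ("busybox", "1.30.1"),
              ("dnsmasq", "2.80"), ("openssl", "1.1.1k")]

# Constructed CycloneDX JSON document with one nested component.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "BusyBox", "version": "1.30.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "components": [
       {"type": "application", "name": "dnsmasq", "version": "2.79"}
     ]}
  ]
}
""")


def sbom_components(bom):
    """Yield (lowercased name, version) for every component, nested ones too."""
    stack = list(bom.get("components") or [])
    while stack:
        comp = stack.pop()
        yield (comp.get("name") or "").strip().lower(), (comp.get("version") or "").strip()
        stack.extend(comp.get("components") or [])


def missing_from_sbom(identified, bom):
    """Return identified (name, version) pairs that the SBOM does not list.

    Names compare case-insensitively and versions exactly, so a component
    listed under a different version is still reported as missing.
    """
    present = set(sbom_components(bom))
    return sorted((name, version) for name, version in identified
                  if (name.strip().lower(), version.strip()) not in present)


if __name__ == "__main__":
    for name, version in missing_from_sbom(IDENTIFIED, SBOM):
        print(f"missing from SBOM: {name} {version}")
```

A non-empty result means the SBOM understates the firmware's software inventory, which is the failure described in this issue.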