CycloneDX / cyclonedx-gomod

Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
https://cyclonedx.org
Apache License 2.0

Incorrect version of xorm dependencies are reported in SBOM #518

Closed shusriva closed 1 month ago

shusriva commented 2 months ago

Hi Team, I am currently working on hardening the grafana image and I found one discrepancy in cyclonedx-gomod. I am using grafana version v10.2.3 and in that version one dependency is used called xorm.io/xorm of version v0.8.2 (https://github.com/grafana/grafana/blob/1e84fede543acc892d2a2515187e545eb047f237/go.mod#L130)

When I run the go scanner on this source code, the SBOM gets generated but with an incorrect component version for xorm.io/xorm.

As the version v10.2.3 doesn't exist for xorm.io, I can't submit the SBOM for further processing.

nscuro commented 2 months ago

Can you share the entire BOM please, and also the command you used to generate it?

Looks like it's picking Grafana's own version instead of xorm's for whatever reason.

shusriva commented 2 months ago

Command to generate BOM: cyclonedx-gomod mod -assert-licenses -json -licenses -output plain-sbom.json .

Entire SBOM: sbom.json

nscuro commented 2 months ago

So the "problem" is that Grafana is replace-ing xorm with a local copy in their own repository: https://github.com/grafana/grafana/blob/1e84fede543acc892d2a2515187e545eb047f237/go.mod#L491-L496

There is no way for us to tell the "correct" version of their xorm copy, hence it's inheriting Grafana's own version.
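
A check a practitioner can run before submitting such a BOM, as an added example that is not part of cyclonedx-gomod or of this thread: it lists every component whose version equals the main module's own version and pairs it with a local replace directive from go.mod, so the inherited version is explained rather than treated as a real xorm.io/xorm release. The sample BOM and go.mod fragment are constructed, and the regex only handles the simple replace forms shown.

```python
import json
import re

# Constructed sample shaped like cyclonedx-gomod JSON output: the in-repo
# copy of xorm carries the main module's version, as this issue reports.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "github.com/grafana/grafana",
                               "version": "v10.2.3"}},
    "components": [
        {"name": "xorm.io/xorm", "version": "v10.2.3",
         "purl": "pkg:golang/xorm.io/xorm@v10.2.3"},
        {"name": "github.com/go-sql-driver/mysql", "version": "v1.7.1"},
    ],
})

# Constructed go.mod fragment with one local (in-repo) replace and one remote one.
SAMPLE_GOMOD = """
module github.com/grafana/grafana

require xorm.io/xorm v0.8.2

replace (
    xorm.io/xorm => ./pkg/util/xorm
)
replace github.com/example/other => github.com/fork/other v1.2.0
"""

def local_replacements(gomod_text: str) -> dict[str, str]:
    """Return {module path: directory} for replace directives whose target is a
    filesystem path (./, ../ or /), i.e. a copy living inside the repository."""
    pattern = r"^[ \t]*(?:replace[ \t]+)?([^\s(]+)(?:[ \t]+\S+)?[ \t]*=>[ \t]*(\S+)"
    out = {}
    for m in re.finditer(pattern, gomod_text, re.M):
        path, target = m.group(1), m.group(2)
        if target.startswith(("./", "../", "/")):
            out[path] = target
    return out

def inherited_versions(bom: dict) -> list[str]:
    """Names of components that carry the main module's own version."""
    main = bom.get("metadata", {}).get("component", {})
    return [c["name"] for c in bom.get("components", [])
            if c.get("version") == main.get("version") and c.get("name") != main.get("name")]

def suspicious_components(bom_json: str, gomod_text: str) -> dict[str, str]:
    """Map each suspect component to the local replace directory that explains
    its version, or to 'unexplained' when go.mod has no local replace for it."""
    local = local_replacements(gomod_text)
    return {name: local.get(name, "unexplained")
            for name in inherited_versions(json.loads(bom_json))}

if __name__ == "__main__":
    for name, why in suspicious_components(SAMPLE_BOM, SAMPLE_GOMOD).items():
        print(f"{name}: version inherited from main module; replace target: {why}")
```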

shusriva commented 1 month ago

Thank you for the information @nscuro. I guess Grafana has some special use case. We have experienced the same behavior for some other components of grafana as well.

Incorrect versions are reported, but we will try to do some workaround from our end. Thank you for your support.