KAWAHARA-souta / alma-sbom

AlmaLinux OS SBOM data management utility.
GNU General Public License v3.0

Cannot generate an SPDX SBOM for libstdc++ #10

Open kawaharasouta opened 3 months ago

kawaharasouta commented 3 months ago

The following error occurs. It does not occur with cyclonedx.

$ python alma_sbom.py --output-file dust --rpm-package-hash 7067dbd995e1cbfa352dc9dc565adcfa4dac252b85f02e0ee47661f7a6d219fd --file-format spdx-json
Traceback (most recent call last):
  File "/home/khwarizmi/work/alma-sbom/alma_sbom.py", line 704, in <module>
    cli_main()
  File "/home/khwarizmi/work/alma-sbom/alma_sbom.py", line 700, in cli_main
    sbom_formatter.run()
  File "/home/khwarizmi/work/alma-sbom/libsbom/spdx.py", line 276, in run
    writer.write_document_to_file(
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/json/json_writer.py", line 38, in write_document_to_file
    write_document_to_stream(document, out, validate, converter, drop_duplicates)
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/json/json_writer.py", line 25, in write_document_to_stream
    document = validate_and_deduplicate(document, validate, drop_duplicates)
  File "/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/spdx_tools/spdx/writer/write_utils.py", line 17, in validate_and_deduplicate
    raise ValueError(f"Document is not valid. The following errors were detected: {validation_messages}")
ValueError: Document is not valid. The following errors were detected: [ValidationMessage(validation_message='externalPackageRef locator of type "cpe23Type" must conform with the regex ^cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\\\'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\\\'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){4}$, but is: cpe:2.3:a:almalinux:libstdc++:0\\:11.3.1-4.3.el9.alma:*:*:*:*:*:*:*', context=ValidationContext(spdx_id=None, parent_id='SPDXRef-0', element_type=<SpdxElementType.EXTERNAL_PACKAGE_REF: 5>, full_element=ExternalPackageRef(category=<ExternalPackageRefCategory.SECURITY: 1>, reference_type='cpe23Type', locator='cpe:2.3:a:almalinux:libstdc++:0\\:11.3.1-4.3.el9.alma:*:*:*:*:*:*:*', comment=None)))]
$ python alma_sbom.py --output-file dust --rpm-package-hash 7067dbd995e1cbfa352dc9dc565adcfa4dac252b85f02e0ee47661f7a6d219fd --file-format cyclonedx-json
/home/khwarizmi/work/alma-sbom/env/lib64/python3.9/site-packages/cyclonedx/model/bom.py:401: UserWarning: The Component this BOM is describing (PURL=pkg:rpm/almalinux/libstdc%2B%2B@11.3.1-4.3.el9.alma?arch=i686&epoch=0&upstream=gcc-11.3.1-4.3.el9.alma.src.rpm) has no defined dependencies which means the Dependency Graph is incomplete - you should add direct dependencies to this Component to complete the Dependency Graph data.
  warnings.warn(

It looks like this is caught by the validation check that spdx_tools runs when writing the SPDX document. The CPE is invalid.

I looked into it briefly; the "+" in "libstdc++" is probably the problem. Some handling such as escaping it may be needed.

I also want to check what the CPE that refers to libstdc++ looks like in ordinary distributions.
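As an added example (not part of this issue or of alma-sbom's own code), the escaping hinted at above can be applied once per attribute value when the locator is built, and the result checked against the same CPE 2.3 formatted-string grammar spdx_tools enforces. The field layout of rpm_cpe23 (part, vendor, RPM name, then epoch:version-release as the version attribute) is an assumption taken from the locator in the traceback.

```python
import re

# Grammar of one CPE 2.3 attribute value (assumption: transcribed from the regex
# in the traceback above): optional leading wildcard, one or more plain or
# backslash-escaped characters, optional trailing wildcard, or bare ANY/NA.
_AV = (r"(?:(?:\?*|\*?)(?:[a-zA-Z0-9\-\._]"
       r"|\\[\\\*\?!\"#$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~])+(?:\?*|\*?)|[\*\-])")
_LANG = r"(?:[a-zA-Z]{2,3}(?:-(?:[a-zA-Z]{2}|[0-9]{3}))?|[\*\-])"
CPE23_RE = re.compile(r"^cpe:2\.3:[aho\*\-](?::" + _AV + r"){5}:" + _LANG
                      + r"(?::" + _AV + r"){4}$")

# Punctuation that must be backslash-escaped inside a value ('-', '.', '_' are free).
CPE23_SPECIAL = "\\*?!\"#$%&'()+,/:;<=>@[]^`{|}~"


def escape_cpe23_value(value: str) -> str:
    """Escape one attribute value once, at the component level, so '+' in
    'libstdc++' becomes '\\+' and ':' in an epoch:version string becomes '\\:'."""
    if value == "":
        return "*"                       # empty attribute -> ANY
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in "-._":
            out.append(ch)
        elif ch in CPE23_SPECIAL:
            out.append("\\" + ch)
        else:
            raise ValueError(f"{ch!r} is not allowed in a CPE 2.3 value")
    return "".join(out)


def rpm_cpe23(vendor: str, name: str, epoch, version: str, release: str) -> str:
    """Lay the locator out as in the traceback (assumption): part 'a', vendor,
    RPM name, then 'epoch:version-release' as the version attribute, with a
    missing epoch normalised to 0 before escaping."""
    if epoch in (None, "", "(none)"):
        epoch = 0
    evr = f"{epoch}:{version}-{release}"
    fields = ["a", escape_cpe23_value(vendor), escape_cpe23_value(name),
              escape_cpe23_value(evr)] + ["*"] * 7
    return "cpe:2.3:" + ":".join(fields)


def is_valid_cpe23(cpe: str) -> bool:
    return CPE23_RE.fullmatch(cpe) is not None


if __name__ == "__main__":
    good = rpm_cpe23("almalinux", "libstdc++", None, "11.3.1", "4.3.el9.alma")
    bad = good.replace(r"\+\+", "++")    # the unescaped form from the traceback
    print(good, is_valid_cpe23(good), bad, is_valid_cpe23(bad))
```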

kawaharasouta commented 3 months ago

The assumption above was roughly correct. With a patch like the following, an SBOM for libstdc++ can be generated for now as well.

$ git diff  
diff --git a/libsbom/common.py b/libsbom/common.py 
index 74d03fa..c3dc444 100644
--- a/libsbom/common.py
+++ b/libsbom/common.py
@@ -41,6 +41,7 @@ def normalize_epoch_in_cpe(cpe: str) -> str:
     patterns = {
         ':None\\:':   ':0\\:',
         ':(none)\\:': ':0\\:',
+        '+': '\\+',
     }

     return replace_patterns(input_str=cpe,
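Review bot: the new `'+': '\\+'` entry rewrites every bare `+` in the whole CPE string after it has been assembled, so, assuming replace_patterns is a plain substitution, it is not idempotent: a locator that already carries an escaped `\+` (for instance when normalize_epoch_in_cpe is applied a second time to its own output) becomes `\\+` and fails the same validator. The safer fix is to escape each attribute value once where the CPE is built, following the CPE 2.3 formatted-string rule that `+` and the other punctuation characters must be backslash-escaped; the function name normalize_epoch_in_cpe also no longer describes what the patterns table does, so at least add a comment, or rename it.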
kawaharasouta commented 2 months ago

Fixed in the following commit: https://github.com/kawaharasouta/alma-sbom/commit/01215ef599a3b0227bf8166130862705ce6fbfcc

Note: the branch is https://github.com/kawaharasouta/alma-sbom/tree/fix_incomplete_metadata