RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Invalid CycloneDX output #397

Closed bretik closed 1 year ago

bretik commented 1 year ago

Retire.js version: (retire --version): 3.2.1

node version: (node --version): v18.13.0

Type: Bug

Description: Using the following command, Retire.js generates an invalid CycloneDX SBOM: retire --exitwith 0 --verbose --outputformat cyclonedxJSON --js --jspath jquery --outputpath sbom/sbom-jquery.json

The components array is "duplicated":

  "components": [
    [
      { ... }
    ]
  ]

Using a JSON schema validator results in an error:

https://www.jsonschemavalidator.net/s/nWflHPw8

Expected behaviour: SBOM will be valid against the schema

Workaround: The output can be fixed using jq: cat sbom.json | jq ".components = .components[0]" > sbom-fixed.json

eoftedal commented 1 year ago

Hmm. The test must be broken then. Will have a look. Thanks.

bretik commented 1 year ago

Yeah, I had time to look at the test and it looks like it does not add any components to the output, so it tests only an empty array of identified libraries, which is valid.

Using .flat() on the components in cyclonedx-json.js might solve the issue, but there is another one - if the condition for an already seen component is true, then an empty string is added to the array instead of not adding anything (if (seen[purl]) return "";), so it needs to be filtered out too.
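
The nested components array and the stray empty string described in this thread, reproduced on a constructed input, as an added example that is not retire.js's own code; the findings shape, toPurl and the helper names are assumptions.

```javascript
// Constructed sample input (not real retire.js output): one result list per
// scanned file; jquery is reported from two files, so it must be de-duplicated.
const findings = [
  { file: "jquery/a.js", results: [{ component: "jquery", version: "1.12.4" }] },
  { file: "jquery/b.js", results: [
    { component: "jquery", version: "1.12.4" },
    { component: "lodash", version: "4.17.20" },
  ] },
];

const toPurl = (r) => `pkg:npm/${r.component}@${r.version}`;
const toComponent = (r) => ({ type: "library", name: r.component, version: r.version, purl: toPurl(r) });

// Buggy shape, as reported in the issue: the outer map yields one array per file
// (so "components" becomes an array of arrays), and the duplicate check returns
// "" instead of skipping, so an empty string lands in the output.
function buildComponentsBuggy(findings) {
  const seen = {};
  return findings.map((f) => f.results.map((r) => {
    const purl = toPurl(r);
    if (seen[purl]) return "";
    seen[purl] = true;
    return toComponent(r);
  }));
}

// Fixed shape: one flat array, duplicates skipped rather than replaced by "".
function buildComponentsFixed(findings) {
  const seen = new Set();
  const out = [];
  for (const f of findings) {
    for (const r of f.results) {
      const purl = toPurl(r);
      if (seen.has(purl)) continue;
      seen.add(purl);
      out.push(toComponent(r));
    }
  }
  return out;
}

// Repair of already-produced output: the .flat() plus filter suggested above.
function repairComponents(components) {
  return components.flat().filter((c) => c !== "");
}

// Structural check standing in for the CycloneDX schema: "components" must be a
// flat array of objects, each carrying a string purl.
function componentsLookValid(components) {
  return Array.isArray(components) && components.every(
    (c) => c !== null && typeof c === "object" && !Array.isArray(c) && typeof c.purl === "string",
  );
}
```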

eoftedal commented 1 year ago

Thanks, that '' was a copy/paste bug from the XML output. I really should rewrite to TypeScript at some point...

eoftedal commented 1 year ago

Fixed the bug in the test as well, and it's now passing with components in it.