Closed mtcolman closed 9 months ago
Hi, after further testing with output.sarif
file I've found this:
python3.10/site-packages/cyclonedx/model/bom.py", line 535, in register_dependency
ref=target.bom_ref,
AttributeError: 'NoneType' object has no attribute 'bom_ref'
Is related to not having versionControlProvenance
in the output.sarif
file - I'm not sure how to get this in the file though?
Relevent code items are: main.py
def _read_file(query_file, exclusion_pattern=None):
with open(query_file) as query_output:
query_output = json.load(query_output)['runs'][0]
if file_count < 2:
if version_control_details := query_output.get('versionControlProvenance'):
root_component = metadata.get_root_component_info(version_control_details=version_control_details[0])
cbom.metadata.component = root_component
for tool in metadata.get_tool_info(tool_info=query_output['tool']):
cbom.metadata.tools.add(tool)
metadata.py
def get_root_component_info(version_control_details):
path = version_control_details['repositoryUri'].split('https://github.com/')[1]
external_reference = ExternalReference(url=version_control_details['repositoryUri'], type=ExternalReferenceType.SCM)
return Component(
bom_ref=path,
name=path.split('/')[-1],
type=ComponentType.APPLICATION,
external_references=[external_reference]
Which means that when if not (existing_component
occurs, the cbom.metadata.component
is None
for the call to cbom.register_dependency
which then results in the error.)
algorithm.py
def parse_algorithm(cbom, codeql_result):
crypto_properties = _generate_crypto_component(codeql_result)
if (padding := crypto_properties.algorithm_properties.padding) not in [Padding.OTHER, Padding.UNKNOWN]:
name = f'{crypto_properties.algorithm_properties.variant}-{padding.value.upper()}'
else:
name = crypto_properties.algorithm_properties.variant
algorithm_component = Component(
bom_ref=f'cryptography:algorithm:{uuid.uuid4()}',
name=name,
type=ComponentType.CRYPTO_ASSET,
crypto_properties=crypto_properties
)
if not (existing_component := _is_existing_component_overlap(cbom, algorithm_component)):
cbom.components.add(algorithm_component)
cbom.register_dependency(cbom.metadata.component, depends_on=[algorithm_component])
else:
algorithm_component = _update_existing_component(existing_component, algorithm_component)
Hi,
The input needs to be in SARIF, and it can be either a single file or split between several. It's intended to parse the output from queries for identifying crypto assets. The Python ones for example can be seen here, or for instructions on using them with GitHub Actions, look at this.
The code snippets are used to gather additional information about crypto assets when adding them to the CBOM, so yeah, you should be using --sarif-add-snippets
.
The expected format of the input SARIF has so far been based on some sample output from the queries that has always included this information, but it looks like versionControlProvenance
is not a standard key according to this.
I've now updated it accordingly so that the application name, which is a required a field when generating a root component, can optionally be passed in via --application-name
, or if not, a default component will be created with the name root
. Try again with version 1.0.1.
Thanks!
Thank you. I've tried 1.0.1 and was able to use an output.sarif
file that did not contain versionControlProvenance
.
Hello, more of a query than an issue. The instructions say:
But I'm unsure what this equates to? A
.sarif
file ,.bqrs
file? And does a particular query have to have been run to form it?I've tried running with
.sarif
files but get:my
.sarif
file is sarif-2.1.0:I've then rerun my
.sarif
file generation and included the flag--sarif-add-snippets
and then run the command again:And on a directory containing
.bqrs
files and I get the following which looks rather empty:Thanks in advance.