Open metametadata opened 1 month ago
It looks like the significant difference between SBOMs is that cdxgen splits the name and group. I see a similar problem with SBOMs generated from pnpm-lock.yaml.

SBOM by cdxgen:

```json
"group": "@colors",
"name": "colors",
"version": "1.5.0",
```

SBOM by Syft:

```json
"name": "@colors/colors",
"version": "1.5.0",
```

This leads to a false positive https://github.com/advisories/GHSA-gh88-3pxp-6fm8 on scanning cdxgen's SBOM:

```
NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
colors  1.5.0                npm   GHSA-gh88-3pxp-6fm8  High
```
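To make the identity mismatch concrete, here is an added example (not code from the issue, Grype, Syft or cdxgen) that loads two constructed CycloneDX fragments modelled on the snippets above and reports, per identity scheme, which components appear in only one SBOM. Keying on the bare `name` field makes the two SBOMs disagree; joining `group` and `name`, or using `purl`, makes them agree.

```python
"""Compare component identities across two CycloneDX SBOMs.

Constructed sample SBOM fragments modelled on the snippets in this issue:
cdxgen emits separate "group" and "name" fields, Syft puts the scoped
package name in "name" alone. A matcher that keys on "name" only sees
"colors" in one SBOM and "@colors/colors" in the other.
"""
import json

# Constructed cdxgen-style fragment: group and name are separate fields.
CDXGEN_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "@colors", "name": "colors", "version": "1.5.0",
     "purl": "pkg:npm/%40colors/colors@1.5.0"},
    {"group": "bower-asset", "name": "inputmask", "version": "5.0.9",
     "purl": "pkg:composer/bower-asset/inputmask@5.0.9"}
  ]
}""")

# Constructed Syft-style fragment: the full scoped name sits in "name".
SYFT_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "@colors/colors", "version": "1.5.0",
     "purl": "pkg:npm/%40colors/colors@1.5.0"},
    {"name": "bower-asset/inputmask", "version": "5.0.9",
     "purl": "pkg:composer/bower-asset/inputmask@5.0.9"}
  ]
}""")


def qualified_name(component: dict) -> str:
    """Join CycloneDX group and name the way the ecosystem writes them.

    npm scopes are "@scope/name" and Composer vendors are "vendor/name";
    both use "/" as the separator, so a plain join recovers the full name.
    """
    group = component.get("group") or ""
    name = component["name"]
    return f"{group}/{name}" if group else name


def bare_name(component: dict) -> str:
    """What a matcher sees when it keys on the "name" field alone."""
    return component["name"]


def identity_set(sbom: dict, key_fn) -> set:
    """Set of (identity, version) pairs for every component in an SBOM."""
    return {(key_fn(c), c.get("version", "")) for c in sbom.get("components", [])}


def purl_set(sbom: dict) -> set:
    """purl is the most reliable cross-tool key when both tools emit it."""
    return {c["purl"] for c in sbom.get("components", []) if c.get("purl")}


def compare(sbom_a: dict, sbom_b: dict) -> dict:
    """Report, per identity scheme, the components present in only one SBOM.

    An empty list means the scheme gives a consistent view of both SBOMs, so
    a scanner keyed on it would match them against the same advisories.
    """
    report = {}
    for scheme, key_fn in (("bare_name", bare_name), ("qualified_name", qualified_name)):
        a, b = identity_set(sbom_a, key_fn), identity_set(sbom_b, key_fn)
        report[scheme] = sorted(a ^ b)  # symmetric difference
    report["purl"] = sorted(purl_set(sbom_a) ^ purl_set(sbom_b))
    return report


if __name__ == "__main__":
    for scheme, diff in compare(CDXGEN_SBOM, SYFT_SBOM).items():
        print(f"{scheme}: {'consistent' if not diff else diff}")
```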
What happened:

I'm working on detecting vulns in a PHP project and I get quite different results when scanning, and I'm not sure if it's expected or whether there could be something to improve in Grype, Syft or cdxgen. I've created a minimal example to demonstrate the problem.

cdxgen + Grype:

Syft + Grype:

As we can see, completely different vulns are detected.

What you expected to happen:

Same results in both scenarios.

How to reproduce it (as minimally and precisely as possible):

PHP `composer.json`:

`composer.lock` generated via `composer update --no-install`:
``` { "_readme": [ "This file locks the dependencies of your project to a known state", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], "content-hash": "de1bd552949dd523bc63bbf9630f3ab5", "packages": [ { "name": "bower-asset/inputmask", "version": "5.0.9", "source": { "type": "git", "url": "https://github.com/RobinHerbots/Inputmask.git", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/310a33557e2944daf86d5946a5e8c82b9118f8f7", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "require": { "bower-asset/jquery": ">=1.7" }, "type": "bower-asset", "license": [ "http://opensource.org/licenses/mit-license.php" ] }, { "name": "bower-asset/jquery", "version": "3.7.1", "source": { "type": "git", "url": "https://github.com/jquery/jquery-dist.git", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/jquery/jquery-dist/zipball/fde1f76e2799dd877c176abde0ec836553246991", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "bower-asset/punycode", "version": "v2.2.3", "source": { "type": "git", "url": "https://github.com/mathiasbynens/punycode.js.git", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/mathiasbynens/punycode.js/zipball/46d412120e2feb868876769a9847790ba278c882", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "type": "bower-asset" }, { "name": "bower-asset/yii2-pjax", "version": "2.0.8", "source": { "type": "git", "url": "git@github.com:yiisoft/jquery-pjax.git", "reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/jquery-pjax/zipball/a9298d57da63d14a950f1b94366a864bc62264fb", 
"reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "require": { "bower-asset/jquery": ">=1.8" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "cebe/markdown", "version": "1.2.1", "source": { "type": "git", "url": "https://github.com/cebe/markdown.git", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/cebe/markdown/zipball/9bac5e971dd391e2802dca5400bbeacbaea9eb86", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86", "shasum": "" }, "require": { "lib-pcre": "*", "php": ">=5.4.0" }, "require-dev": { "cebe/indent": "*", "facebook/xhprof": "*@dev", "phpunit/phpunit": "4.1.*" }, "bin": [ "bin/markdown" ], "type": "library", "extra": { "branch-alias": { "dev-master": "1.2.x-dev" } }, "autoload": { "psr-4": { "cebe\\markdown\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "http://cebe.cc/", "role": "Creator" } ], "description": "A super fast, highly extensible markdown parser for PHP", "homepage": "https://github.com/cebe/markdown#readme", "keywords": [ "extensible", "fast", "gfm", "markdown", "markdown-extra" ], "support": { "issues": "https://github.com/cebe/markdown/issues", "source": "https://github.com/cebe/markdown" }, "time": "2018-03-26T11:24:36+00:00" }, { "name": "ezyang/htmlpurifier", "version": "v4.17.0", "source": { "type": "git", "url": "https://github.com/ezyang/htmlpurifier.git", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c", "shasum": "" }, "require": { "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0" }, "require-dev": { "cerdic/css-tidy": "^1.7 || ^2.0", "simpletest/simpletest": 
"dev-master" }, "suggest": { "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.", "ext-bcmath": "Used for unit conversion and imagecrash protection", "ext-iconv": "Converts text to and from non-UTF-8 encodings", "ext-tidy": "Used for pretty-printing HTML" }, "type": "library", "autoload": { "files": [ "library/HTMLPurifier.composer.php" ], "psr-0": { "HTMLPurifier": "library/" }, "exclude-from-classmap": [ "/library/HTMLPurifier/Language/" ] }, "notification-url": "https://packagist.org/downloads/", "license": [ "LGPL-2.1-or-later" ], "authors": [ { "name": "Edward Z. Yang", "email": "admin@htmlpurifier.org", "homepage": "http://ezyang.com" } ], "description": "Standards compliant HTML filter written in PHP", "homepage": "http://htmlpurifier.org/", "keywords": [ "html" ], "support": { "issues": "https://github.com/ezyang/htmlpurifier/issues", "source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0" }, "time": "2023-11-17T15:01:25+00:00" }, { "name": "paragonie/random_compat", "version": "v9.99.100", "source": { "type": "git", "url": "https://github.com/paragonie/random_compat.git", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a", "shasum": "" }, "require": { "php": ">= 7" }, "require-dev": { "phpunit/phpunit": "4.*|5.*", "vimeo/psalm": "^1" }, "suggest": { "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." 
}, "type": "library", "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Paragon Initiative Enterprises", "email": "security@paragonie.com", "homepage": "https://paragonie.com" } ], "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", "keywords": [ "csprng", "polyfill", "pseudorandom", "random" ], "support": { "email": "info@paragonie.com", "issues": "https://github.com/paragonie/random_compat/issues", "source": "https://github.com/paragonie/random_compat" }, "time": "2020-10-15T08:29:30+00:00" }, { "name": "yiisoft/yii2", "version": "2.0.49.2", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-framework.git", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/7d38bf7584acbe838a8d08e40e949b6393162441", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441", "shasum": "" }, "require": { "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ", "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable", "bower-asset/punycode": "1.3.* | 2.2.*", "bower-asset/yii2-pjax": "~2.0.1", "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0", "ext-ctype": "*", "ext-mbstring": "*", "ezyang/htmlpurifier": "^4.6", "lib-pcre": "*", "paragonie/random_compat": ">=1", "php": ">=5.4.0", "yiisoft/yii2-composer": "~2.0.4" }, "bin": [ "yii" ], "type": "library", "extra": { "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com", "homepage": "https://www.yiiframework.com/", "role": "Founder and project lead" }, { "name": "Alexander Makarov", "email": "sam@rmcreative.ru", "homepage": 
"https://rmcreative.ru/", "role": "Core framework development" }, { "name": "Maurizio Domba", "homepage": "http://mdomba.info/", "role": "Core framework development" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "https://www.cebe.cc/", "role": "Core framework development" }, { "name": "Timur Ruziev", "email": "resurtm@gmail.com", "homepage": "http://resurtm.com/", "role": "Core framework development" }, { "name": "Paul Klimov", "email": "klimov.paul@gmail.com", "role": "Core framework development" }, { "name": "Dmitry Naumenko", "email": "d.naumenko.a@gmail.com", "role": "Core framework development" }, { "name": "Boudewijn Vahrmeijer", "email": "info@dynasource.eu", "homepage": "http://dynasource.eu", "role": "Core framework development" } ], "description": "Yii PHP Framework Version 2", "homepage": "https://www.yiiframework.com/", "keywords": [ "framework", "yii2" ], "support": { "forum": "https://forum.yiiframework.com/", "irc": "ircs://irc.libera.chat:6697/yii", "issues": "https://github.com/yiisoft/yii2/issues?state=open", "source": "https://github.com/yiisoft/yii2", "wiki": "https://www.yiiframework.com/wiki" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2", "type": "tidelift" } ], "time": "2023-10-12T15:46:26+00:00" }, { "name": "yiisoft/yii2-composer", "version": "2.0.10", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-composer.git", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-composer/zipball/94bb3f66e779e2774f8776d6e1bdeab402940510", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510", "shasum": "" }, "require": { "composer-plugin-api": "^1.0 | ^2.0" }, "require-dev": { "composer/composer": "^1.0 | ^2.0@dev", "phpunit/phpunit": "<7" }, "type": 
"composer-plugin", "extra": { "class": "yii\\composer\\Plugin", "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\composer\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc" } ], "description": "The composer plugin for Yii extension installer", "keywords": [ "composer", "extension installer", "yii2" ], "support": { "forum": "http://www.yiiframework.com/forum/", "irc": "irc://irc.freenode.net/yii", "issues": "https://github.com/yiisoft/yii2-composer/issues", "source": "https://github.com/yiisoft/yii2-composer", "wiki": "http://www.yiiframework.com/wiki/" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer", "type": "tidelift" } ], "time": "2020-06-24T00:04:01+00:00" } ], "packages-dev": [], "aliases": [], "minimum-stability": "stable", "stability-flags": [], "prefer-stable": false, "prefer-lowest": false, "platform": [], "platform-dev": [], "plugin-api-version": "2.6.0" } ```Commands to generate SBOMs:
Generated `cdxgen.json` SBOM:
```json { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:f108f84c-51a3-4f75-84ae-27eaf31d1390", "version": 1, "metadata": { "timestamp": "2024-08-06T22:07:01Z", "tools": { "components": [ { "group": "@cyclonedx", "name": "cdxgen", "version": "10.8.1", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.8.1", "type": "application", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.8.1", "author": "OWASP Foundation", "publisher": "OWASP Foundation" } ] }, "authors": [ { "name": "OWASP Foundation" } ], "lifecycles": [ { "phase": "build" } ], "component": { "group": "example", "name": "php_sbom_issue", "type": "application", "version": "latest", "bom-ref": "pkg:composer/example/php_sbom_issue@latest", "purl": "pkg:composer/example/php_sbom_issue%40latest", "components": [ { "group": "", "name": "composer_issue", "version": "latest", "type": "application", "bom-ref": "pkg:gem/composer_issue@latest", "purl": "pkg:gem/composer_issue@latest" } ] }, "properties": [ { "name": "cdx:bom:componentTypes", "value": "composer" }, { "name": "cdx:bom:componentNamespaces", "value": "bower-asset\\ncebe\\nezyang\\nparagonie\\nyiisoft" } ] }, "components": [ { "group": "bower-asset", "name": "inputmask", "version": "5.0.9", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "http://opensource.org/licenses/mit-license.php" } } ], "purl": "pkg:composer/bower-asset/inputmask@5.0.9", "externalReferences": [ { "type": "vcs", "url": "https://github.com/RobinHerbots/Inputmask.git" } ], "type": "library", "bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "jquery", "version": "3.7.1", "scope": "required", "licenses": [ { "license": { "id": 
"MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/bower-asset/jquery@3.7.1", "externalReferences": [ { "type": "vcs", "url": "https://github.com/jquery/jquery-dist.git" } ], "type": "framework", "bom-ref": "pkg:composer/bower-asset/jquery@3.7.1", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "punycode", "version": "v2.2.3", "scope": "required", "purl": "pkg:composer/bower-asset/punycode@v2.2.3", "externalReferences": [ { "type": "vcs", "url": "https://github.com/mathiasbynens/punycode.js.git" } ], "type": "library", "bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "yii2-pjax", "version": "2.0.8", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "type": "library", "bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "cebe", "name": "markdown", "version": "1.2.1", "description": "A super fast, highly extensible markdown parser for PHP", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": 
"https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/cebe/markdown@1.2.1", "externalReferences": [ { "type": "vcs", "url": "https://github.com/cebe/markdown.git" } ], "type": "library", "bom-ref": "pkg:composer/cebe/markdown@1.2.1", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "cebe\\markdown\\" } ] }, { "group": "ezyang", "name": "htmlpurifier", "version": "v4.17.0", "description": "Standards compliant HTML filter written in PHP", "scope": "required", "licenses": [ { "license": { "id": "LGPL-2.1-or-later", "url": "https://opensource.org/licenses/LGPL-2.1-or-later" } } ], "purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "externalReferences": [ { "type": "vcs", "url": "https://github.com/ezyang/htmlpurifier.git" } ], "type": "library", "bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "HTMLPurifier" } ] }, { "group": "paragonie", "name": "random_compat", "version": "v9.99.100", "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/paragonie/random_compat@v9.99.100", "externalReferences": [ { "type": "vcs", "url": "https://github.com/paragonie/random_compat.git" } ], "type": "library", "bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100", "evidence": { "identity": { "field": "purl", 
"confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "yiisoft", "name": "yii2", "version": "2.0.49.2", "description": "Yii PHP Framework Version 2", "scope": "required", "licenses": [ { "license": { "id": "BSD-3-Clause", "url": "https://opensource.org/licenses/BSD-3-Clause" } } ], "purl": "pkg:composer/yiisoft/yii2@2.0.49.2", "externalReferences": [ { "type": "vcs", "url": "https://github.com/yiisoft/yii2-framework.git" } ], "type": "framework", "bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "yii\\" } ] }, { "group": "yiisoft", "name": "yii2-composer", "version": "2.0.10", "description": "The composer plugin for Yii extension installer", "scope": "required", "licenses": [ { "license": { "id": "BSD-3-Clause", "url": "https://opensource.org/licenses/BSD-3-Clause" } } ], "purl": "pkg:composer/yiisoft/yii2-composer@2.0.10", "externalReferences": [ { "type": "vcs", "url": "https://github.com/yiisoft/yii2-composer.git" } ], "type": "framework", "bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "yii\\composer\\" } ] } ], "services": [], "dependencies": [ { "ref": "pkg:composer/example/php_sbom_issue@latest", "dependsOn": [ 
"pkg:composer/yiisoft/yii2@2.0.49.2" ] }, { "ref": "pkg:composer/bower-asset/inputmask@5.0.9", "dependsOn": [ "pkg:composer/bower-asset/jquery@3.7.1" ] }, { "ref": "pkg:composer/bower-asset/jquery@3.7.1", "dependsOn": [] }, { "ref": "pkg:composer/bower-asset/punycode@v2.2.3", "dependsOn": [] }, { "ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "dependsOn": [ "pkg:composer/bower-asset/jquery@3.7.1" ] }, { "ref": "pkg:composer/cebe/markdown@1.2.1", "dependsOn": [] }, { "ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "dependsOn": [] }, { "ref": "pkg:composer/paragonie/random_compat@v9.99.100", "dependsOn": [] }, { "ref": "pkg:composer/yiisoft/yii2@2.0.49.2", "dependsOn": [ "pkg:composer/bower-asset/inputmask@5.0.9", "pkg:composer/bower-asset/jquery@3.7.1", "pkg:composer/bower-asset/punycode@v2.2.3", "pkg:composer/bower-asset/yii2-pjax@2.0.8", "pkg:composer/cebe/markdown@1.2.1", "pkg:composer/ezyang/htmlpurifier@v4.17.0", "pkg:composer/paragonie/random_compat@v9.99.100", "pkg:composer/yiisoft/yii2-composer@2.0.10" ] }, { "ref": "pkg:composer/yiisoft/yii2-composer@2.0.10", "dependsOn": [] } ] } ```Generated
`syft.json` SBOM:
```json { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:93dd2a98-ace9-48b4-8a3d-f9c21b6f5925", "version": 1, "metadata": { "timestamp": "2024-08-07T01:07:10+03:00", "tools": { "components": [ { "type": "application", "author": "anchore", "name": "syft", "version": "1.9.0" } ] }, "component": { "bom-ref": "280526f80efd5b66", "type": "file", "name": "composer.lock", "version": "sha256:fa49da4efa632d3f4871a5faaf2b891adddcb25024d480decb71cb7921139eb7" } }, "components": [ { "bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9?package-id=f8aba670d7b79f5d", "type": "library", "name": "bower-asset/inputmask", "version": "5.0.9", "licenses": [ { "license": { "name": "http://opensource.org/licenses/mit-license.php" } } ], "cpe": "cpe:2.3:a:bower-asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/inputmask@5.0.9", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/jquery@3.7.1?package-id=c88c3e90f3660303", "type": "library", "name": "bower-asset/jquery", "version": "3.7.1", 
"licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:bower-asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/jquery@3.7.1", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3?package-id=9852900b72cb9bf9", "type": "library", "name": "bower-asset/punycode", "version": "v2.2.3", "cpe": "cpe:2.3:a:bower-asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/punycode@v2.2.3", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": 
"cpe:2.3:a:bower:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8?package-id=3678ef28348a125a", "type": "library", "name": "bower-asset/yii2-pjax", "version": "2.0.8", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/cebe/markdown@1.2.1?package-id=56cffb7a90fbdc65", "type": 
"library", "name": "cebe/markdown", "version": "1.2.1", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:cebe\\/markdown:cebe\\/markdown:1.2.1:*:*:*:*:*:*:*", "purl": "pkg:composer/cebe/markdown@1.2.1", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0?package-id=1a01f1ab7bc76032", "type": "library", "name": "ezyang/htmlpurifier", "version": "v4.17.0", "licenses": [ { "license": { "id": "LGPL-2.1-or-later" } } ], "cpe": "cpe:2.3:a:ezyang\\/htmlpurifier:ezyang\\/htmlpurifier:v4.17.0:*:*:*:*:*:*:*", "purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100?package-id=dc7a937336b89997", "type": "library", "name": "paragonie/random_compat", "version": "v9.99.100", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*", "purl": "pkg:composer/paragonie/random_compat@v9.99.100", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": 
"cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2?package-id=69ac11cfcc2cf90c", "type": "library", "name": "yiisoft/yii2", "version": "2.0.49.2", "licenses": [ { "license": { "id": "BSD-3-Clause" } } ], "cpe": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2:2.0.49.2:*:*:*:*:*:*:*", "purl": "pkg:composer/yiisoft/yii2@2.0.49.2", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10?package-id=9e649fc0c2007f55", "type": "library", "name": "yiisoft/yii2-composer", "version": "2.0.10", "licenses": [ { "license": { "id": "BSD-3-Clause" } } ], "cpe": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*", "purl": "pkg:composer/yiisoft/yii2-composer@2.0.10", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": 
"cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] } ] } ```Anything else we need to know?:
It looks like the significant difference between SBOMs is that cdxgen splits the name and group:

OTOH, Syft doesn't:

Other scanners (osv-scanner, Trivy, `composer audit`) detect only Yii2 vulns in `composer.lock`.

Environment:

`grype version`: