Open metametadata opened 3 months ago
I see a similar problem with SBOMs generated from `pnpm-lock.yaml` instead of `composer.lock`:
@kzantow can you please assign this?
Hey @gagandeepp - this issue is marked as good-first-issue as an opportunity for new contributors to get started. We generally don't assign these, as they're generally determined not to require urgent attention.
If you're affected by this issue and would like to work on it, or can find someone else who will, I'm sure the team would happily assist.
What happened:
What you expected to happen:
No unexpected
[0000] INFO &[Location<RealPath="/composer.lock">]
log lines.
How to reproduce it (as minimally and precisely as possible):
PHP `composer.json`:
`composer.lock` generated via `composer update --no-install`:
``` { "_readme": [ "This file locks the dependencies of your project to a known state", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], "content-hash": "de1bd552949dd523bc63bbf9630f3ab5", "packages": [ { "name": "bower-asset/inputmask", "version": "5.0.9", "source": { "type": "git", "url": "https://github.com/RobinHerbots/Inputmask.git", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/310a33557e2944daf86d5946a5e8c82b9118f8f7", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "require": { "bower-asset/jquery": ">=1.7" }, "type": "bower-asset", "license": [ "http://opensource.org/licenses/mit-license.php" ] }, { "name": "bower-asset/jquery", "version": "3.7.1", "source": { "type": "git", "url": "https://github.com/jquery/jquery-dist.git", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/jquery/jquery-dist/zipball/fde1f76e2799dd877c176abde0ec836553246991", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "bower-asset/punycode", "version": "v2.2.3", "source": { "type": "git", "url": "https://github.com/mathiasbynens/punycode.js.git", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/mathiasbynens/punycode.js/zipball/46d412120e2feb868876769a9847790ba278c882", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "type": "bower-asset" }, { "name": "bower-asset/yii2-pjax", "version": "2.0.8", "source": { "type": "git", "url": "git@github.com:yiisoft/jquery-pjax.git", "reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/jquery-pjax/zipball/a9298d57da63d14a950f1b94366a864bc62264fb", 
"reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "require": { "bower-asset/jquery": ">=1.8" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "cebe/markdown", "version": "1.2.1", "source": { "type": "git", "url": "https://github.com/cebe/markdown.git", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/cebe/markdown/zipball/9bac5e971dd391e2802dca5400bbeacbaea9eb86", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86", "shasum": "" }, "require": { "lib-pcre": "*", "php": ">=5.4.0" }, "require-dev": { "cebe/indent": "*", "facebook/xhprof": "*@dev", "phpunit/phpunit": "4.1.*" }, "bin": [ "bin/markdown" ], "type": "library", "extra": { "branch-alias": { "dev-master": "1.2.x-dev" } }, "autoload": { "psr-4": { "cebe\\markdown\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "http://cebe.cc/", "role": "Creator" } ], "description": "A super fast, highly extensible markdown parser for PHP", "homepage": "https://github.com/cebe/markdown#readme", "keywords": [ "extensible", "fast", "gfm", "markdown", "markdown-extra" ], "support": { "issues": "https://github.com/cebe/markdown/issues", "source": "https://github.com/cebe/markdown" }, "time": "2018-03-26T11:24:36+00:00" }, { "name": "ezyang/htmlpurifier", "version": "v4.17.0", "source": { "type": "git", "url": "https://github.com/ezyang/htmlpurifier.git", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c", "shasum": "" }, "require": { "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0" }, "require-dev": { "cerdic/css-tidy": "^1.7 || ^2.0", "simpletest/simpletest": 
"dev-master" }, "suggest": { "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.", "ext-bcmath": "Used for unit conversion and imagecrash protection", "ext-iconv": "Converts text to and from non-UTF-8 encodings", "ext-tidy": "Used for pretty-printing HTML" }, "type": "library", "autoload": { "files": [ "library/HTMLPurifier.composer.php" ], "psr-0": { "HTMLPurifier": "library/" }, "exclude-from-classmap": [ "/library/HTMLPurifier/Language/" ] }, "notification-url": "https://packagist.org/downloads/", "license": [ "LGPL-2.1-or-later" ], "authors": [ { "name": "Edward Z. Yang", "email": "admin@htmlpurifier.org", "homepage": "http://ezyang.com" } ], "description": "Standards compliant HTML filter written in PHP", "homepage": "http://htmlpurifier.org/", "keywords": [ "html" ], "support": { "issues": "https://github.com/ezyang/htmlpurifier/issues", "source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0" }, "time": "2023-11-17T15:01:25+00:00" }, { "name": "paragonie/random_compat", "version": "v9.99.100", "source": { "type": "git", "url": "https://github.com/paragonie/random_compat.git", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a", "shasum": "" }, "require": { "php": ">= 7" }, "require-dev": { "phpunit/phpunit": "4.*|5.*", "vimeo/psalm": "^1" }, "suggest": { "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." 
}, "type": "library", "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Paragon Initiative Enterprises", "email": "security@paragonie.com", "homepage": "https://paragonie.com" } ], "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", "keywords": [ "csprng", "polyfill", "pseudorandom", "random" ], "support": { "email": "info@paragonie.com", "issues": "https://github.com/paragonie/random_compat/issues", "source": "https://github.com/paragonie/random_compat" }, "time": "2020-10-15T08:29:30+00:00" }, { "name": "yiisoft/yii2", "version": "2.0.49.2", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-framework.git", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/7d38bf7584acbe838a8d08e40e949b6393162441", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441", "shasum": "" }, "require": { "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ", "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable", "bower-asset/punycode": "1.3.* | 2.2.*", "bower-asset/yii2-pjax": "~2.0.1", "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0", "ext-ctype": "*", "ext-mbstring": "*", "ezyang/htmlpurifier": "^4.6", "lib-pcre": "*", "paragonie/random_compat": ">=1", "php": ">=5.4.0", "yiisoft/yii2-composer": "~2.0.4" }, "bin": [ "yii" ], "type": "library", "extra": { "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com", "homepage": "https://www.yiiframework.com/", "role": "Founder and project lead" }, { "name": "Alexander Makarov", "email": "sam@rmcreative.ru", "homepage": 
"https://rmcreative.ru/", "role": "Core framework development" }, { "name": "Maurizio Domba", "homepage": "http://mdomba.info/", "role": "Core framework development" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "https://www.cebe.cc/", "role": "Core framework development" }, { "name": "Timur Ruziev", "email": "resurtm@gmail.com", "homepage": "http://resurtm.com/", "role": "Core framework development" }, { "name": "Paul Klimov", "email": "klimov.paul@gmail.com", "role": "Core framework development" }, { "name": "Dmitry Naumenko", "email": "d.naumenko.a@gmail.com", "role": "Core framework development" }, { "name": "Boudewijn Vahrmeijer", "email": "info@dynasource.eu", "homepage": "http://dynasource.eu", "role": "Core framework development" } ], "description": "Yii PHP Framework Version 2", "homepage": "https://www.yiiframework.com/", "keywords": [ "framework", "yii2" ], "support": { "forum": "https://forum.yiiframework.com/", "irc": "ircs://irc.libera.chat:6697/yii", "issues": "https://github.com/yiisoft/yii2/issues?state=open", "source": "https://github.com/yiisoft/yii2", "wiki": "https://www.yiiframework.com/wiki" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2", "type": "tidelift" } ], "time": "2023-10-12T15:46:26+00:00" }, { "name": "yiisoft/yii2-composer", "version": "2.0.10", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-composer.git", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-composer/zipball/94bb3f66e779e2774f8776d6e1bdeab402940510", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510", "shasum": "" }, "require": { "composer-plugin-api": "^1.0 | ^2.0" }, "require-dev": { "composer/composer": "^1.0 | ^2.0@dev", "phpunit/phpunit": "<7" }, "type": 
"composer-plugin", "extra": { "class": "yii\\composer\\Plugin", "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\composer\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc" } ], "description": "The composer plugin for Yii extension installer", "keywords": [ "composer", "extension installer", "yii2" ], "support": { "forum": "http://www.yiiframework.com/forum/", "irc": "irc://irc.freenode.net/yii", "issues": "https://github.com/yiisoft/yii2-composer/issues", "source": "https://github.com/yiisoft/yii2-composer", "wiki": "http://www.yiiframework.com/wiki/" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer", "type": "tidelift" } ], "time": "2020-06-24T00:04:01+00:00" } ], "packages-dev": [], "aliases": [], "minimum-stability": "stable", "stability-flags": [], "prefer-stable": false, "prefer-lowest": false, "platform": [], "platform-dev": [], "plugin-api-version": "2.6.0" } ```syft scan file:composer.lock --output cyclonedx-json=sbom.json
grype --verbose sbom.json
Anything else we need to know?:
If I set the `-vv` flag on the Syft call I see many `DEBUG unable to convert relationship type to CycloneDX JSON, dropping` lines:
``` ᐅ syft scan file:composer.lock --output cyclonedx-json=sbom.json -vv ... [0000] DEBUG discovered 9 packages cataloger=php-composer-lock-cataloger [0000] DEBUG discovered 0 packages cataloger=php-pecl-serialized-cataloger [0000] DEBUG discovered 0 packages cataloger=python-package-cataloger [0000] DEBUG discovered 0 packages cataloger=ruby-gemfile-cataloger [0000] DEBUG discovered 0 packages cataloger=ruby-gemspec-cataloger [0000] DEBUG discovered 0 packages cataloger=rust-cargo-lock-cataloger [0000] DEBUG discovered 0 packages cataloger=cocoapods-cataloger [0000] DEBUG discovered 0 packages cataloger=swift-package-manager-cataloger [0000] DEBUG discovered 0 packages cataloger=dotnet-portable-executable-cataloger [0000] DEBUG discovered 0 packages cataloger=python-installed-package-cataloger [0000] DEBUG discovered 0 packages cataloger=go-module-binary-cataloger [0000] DEBUG discovered 0 packages cataloger=java-archive-cataloger [0000] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger [0000] DEBUG discovered 0 packages cataloger=nix-store-cataloger [0000] DEBUG discovered 0 packages cataloger=lua-rock-cataloger [0000] DEBUG discovered 0 packages cataloger=binary-classifier-cataloger [0000] DEBUG discovered 0 packages cataloger=elf-binary-package-cataloger [0000] DEBUG discovered 0 packages cataloger=github-actions-usage-cataloger [0000] DEBUG discovered 0 packages cataloger=github-action-workflow-usage-cataloger [0000] DEBUG discovered 0 packages cataloger=linux-kernel-cataloger [0000] DEBUG discovered 0 packages cataloger=wordpress-plugins-cataloger [0000] DEBUG executable cataloger processed 0 files [0000] DEBUG unable to convert relationship type to CycloneDX JSON, dropping: "{From:0x1400081d000 To:Pkg(name=\"bower-asset/inputmask\" version=\"5.0.9\" type=\"php-composer\" id=\"f8aba670d7b79f5d\") Type:contains Data:Environment:
`grype version`: