anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Noisy INFO logs on scanning composer.lock SBOM generated by Syft #2042

Open metametadata opened 3 months ago

metametadata commented 3 months ago

What happened:

```
ᐅ grype --verbose sbom.json
[0000]  INFO grype version: 0.79.4
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO &[Location<RealPath="/composer.lock">]
[0000]  INFO found 2 vulnerability matches across 9 packages
NAME          INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-cjcc-p67m-7qxm  High
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-qg5r-95m4-mjgj  Medium
```

What you expected to happen:

No weird `[0000] INFO &[Location<RealPath="/composer.lock">]` logs.

How to reproduce it (as minimally and precisely as possible):

PHP composer.json:

```json
{
  "name": "example/php_sbom_issue",
  "require": {
    "yiisoft/yii2": "2.0.49.2"
  },
  "repositories": [
    {
      "type": "composer",
      "url": "https://asset-packagist.org"
    }
  ],
  "config": {
    "allow-plugins": {
      "yiisoft/yii2-composer": true
    }
  }
}
```

composer.lock generated via `composer update --no-install`.


```
syft scan file:composer.lock --output cyclonedx-json=sbom.json
grype --verbose sbom.json
```

Anything else we need to know?:

If I set the -vv flag on the Syft call, I see many `DEBUG unable to convert relationship type to CycloneDX JSON, dropping` lines.


Environment:

```
Application:         grype
Version:             0.79.4
BuildDate:           2024-07-31T15:05:32Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.22.5
Compiler:            gc
Syft Version:        v1.10.0
Supported DB Schema: 5
```

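A small triage helper for the verbose output in this report, added here as an example (not code from grype or from the reporter): it parses lines of the form `[elapsed]  LEVEL message`, separates the `&[Location<RealPath=...>]` dumps from the real INFO messages, and checks whether the number of dump lines equals the package count in grype's summary line (nine and nine above). The sample log is constructed from the lines in the issue, and the regexes are assumptions about the line shape rather than grype's own log format; the path capture is generic, so the same check applies to a `pnpm-lock.yaml` run.

```python
import re
from collections import Counter

# Constructed sample of grype --verbose output, shaped like the lines in this issue
# (stderr log lines plus two stdout table lines, which the parser must ignore).
NOISE_LINE = '[0000]  INFO &[Location<RealPath="/composer.lock">]'
SAMPLE_LOG = "\n".join(
    ["[0000]  INFO grype version: 0.79.4"]
    + [NOISE_LINE] * 9
    + [
        "[0000]  INFO found 2 vulnerability matches across 9 packages",
        "NAME          INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY",
        "yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-cjcc-p67m-7qxm  High",
    ]
)

# Assumed shape of a grype log line: "[elapsed]  LEVEL message".
LOG_LINE = re.compile(r"^\[(?P<elapsed>\d+)\]\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# The noisy line: a Go-style dump of a Location slice, with the scanned path inside.
LOCATION_DUMP = re.compile(r'^&\[Location<RealPath="(?P<path>[^"]*)"[^\]]*\]$')
# grype's closing summary line, used to read the package count.
MATCH_SUMMARY = re.compile(
    r"^found (?P<matches>\d+) vulnerability matches across (?P<packages>\d+) packages$"
)

def parse_log_lines(text):
    """Yield (level, message) for every line that looks like a grype log line."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            yield m.group("level"), m.group("msg")

def triage(text):
    """Split verbose output into Location dumps (counted per path) and real messages."""
    noise = Counter()
    kept = []
    packages = None
    for level, msg in parse_log_lines(text):
        dump = LOCATION_DUMP.match(msg)
        if dump:
            noise[dump.group("path")] += 1
            continue
        kept.append((level, msg))
        summary = MATCH_SUMMARY.match(msg)
        if summary:
            packages = int(summary.group("packages"))
    return {"noise": dict(noise), "kept": kept, "packages": packages}

def noise_matches_package_count(report):
    """True when there is exactly one Location dump per package grype reported."""
    total = sum(report["noise"].values())
    return report["packages"] is not None and total > 0 and total == report["packages"]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["noise"], "one dump per package:", noise_matches_package_count(report))
```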
metametadata commented 2 months ago

I see a similar problem with SBOMs generated from pnpm-lock.yaml instead of composer.lock:

[Screenshot: 2024-09-14 02:16:58]

gagandeepp commented 1 month ago

@kzantow can you please assign this?

popey commented 1 month ago

Hey @gagandeepp - this issue is marked as good-first-issue as an opportunity for new contributors to get started. We generally don't assign these as they're generally determined not to be requiring urgent attention.

If you're affected by this issue, and would like to work on it, or find someone else who will, I'm sure the team would happily assist.