anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Failure on SBOM from cdxgen 11.0.0 #2263

Open metametadata opened 3 days ago

metametadata commented 3 days ago

What happened:

failed to catalog: unable to decode sbom: unable to decode cyclonedx json document: json: cannot unmarshal array into Go struct field Evidence.components.evidence.identity of type cyclonedx.EvidenceIdentity

What you expected to happen:

No error.

How to reproduce it (as minimally and precisely as possible):

Use cdxgen 11.0.0 to generate an SBOM from pom.xml:

```shell
CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0    http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>com.mysql</groupId>
      <artifactId>mysql-connector-j</artifactId>
      <version>9.0.0</version>
    </dependency>
  </dependencies>
</project>
```

Then run Grype 0.84.0:

```shell
grype sbom.json
```

sbom.json:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:427c8220-455c-4270-8639-f63001b38d46",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:58:42Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.0.0",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.0.0",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.0.0",
          "publisher": "OWASP Foundation",
          "authors": [ { "name": "OWASP Foundation" } ]
        }
      ]
    },
    "authors": [ { "name": "OWASP Foundation" } ],
    "lifecycles": [ { "phase": "build" } ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ],
      "purl": "pkg:maven/foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "type": "application"
    },
    "properties": [
      { "name": "cdx:bom:componentTypes", "value": "maven" },
      { "name": "cdx:bom:componentNamespaces", "value": "com.google.protobuf\\ncom.mysql" }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        { "name": "cdx:maven:component_scope", "value": "compile" },
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 0.5,
            "methods": [
              {
                "technique": "manifest-analysis",
                "confidence": 0.5,
                "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
              }
            ]
          }
        ]
      },
      "properties": [
        { "name": "cdx:maven:component_scope", "value": "compile" },
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "dependsOn": [ "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar" ]
    },
    {
      "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "dependsOn": [ "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar" ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "dependsOn": []
    }
  ],
  "annotations": []
}
```

Notes

Differences between 10.10.7 (works with Grype) and 11.0.0 cdxgen output:

(three screenshots of the diff between the two outputs were attached, taken 2024-11-17)

sbom.json from cdxgen 10.10.7:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:fb64f67b-e07b-473c-bac0-d0d298266cea",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-16T21:56:39Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "10.10.7",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@10.10.7",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.10.7",
          "author": "OWASP Foundation",
          "publisher": "OWASP Foundation"
        }
      ]
    },
    "authors": [ { "name": "OWASP Foundation" } ],
    "lifecycles": [ { "phase": "build" } ],
    "component": {
      "group": "foo",
      "name": "bar",
      "version": "1.0.0",
      "properties": [
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ],
      "purl": "pkg:maven/foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "type": "application"
    },
    "properties": [
      { "name": "cdx:bom:componentTypes", "value": "maven" },
      { "name": "cdx:bom:componentNamespaces", "value": "com.google.protobuf\\ncom.mysql" }
    ]
  },
  "components": [
    {
      "group": "com.mysql",
      "name": "mysql-connector-j",
      "version": "9.0.0",
      "scope": "required",
      "purl": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        { "name": "cdx:maven:component_scope", "value": "compile" },
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ]
    },
    {
      "group": "com.google.protobuf",
      "name": "protobuf-java",
      "version": "4.26.1",
      "scope": "required",
      "purl": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "type": "library",
      "bom-ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.5,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.5,
              "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml"
            }
          ]
        }
      },
      "properties": [
        { "name": "cdx:maven:component_scope", "value": "compile" },
        { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/foo/bar@1.0.0?type=jar",
      "dependsOn": [ "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar" ]
    },
    {
      "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
      "dependsOn": [ "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar" ]
    },
    {
      "ref": "pkg:maven/com.google.protobuf/protobuf-java@4.26.1?type=jar",
      "dependsOn": []
    }
  ]
}
```

spiffcs commented 3 hours ago

@metametadata thanks for the issue here. I've tracked down the changes in the CDX schema to: https://cyclonedx.org/schema/bom-1.6.schema.json

If you search this page for "title": "Identity Evidence", you'll see it has been updated to be oneOf which could be an object or list of identity objects.

Grype and Syft have not been updated to this latest schema. I've added this work to our backlog so we can update the schemas to the latest changes and get new versions of the tooling out.

Dev note: whoever picks this up might want to look at how we do these schema updates going forward. Currently it's a manual process that has not been run in 5 months. We might want more automation to cover if something changes in the specifications.
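To make the schema change concrete, here is an added example (hypothetical Go written for this page, not code from cyclonedx-go, Syft or Grype) of a decoder whose `evidence.identity` field accepts both encodings the thread contrasts: the single object that CycloneDX 1.5 / cdxgen 10.10.7 emits and the array that the 1.6 `oneOf` / cdxgen 11.0.0 emits. Anything that is neither is rejected, so a malformed SBOM still fails loudly instead of being silently scanned with empty evidence. The type names, `ParseBOM`, `IdentityFields` and the `BOM15`, `BOM16` and `BadBOM` fragments are all constructed here, trimmed from the two documents quoted above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Method is one entry of evidence.identity[].methods (constructed, minimal subset of the schema).
type Method struct {
	Technique  string  `json:"technique"`
	Confidence float64 `json:"confidence"`
	Value      string  `json:"value"`
}

// EvidenceIdentity is a single identity-evidence record.
type EvidenceIdentity struct {
	Field      string   `json:"field"`
	Confidence float64  `json:"confidence"`
	Methods    []Method `json:"methods"`
}

// IdentityList is the tolerant decoding target: it accepts the single-object
// form (CycloneDX 1.5, cdxgen 10.10.7) and the array form (CycloneDX 1.6 oneOf,
// cdxgen 11.0.0), normalises both to a slice, and rejects anything else.
type IdentityList []EvidenceIdentity

func (l *IdentityList) UnmarshalJSON(data []byte) error {
	data = bytes.TrimSpace(data)
	if len(data) == 0 || bytes.Equal(data, []byte("null")) {
		*l = nil
		return nil
	}
	switch data[0] {
	case '[':
		var many []EvidenceIdentity
		if err := json.Unmarshal(data, &many); err != nil {
			return err
		}
		*l = many
	case '{':
		var one EvidenceIdentity
		if err := json.Unmarshal(data, &one); err != nil {
			return err
		}
		*l = IdentityList{one}
	default:
		// Fail closed: a scalar here matches neither schema version.
		return fmt.Errorf("evidence.identity: expected object or array, got %q", data[0])
	}
	return nil
}

type Evidence struct {
	Identity IdentityList `json:"identity,omitempty"`
}

type Component struct {
	Name     string    `json:"name"`
	Version  string    `json:"version"`
	PURL     string    `json:"purl"`
	Evidence *Evidence `json:"evidence,omitempty"`
}

type BOM struct {
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// ParseBOM decodes the subset of a CycloneDX JSON document modelled above.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("unable to decode cyclonedx json document: %w", err)
	}
	return &b, nil
}

// IdentityFields returns the evidence.identity field names of every component,
// in document order, so callers can confirm both encodings decode identically.
func IdentityFields(b *BOM) []string {
	var out []string
	for _, c := range b.Components {
		if c.Evidence == nil {
			continue
		}
		for _, id := range c.Evidence.Identity {
			out = append(out, id.Field)
		}
	}
	return out
}

// Constructed fragments of the two SBOMs from the issue, trimmed to the fields modelled here.
const BOM15 = `{"specVersion":"1.5","components":[{"name":"mysql-connector-j","version":"9.0.0",
"purl":"pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
"evidence":{"identity":{"field":"purl","confidence":0.5,
"methods":[{"technique":"manifest-analysis","confidence":0.5,"value":"pom.xml"}]}}}]}`

const BOM16 = `{"specVersion":"1.6","components":[{"name":"mysql-connector-j","version":"9.0.0",
"purl":"pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
"evidence":{"identity":[{"field":"purl","confidence":0.5,
"methods":[{"technique":"manifest-analysis","confidence":0.5,"value":"pom.xml"}]}]}}]}`

// BadBOM (constructed) uses a scalar where the schema allows only an object or an array.
const BadBOM = `{"specVersion":"1.6","components":[{"name":"x","evidence":{"identity":"purl"}}]}`

func main() {
	for _, doc := range []string{BOM15, BOM16, BadBOM} {
		b, err := ParseBOM([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(b.SpecVersion, IdentityFields(b))
	}
}
```

The switch on the first significant byte is the whole trick: `encoding/json` hands `UnmarshalJSON` the raw value for that field, so the decoder can inspect its shape before choosing a target type. The real fix in Syft/Grype is to regenerate the CycloneDX types from the 1.6 schema, as the comment above says; a shim like this is only how a consumer stays compatible with SBOMs produced by both generator versions in the meantime.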