anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

SPDX JSON output with unresolvable references in relationships #2535

Open luhring opened 8 months ago

luhring commented 8 months ago

What happened:

When using Syft to produce an SPDX JSON document, it looks like it uses SPDXRef values in the list of relationships that don't map to any element in the SPDX document.

This in turn surfaces as a DEBUG-level log message when Syft is used (e.g. by Grype) to decode Syft's own SPDX documents.

What you expected to happen:

No strange looking debug message, and no SPDX SBOMs with these relationships with undefined references.

Steps to reproduce the issue:

Create an SPDX JSON SBOM.

syft cgr.dev/chainguard/go@sha256:d0c4c542b8cbde4cdb35058dfe1d6a0a3ccde8f74469ac32781a2c2579ee79cd -o spdx-json > ./go.spdx.json

Notice that this document contains many relationships that look like this:

        {
            "spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
            "relatedSpdxElement": "SPDXRef-532ce643e7a05412",
            "relationshipType": "CONTAINS"
        },
        {
            "spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
            "relatedSpdxElement": "SPDXRef-53490a02576ac1b7",
            "relationshipType": "CONTAINS"
        },
        {
            "spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
            "relatedSpdxElement": "SPDXRef-53502b080a8d553b",
            "relationshipType": "CONTAINS"
        }

Note the odd-looking relatedSpdxElement values, like SPDXRef-53502b080a8d553b.

Run Grype with debug logging, using this SBOM as input. (Optionally use grep to count instances of the DEBUG message in question.)

$ grype -vv sbom:./go.spdx.json |& grep -c 'DEBUG unable to find valid relationship mapping from SPDX, ignoring'
8528

Anything else we need to know?:

cc: @kzantow

Environment:

$ syft version
Application: syft
Version:    0.101.1
BuildDate:  2024-01-19T22:02:04Z
GitCommit:  3eab5932e5271eea5506ab9710239b1415c827f8
GitDescription: v0.101.1
Platform:   darwin/arm64
GoVersion:  go1.21.5
Compiler:   gc

macOS Sonoma
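A standalone check for the condition described in this issue, added here as an example and not code from Syft or Grype: it collects every SPDXID defined in an SPDX 2.x JSON document (the document itself, packages, files, snippets) and lists relationship endpoints that resolve to none of them, which is the situation behind the "unable to find valid relationship mapping" message above. The embedded sample document is constructed; its package SPDXID and the two dangling CONTAINS targets are taken from the relationships quoted in the report, while SPDXRef-File-constructed-example is an assumed identifier.

```python
"""Find SPDX relationship references that do not resolve within the document.

Added example for this issue, not Syft or Grype code. It gathers every SPDXID
defined in an SPDX 2.x JSON document and flags relationship endpoints that
point at no defined element (and at no declared external document).
"""
import json
import sys

# Constructed sample modelled on the relationships quoted in the issue report.
# The package SPDXID is defined; the two short SPDXRef-<hash> targets are not.
# SPDXRef-File-constructed-example is an assumed identifier.
SAMPLE_SPDX_JSON = """
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "name": "constructed-sample",
  "packages": [
    {"SPDXID": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda", "name": "go"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-constructed-example", "fileName": "/usr/bin/go"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",
     "relatedSpdxElement": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
     "relatedSpdxElement": "SPDXRef-File-constructed-example",
     "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
     "relatedSpdxElement": "SPDXRef-532ce643e7a05412",
     "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
     "relatedSpdxElement": "SPDXRef-53490a02576ac1b7",
     "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-Package-apk-go-1.21-5cff34dbbc055fda",
     "relatedSpdxElement": "NOASSERTION",
     "relationshipType": "DEPENDS_ON"}
  ]
}
"""

# relatedSpdxElement may legitimately carry one of these instead of an SPDXID.
SPECIAL_TARGETS = {"NONE", "NOASSERTION"}


def collect_element_ids(doc):
    """Return every SPDXID defined in the document: document, packages, files, snippets."""
    ids = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for section in ("packages", "files", "snippets"):
        for element in doc.get(section, []):
            if "SPDXID" in element:
                ids.add(element["SPDXID"])
    return ids


def collect_external_document_ids(doc):
    """Return the DocumentRef-* identifiers declared under externalDocumentRefs."""
    return {ref["externalDocumentId"]
            for ref in doc.get("externalDocumentRefs", [])
            if "externalDocumentId" in ref}


def find_unresolved_references(doc):
    """Return (field, reference, relationshipType) for each relationship endpoint
    that resolves neither to a local SPDXID nor to a declared external document."""
    local_ids = collect_element_ids(doc)
    external_ids = collect_external_document_ids(doc)
    unresolved = []
    for rel in doc.get("relationships", []):
        for field in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(field)
            if ref is None:
                continue
            if field == "relatedSpdxElement" and ref in SPECIAL_TARGETS:
                continue
            # "DocumentRef-x:SPDXRef-y" points into another document; accept it
            # when that document is declared, since it cannot be resolved locally.
            if ":" in ref and ref.split(":", 1)[0] in external_ids:
                continue
            if ref not in local_ids:
                unresolved.append((field, ref, rel.get("relationshipType")))
    return unresolved


def unresolved_in_sample():
    """Run the check over the constructed sample document."""
    return find_unresolved_references(json.loads(SAMPLE_SPDX_JSON))


def report(path=None):
    """Load an SPDX JSON file (or the constructed sample) and print unresolved refs."""
    if path:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = json.loads(SAMPLE_SPDX_JSON)
    unresolved = find_unresolved_references(doc)
    for field, ref, rel_type in unresolved:
        print(f"{rel_type}: {field} -> {ref} is not defined in this document")
    total = len(doc.get("relationships", []))
    print(f"{len(unresolved)} unresolved reference(s) in {total} relationship(s)")
    return unresolved


if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python check_spdx_refs.py ./go.spdx.json` against the document produced in the reproduction steps; with no argument it runs over the embedded sample and reports the two dangling CONTAINS targets. The count it prints for a real document can be compared with the grep count from the Grype debug output, since both count the same dangling endpoints.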

tgerla commented 8 months ago

Hey @luhring, thanks for this, we will put it in the backlog.