anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Supplier information missing in the SBOM #3049

Open Naranthiran opened 3 months ago

Naranthiran commented 3 months ago
Hi Tim,

Since the BlackDuck team does not have a separate to analyze the SBOM, I was not able to give you an update.

But I have one more query regarding the SBOM generated using the syft tool.

I am using the below command to generate the SBOM. I have also attached the SBOM for your reference.

syft dir:/home/RHEL7WORK/ -o spdx-json=071724minimalos.spdx.json

We have not been able to get the supplier information in the generated SBOM. We are using an SBOM editor for reviewing the SBOM.

Can you check the SBOM and confirm what could be the issue with the supplier information, or whether it is available in the SBOM and just not visible in the SBOM editor? And are there any tools to check the supplier information?

Attachment: 071724minimalos.spdx.json

Regards Naranthiran Duraisamy

Originally posted by @Naranthiran in https://github.com/anchore/syft/issues/2840#issuecomment-2232586735

wagoodman commented 3 months ago

It looks like we are pulling vendor info (https://github.com/anchore/syft/blob/034a98f02972e94cbf3dddfdd116b94176a9d56e/syft/pkg/cataloger/redhat/parse_rpm_archive.go#L29-L34) and we're mapping that into the SPDX supplier (https://github.com/anchore/syft/blob/034a98f02972e94cbf3dddfdd116b94176a9d56e/syft/format/internal/spdxutil/helpers/originator_supplier.go#L94-L101). It might be that we're not correctly getting the vendor in the cataloger.

We should at the very least start capturing errors to a trace log (they are currently being thrown away) so we can get more visibility into this.

Naranthiran commented 3 months ago

Hi Alex,

If we could have a fix, it would be helpful for us.

Regards Naranthiran Duraisamy

kzantow commented 3 months ago

Hi @Naranthiran -- are you able to provide a public image or other steps to reproduce this problem?

We have test RPMs that include the vendor information and this information gets properly output as SPDX suppliers, so there may be something else going on here.

Example (from this repo):

cd syft/pkg/cataloger/redhat/test-fixtures
make rpm
syft . -o spdx-json

... includes:

"supplier": "Organization: Fedora Project",

I've added a PR that logs errors when parsing these, it would need debug logging enabled (-vv): https://github.com/anchore/syft/pull/3051

It's possible the RPMs you are scanning simply may be missing this information, but there could be something else going on here. Without more information it will be hard to make any more changes to improve this, though.
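To answer the "are there any tools to check the supplier information?" question independently of any SBOM editor, here is an added example (not part of this issue, not syft's own code) that reads an SPDX JSON document and reports which packages carry a supplier, which say NOASSERTION or omit the field, and which have a value that does not follow the SPDX `Organization: ...` / `Person: ...` form. The embedded sample document is constructed for the example; the package names, versions and the `Person:` entry are assumptions, not output from the RHEL 7.9 scan discussed above. Run it against a real file with `python check_supplier.py 071724minimalos.spdx.json`.

```python
import json
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed minimal SPDX 2.3 JSON document used only to exercise the checks
# below. It is NOT a syft output; names, versions and suppliers are made up.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-sample",
    "packages": [
        {"SPDXID": "SPDXRef-Package-rpm-bash", "name": "bash",
         "versionInfo": "4.2.46", "supplier": "Organization: Fedora Project"},
        {"SPDXID": "SPDXRef-Package-rpm-glibc", "name": "glibc",
         "versionInfo": "2.17", "supplier": "NOASSERTION"},
        # field omitted entirely, which an SBOM editor may render the same as NOASSERTION
        {"SPDXID": "SPDXRef-Package-rpm-zlib", "name": "zlib", "versionInfo": "1.2.7"},
        {"SPDXID": "SPDXRef-Package-rpm-custom", "name": "custom",
         "versionInfo": "1.0", "supplier": "Person: Jane Doe (jane@example.com)"},
        # malformed: SPDX requires an 'Organization:' or 'Person:' prefix
        {"SPDXID": "SPDXRef-Package-rpm-bad", "name": "bad",
         "versionInfo": "0.1", "supplier": "Some Vendor"},
    ],
})


def parse_supplier(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split an SPDX PackageSupplier value into (kind, name).

    SPDX allows 'Organization: <name>', 'Person: <name> (<email>)' or NOASSERTION.
    Returns (None, None) when the field is missing or NOASSERTION, and
    ('invalid', <raw value>) when the prefix is not one SPDX permits.
    """
    if value is None or value.strip() == "NOASSERTION":
        return (None, None)
    kind, sep, name = value.partition(":")
    kind = kind.strip()
    if not sep or kind not in ("Organization", "Person") or not name.strip():
        return ("invalid", value)
    return (kind, name.strip())


def supplier_report(spdx_json_text: str) -> Dict[str, dict]:
    """Map each package SPDXID to its parsed supplier details."""
    doc = json.loads(spdx_json_text)
    report: Dict[str, dict] = {}
    for pkg in doc.get("packages", []):
        key = pkg.get("SPDXID") or pkg.get("name")
        kind, name = parse_supplier(pkg.get("supplier"))
        report[key] = {
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "raw": pkg.get("supplier"),   # exactly what is in the file, for diffing
            "kind": kind,
            "supplier": name,
        }
    return report


def packages_missing_supplier(spdx_json_text: str) -> List[str]:
    """SPDXIDs whose supplier is absent or NOASSERTION."""
    return sorted(k for k, v in supplier_report(spdx_json_text).items() if v["kind"] is None)


def packages_invalid_supplier(spdx_json_text: str) -> List[str]:
    """SPDXIDs whose supplier value is present but not in SPDX form."""
    return sorted(k for k, v in supplier_report(spdx_json_text).items() if v["kind"] == "invalid")


def print_summary(spdx_json_text: str) -> None:
    report = supplier_report(spdx_json_text)
    for key, v in report.items():
        status = v["kind"] or "MISSING"
        print(f"{status:<13} {v['name']}-{v['version']}: {v['raw']!r}")
    print(f"\n{len(packages_missing_supplier(spdx_json_text))} of {len(report)} packages lack a supplier")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print_summary(fh.read())
    else:
        print_summary(SAMPLE_SPDX)
```

Checking the `raw` value rather than what an editor displays separates the two cases in the original question: if the field is present in the JSON with an `Organization:` prefix, the SBOM is fine and the editor is hiding it; if it is absent or NOASSERTION for every RPM, the information never made it out of the cataloger. SPDX also has a separate `originator` field, which this example deliberately ignores so that "supplier missing" means exactly that.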

Naranthiran commented 2 months ago

Hi Keith Zantow,

I am trying to generate the SBOM with RedHat 7.9 packages.

Steps to reproduce:

1) Mount the RedHat 7.9 ISO and copy the rpm files to a folder.

2) Run the below command to generate the SBOM.

syft dir:/RPM_folder_path/ -o spdx-json=071724minimalos.spdx.json

3) Import the generated SBOM in the SBOM editor and check the supplier info against the package.

Regards Naranthiran Duraisamy

Naranthiran commented 2 months ago

Hi Keith Zantow,

Were you able to reproduce the issue?

Please let me know if any inputs are required from my side.

Regards Naranthiran Duraisamy