anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies #3158

Open joaquinricci opened 3 weeks ago

joaquinricci commented 3 weeks ago

What happened:

Trivy tool had the same issue which was raised here.

We are using syft to generate SBOMs for our Dart/Flutter project. Syft incorrectly generates a dependency for flutter@0.0.0, ignoring the sdk setting.

Corresponding part of the pubspec.lock:

…
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
…

As you can see it specifies source as sdk.

Further down in the pubspec.lock file there is more information on the sdk version:

sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"

What you expected to happen:

The generated SBOM should not contain the incorrect (but unfortunately valid) version 0.0.0.

Steps to reproduce the issue:

Our project code is private, but the problem exists in any Flutter project.

You can reproduce the problem easily by running syft scan dir:./ -o spdx-json=sbom.spdx.json on this project:

https://github.com/KhoaSuperman/findseat/

Anything else we need to know?:

One more thing, dart hasn't been added to the SBOM either. So it is not only flutter that fails due to the actual version being in the sdks zone, but also dart is not being captured.

Environment:

kzantow commented 3 weeks ago

Thanks for the report @joaquinricci, do all of these have source: sdk?

joaquinricci commented 2 weeks ago

Hey @kzantow , thanks for the ⚡ reply.

Thanks for the report @joaquinricci, do all of these have source: sdk?

I believe the answer is yes, I couldn't find the pubspec.lock documentation, but according to this dart documentation about sdks, aside from dart itself, flutter is currently the only other sdk.

Now, if you check this example, you can see that both flutter_web_plugins and flutter_test have the source parameter, since those packages depend on the flutter SDK.

  flutter_test:
    dependency: "direct dev"
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_time_picker_spinner:
    dependency: "direct main"
    description:
      name: flutter_time_picker_spinner
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.0.0"
  flutter_web_plugins:
    dependency: transitive
    description: flutter
    source: sdk
    version: "0.0.0"

EDIT

And yes, all of those examples are captured as version 0.0.0 in the syft output.
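As an added example, not Syft's own cataloger code and not something posted by the participants in this issue, here is a small Go reader for the pubspec.lock excerpts quoted in both posts above. It shows the handling the report asks for: a package with source: sdk takes the version constraint of the SDK named in its description instead of the 0.0.0 placeholder, and the entries under sdks: (dart included) are emitted as components of their own. The line-oriented parser, the Component type and the dart-package/dart-sdk labels are assumptions of this example; the sample lock file is constructed from the fragments in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is one entry under "packages:" with its scalar fields. For source:
// sdk, pub writes the SDK name into description and "0.0.0" into version.
type Package struct {
	Name   string
	Fields map[string]string // description, source, version, ...
}

// LockFile holds the two pubspec.lock sections this example reads.
type LockFile struct {
	Packages []Package
	SDKs     map[string]string // SDK name -> constraint, e.g. "dart" -> ">=2.15.1 <3.0.0"
	SDKOrder []string          // SDK names in file order, for deterministic output
}

// Component is one SBOM entry; Type is "dart-package" or "dart-sdk" (labels assumed here).
type Component struct{ Name, Version, Type string }

// splitKV splits "key: value" (or a bare "key:") and strips quotes from the value.
func splitKV(s string) (string, string) {
	key, val, _ := strings.Cut(s, ":")
	return strings.TrimSpace(key), strings.Trim(strings.TrimSpace(val), `"`)
}

// ParsePubspecLock is an indentation-driven reader for the pubspec.lock subset
// shown in the issue (two-space indents, scalar fields, and the nested
// "description:" map of hosted packages). It is not a general YAML parser.
func ParsePubspecLock(text string) LockFile {
	lock := LockFile{SDKs: map[string]string{}}
	section, cur := "", -1 // cur indexes the package whose fields are being read
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		trimmed := strings.TrimLeft(line, " ")
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indent := len(line) - len(trimmed)
		key, val := splitKV(trimmed)
		switch {
		case indent == 0: // top-level section: packages, sdks, ...
			section, cur = key, -1
		case indent == 2 && section == "packages":
			lock.Packages = append(lock.Packages, Package{Name: key, Fields: map[string]string{}})
			cur = len(lock.Packages) - 1
		case indent == 2 && section == "sdks":
			lock.SDKs[key] = val
			lock.SDKOrder = append(lock.SDKOrder, key)
		case indent == 4 && cur >= 0:
			lock.Packages[cur].Fields[key] = val // "" when the value is a nested map
		case indent == 6 && cur >= 0 && key == "name":
			lock.Packages[cur].Fields["description"] = val // hosted packages nest the name
		}
	}
	return lock
}

// Components maps the lock file to SBOM entries. A source: sdk package takes
// the constraint of the SDK named in its description instead of 0.0.0 (empty
// if "sdks:" has no such entry), and every SDK under "sdks:" becomes a
// component itself, so dart is recorded as well.
func Components(lock LockFile) []Component {
	var out []Component
	for _, p := range lock.Packages {
		c := Component{Name: p.Name, Version: p.Fields["version"], Type: "dart-package"}
		if p.Fields["source"] == "sdk" {
			c.Version = lock.SDKs[p.Fields["description"]]
		}
		out = append(out, c)
	}
	for _, name := range lock.SDKOrder {
		out = append(out, Component{Name: name, Version: lock.SDKs[name], Type: "dart-sdk"})
	}
	return out
}

// sampleLock is constructed for this example from the excerpts in the issue.
const sampleLock = `packages:
  flutter:
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_time_picker_spinner:
    description:
      name: flutter_time_picker_spinner
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.0.0"
sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"
`

func main() {
	for _, c := range Components(ParsePubspecLock(sampleLock)) {
		fmt.Printf("%-28s %-12s %q\n", c.Name, c.Type, c.Version)
	}
}
```

Whether an SBOM should record the SDK constraint, an SDK version resolved from the build environment, or no version at all is a design choice; this example records the constraint and leaves Version empty when sdks: has no matching entry, so a consumer can tell an unknown version from a fabricated one.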