Open joaquinricci opened 3 weeks ago
Thanks for the report @joaquinricci, do all of these have `source: sdk`?
Hey @kzantow, thanks for the ⚡ reply.

> Thanks for the report @joaquinricci, do all of these have `source: sdk`?

I believe the answer is yes. I couldn't find the pubspec.lock documentation, but according to this dart documentation about sdks, aside from dart itself, flutter is currently the only other sdk.

Now, if you check this example, you can see that both flutter_web_plugins and flutter_test have the `source` parameter since those packages depend on the flutter SDK:

```yaml
  flutter_test:
    dependency: "direct dev"
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_time_picker_spinner:
    dependency: "direct main"
    description:
      name: flutter_time_picker_spinner
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.0.0"
  flutter_web_plugins:
    dependency: transitive
    description: flutter
    source: sdk
    version: "0.0.0"
```

EDIT

And yes, all of those examples are captured as version 0.0.0 in the syft output.
What happened:
Trivy tool had the same issue which was raised here.
We are using syft to generate SBOMs for our Dart/Flutter project. Syft incorrectly generates a dependency for flutter@0.0.0, ignoring the sdk setting.
Corresponding part of the pubspec.lock:
As you can see it specifies source as sdk.
Further down in the pubspec.lock file there is more information on the sdk version:
What you expected to happen:
The generated SBOM should not contain the incorrect (but unfortunately valid) version 0.0.0.
Steps to reproduce the issue:
Our project code is private, but the problem exists in any Flutter project.
You can reproduce the problem easily by running `syft scan dir:./ -o spdx-json=sbom.spdx.json` on this project: https://github.com/KhoaSuperman/findseat/
Anything else we need to know?:
One more thing, dart hasn't been added to the SBOM either. So it is not only flutter that fails due to the actual version being in the `sdks` zone, but dart is also not being captured.
Environment:
`syft version`: 1.11.1
OS (`cat /etc/os-release` or similar): Sonoma 14.1
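As an added example (not code from the syft project or from anyone in this thread), the following Go program parses the pubspec.lock layout quoted above and shows both the behaviour reported here (every entry becomes an SBOM component, so `source: sdk` packages surface as `flutter@0.0.0`) and an SDK-aware variant that drops those placeholder versions and reports the SDKs recorded under `sdks:` instead, which is also how `dart` gets into the SBOM at all. The sample lock file, including its `sdks:` constraint values, is constructed for this example, and the parser assumes pub's fixed two-space indentation rather than handling general YAML.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed pubspec.lock sample in the layout pub writes (constraint values are made up).
const sampleLock = `# Generated by pub
packages:
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_time_picker_spinner:
    dependency: "direct main"
    description:
      name: flutter_time_picker_spinner
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.0.0"
sdks:
  dart: ">=2.12.0 <3.0.0"
  flutter: ">=1.20.0"
`

// DartPackage is one "packages:" entry; Fields holds its scalar keys (dependency, description, source, version).
type DartPackage struct {
	Name   string
	Fields map[string]string
}

// Component is a minimal SBOM entry; Type is "pub" or "sdk".
type Component struct{ Name, Version, Type string }

// parsePubspecLock is a minimal line-based parser relying on pub's fixed two-space
// indentation (not a general YAML parser; an assumption of this example). It returns
// the package entries and the "sdks:" lines as components whose Version is the constraint.
func parsePubspecLock(text string) (pkgs []DartPackage, sdks []Component) {
	section, cur := "", -1
	for _, raw := range strings.Split(text, "\n") {
		trimmed := strings.TrimSpace(raw)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		key, val, _ := strings.Cut(trimmed, ":")
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch {
		case indent == 0: // top-level section name
			section, cur = key, -1
		case section == "packages" && indent == 2: // package name
			pkgs = append(pkgs, DartPackage{Name: key, Fields: map[string]string{}})
			cur = len(pkgs) - 1
		case section == "packages" && indent == 4 && cur >= 0: // scalar field; nested
			pkgs[cur].Fields[key] = val // hosted name/url lines at indent 6 are skipped
		case section == "sdks" && indent == 2:
			sdks = append(sdks, Component{key, val, "sdk"})
		}
	}
	return pkgs, sdks
}

// components builds SBOM entries. With skipSDK=false every package is emitted, reproducing
// the reported flutter@0.0.0 entry. With skipSDK=true the source: sdk entries are dropped
// ("0.0.0" is a pub placeholder, not a resolved version) and the "sdks:" entries are emitted.
func components(pkgs []DartPackage, sdks []Component, skipSDK bool) []Component {
	var out []Component
	for _, p := range pkgs {
		if skipSDK && p.Fields["source"] == "sdk" {
			continue
		}
		out = append(out, Component{p.Name, p.Fields["version"], "pub"})
	}
	if skipSDK {
		out = append(out, sdks...)
	}
	return out
}

// placeholderVersions is the check an SBOM consumer can run on any output:
// the names of components whose version is the pub placeholder "0.0.0".
func placeholderVersions(comps []Component) (bad []string) {
	for _, c := range comps {
		if c.Version == "0.0.0" {
			bad = append(bad, c.Name)
		}
	}
	return bad
}

func main() {
	pkgs, sdks := parsePubspecLock(sampleLock)
	fmt.Println("naive:", components(pkgs, sdks, false), placeholderVersions(components(pkgs, sdks, false)))
	fmt.Println("sdk-aware:", components(pkgs, sdks, true), placeholderVersions(components(pkgs, sdks, true)))
}
```

The `placeholderVersions` check is the part worth keeping around regardless of how the cataloger is fixed: any `0.0.0` component in a generated SBOM is a sign that `source: sdk` was not honoured, and matching such an entry against vulnerability data produces meaningless results. Note that the SDK-aware variant reports the constraint from `sdks:`, not a resolved version; the actual Flutter or Dart version installed has to come from the toolchain, which pubspec.lock alone does not record.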