search

devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
Mozilla Public License 2.0
490 stars 43 forks source link

HTML report generation fails silently when processing entire folder containing an "empty" SBOM #208

Open henning-meinhardt opened 5 months ago

henning-meinhardt commented 5 months ago

Generation of HTML report for an entire directory fails silently when the directory contains an "empty" SBOM. I'm using latest version 0.4.8 and the following invocation: bomber scan --debug --output html ./temp

In temp folder I have multiple SBOMs (all json format, generated using the "CycloneDX Gradle plugin" in a multi-project gradle setup). Some of the SBOMs are from gradle projects that don't add any extra dependency, so the resulting SBOMs are "empty". As soon as Bomber encounters one of these empty SBOMs it stops processing without giving a meaningful error message. Also --debug output doesn't expose any useful information. When I remove all the "empty" SBOMs, Bomber works correctly.

An example of an "empty" SBOM :

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:339661e5-161c-4261-ae90-39e54cb9cd95",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-03-12T21:07:08Z",
    "tools" : [
      {
        "vendor" : "CycloneDX",
        "name" : "cyclonedx-gradle-plugin",
        "version" : "1.8.2"
      }
    ],
    "component" : {
      "group" : "xxxxxxx.xxx",
      "name" : "mailReceiver",
      "version" : "LOCAL-BUILD-SNAPSHOT",
      "purl" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar"
    }
  },
  "dependencies" : [
    {
      "ref" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar",
      "dependsOn" : [ ]
    }
  ]
}
henning-meinhardt commented 5 months ago

The other "non-empty" SBOMs all have a "components" section together with the "dependencies" section. The empty one have only a "dependencies" section.

djschleen commented 5 months ago

Hey @henning-meinhardt, I appreciate the detail there. I'll take a look at it. I have been doing some work on the HTML reports with @mirxcle to add some AI generated vulnerability info so we may have a regression issue.