error retrieving vulnerability data (400 Bad Request)

[ArwynFr]

I'm writing a SBOM files via Syft then merge them using cyclonedx-cli merge. The resulting file works fine with OSV but fails with ossindex when using bomber 0.4.8:

sbom.json

Also I think that bomber should not halt the process when an error occurs. Even a partial scan has value ; perhaps list the unscanned components in the output.

[djschleen]

@ArwynFr - taking a look...

[djschleen]

@ArwynFr that SBOM has a ton of invalid Purls in it...

I'm writing code to try to cleanse the purls.

[djschleen]

More info:

Only [16] in this screenshot is valid

[djschleen]

This will be better in 0.5.0 with the following info:

• Code has been added to ensure that PURLs are as clean as they can be
• OSV is fine with bad PURLS and returns nothing. OSSINDEX will return an error code (now displayed when the debug flag is set to true), but WILL IGNORE THE FULL CONTENTS OF THAT SPECIFIC BATCH and continue processing. OSSINDEX allows for 128 purls to be passed at a time. If an error gets through, that whole batch is ignored in the output. See the disclaimer at the end of the bomber STDOUT message

I'm not sure what tool created the SBOM provided in the ticket, or if it was a copy paste problem, but the text in there does bind properly to a schema, but Sonatype will error on the bad purl.