devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Compatibility with cyclonedx-maven-plugin:2.8.1 #227

Closed ZheSun88 closed 1 month ago

ZheSun88 commented 1 month ago

It seems bomber is not compatible with the JSON generated from cyclonedx-maven-plugin:2.8.1.

In the new CycloneDX plugin they have removed the deprecated feature of the CycloneDX schema, and now I am getting an error when running `bomber scan` with the new JSON file, while it works fine with the JSON generated from cyclonedx-maven-plugin:2.8.0:

2024/08/05 09:31:32 Reading: bom-vaadin.json
2024/08/05 09:31:32 Detected CycloneDX JSON
■ No packages were detected. Nothing has been scanned.
2024/08/05 09:31:32 Finished

cyclonedx-maven-plugin:2.8.1: [screenshot]

cyclonedx-maven-plugin:2.8.0: [screenshot]

djschleen commented 1 month ago

@ZheSun88 can you provide a full SBOM or a snippet of the components section for us to test with?

ZheSun88 commented 1 month ago

Hi @djschleen, here is one example with cyclonedx-maven-plugin:2.8.1:

```json
"tools": {
  "components": [
    {
      "author": "OWASP Foundation",
      "group": "org.cyclonedx",
      "name": "cyclonedx-maven-plugin",
      "version": "2.8.1",
      "description": "CycloneDX Maven plugin",
      "hashes": [
        {
          "alg": "MD5",
          "content": "42c73e70d517b359d40b757c368d68fc"
        },
        {
          "alg": "SHA-1",
          "content": "c66892e13fb7ed7b8105cb5a280fa767d9e0bf12"
        },
        {
          "alg": "SHA-256",
          "content": "566681b9fcb1b0178e101cd899d2ea399e2039255e208a1a477bc079158dbdc5"
        },
        {
          "alg": "SHA-512",
          "content": "93d7b7421ee2d91f84930e75a52864952f26fee96114740dab477ee5f0e62b6448759ad5a160f1749650379f771941100c7fd84ed523b2407d2004b928998ecb"
        },
        {
          "alg": "SHA-384",
          "content": "04b0c71c1b79f77e723e7db96c72705f50172e94df5a7f28edbd96024b886fff65f61f37fc77abb1d12b0809813ae665"
        },
        {
          "alg": "SHA3-384",
          "content": "eafa68c2c25670f0b77c5db3acdfd97cfe97dfc50c47bba2103353327b049b9bbac0d8b621b1168200ddf21719048c73"
        },
        {
          "alg": "SHA3-256",
          "content": "2c07b6997ba0e40ca3b66e39cfcf101fcebdceaa19fce0baf12e013cf392466e"
        },
        {
          "alg": "SHA3-512",
          "content": "636f068843bad92259885cd4d427630619864c0172bd1b41df15c33a7d411767ab09cf2ff339a97fda149ee44c95a162fdf6cb12de19e2dc0250c2fadc80d882"
        }
      ],
      "type": "library"
    }
  ]
},
```

While with cyclonedx-maven-plugin:2.8.0 it seems there is no `components` section:

```json
"tools": [
  {
    "vendor": "OWASP Foundation",
    "name": "CycloneDX Maven plugin",
    "version": "2.8.0",
    "hashes": [
      {
        "alg": "MD5",
        "content": "76ffec6a7ddd46b2b24517411874eb99"
      },
      {
        "alg": "SHA-1",
        "content": "5b0d5b41975b53be4799b9621b4af0cfc41d44b6"
      },
      {
        "alg": "SHA-256",
        "content": "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81"
      },
      {
        "alg": "SHA-512",
        "content": "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d"
      },
      {
        "alg": "SHA-384",
        "content": "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d"
      },
      {
        "alg": "SHA3-384",
        "content": "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8"
      },
      {
        "alg": "SHA3-256",
        "content": "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487"
      },
      {
        "alg": "SHA3-512",
        "content": "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a"
      }
    ]
  }
],
```

I am also attaching the full JSON files here: bom-2.8.0.json, bom-2.8.1.json

djschleen commented 1 month ago

I ran both of your attached files with bomber 0.5.0 (to be released shortly) and have not reproduced any issue.

[two screenshots of the scan output]

If there is no `components` section in an SBOM, nothing can be scanned because no PURLs will be found. The only thing bomber will use out of any SBOM is that PURL, and the license info. Any other fields like name, description, version, etc. are not used.
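Added example, not bomber's own code and not a claim about what changed between 0.4.7 and 0.5.0: a minimal Go reader for CycloneDX JSON that accepts both `metadata.tools` shapes shown in the thread (the deprecated array of tool objects, and the CycloneDX 1.5+ object carrying `components`), then collects PURLs only from the top-level `components` tree, walking nested components and ignoring the tool components that merely describe the generator. A decoder typed for one `tools` shape rejects the other, which is exactly the kind of schema drift a scanner has to absorb. The embedded SBOMs are constructed, and their package names and PURLs (`org.example/...`) are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Component is the subset of a CycloneDX component a scanner consumes; nested
// components (assemblies) are kept so the walk below does not skip them.
type Component struct {
	Name       string      `json:"name"`
	Version    string      `json:"version"`
	PURL       string      `json:"purl,omitempty"`
	Components []Component `json:"components,omitempty"`
}

// Tools accepts both shapes of metadata.tools: the deprecated JSON array of
// {vendor,name,version} objects and the CycloneDX 1.5+ object holding "components".
type Tools struct {
	Legacy     []Component // array form; "vendor" is simply ignored here
	Components []Component // object form: tools described as components
}

func (t *Tools) UnmarshalJSON(b []byte) error {
	b = bytes.TrimSpace(b)
	if len(b) == 0 || string(b) == "null" {
		return nil
	}
	if b[0] == '[' {
		return json.Unmarshal(b, &t.Legacy)
	}
	var obj struct {
		Components []Component `json:"components"`
	}
	if err := json.Unmarshal(b, &obj); err != nil {
		return err
	}
	t.Components = obj.Components
	return nil
}

// BOM is the minimal CycloneDX JSON document shape needed here.
type BOM struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Tools Tools `json:"tools"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// ExtractPURLs parses a CycloneDX JSON SBOM and returns every PURL under the
// top-level components tree. Tool components under metadata.tools describe the
// generator, not the scanned software, and are deliberately excluded.
func ExtractPURLs(data []byte) (*BOM, []string, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, nil, fmt.Errorf("parse SBOM: %w", err)
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, nil, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BOMFormat)
	}
	return &bom, collectPURLs(bom.Components, nil), nil
}

func collectPURLs(cs []Component, acc []string) []string {
	for _, c := range cs {
		if c.PURL != "" {
			acc = append(acc, c.PURL)
		}
		acc = collectPURLs(c.Components, acc)
	}
	return acc
}

// Constructed sample SBOMs with hypothetical packages, not the files from the issue.
const sbomLegacy = `{"bomFormat":"CycloneDX","specVersion":"1.4",
"metadata":{"tools":[{"vendor":"OWASP Foundation","name":"CycloneDX Maven plugin","version":"2.8.0"}]},
"components":[{"type":"library","name":"example-lib","version":"1.0.0","purl":"pkg:maven/org.example/example-lib@1.0.0"},
{"type":"library","name":"example-bundle","version":"2.0.0","purl":"pkg:maven/org.example/example-bundle@2.0.0",
"components":[{"type":"library","name":"inner","version":"0.1.0","purl":"pkg:maven/org.example/inner@0.1.0"}]}]}`
const sbomNew = `{"bomFormat":"CycloneDX","specVersion":"1.5",
"metadata":{"tools":{"components":[{"type":"library","group":"org.cyclonedx","name":"cyclonedx-maven-plugin","version":"2.8.1"}]}},
"components":[{"type":"library","name":"example-lib","version":"1.0.0","purl":"pkg:maven/org.example/example-lib@1.0.0"}]}`
// No top-level components at all: the "No packages were detected" case.
const sbomEmpty = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"tools":{"components":[]}}}`

func main() {
	for _, doc := range []string{sbomLegacy, sbomNew, sbomEmpty} {
		bom, purls, err := ExtractPURLs([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("tools=%+v purls=%v\n", bom.Metadata.Tools, purls)
	}
}
```

The third document parses cleanly yet yields no PURLs, which is the condition that should produce a "nothing scanned" message rather than a parse error; a scanner that reports both cases the same way hides schema-handling bugs behind what looks like an empty SBOM.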

ZheSun88 commented 1 month ago

Oh, thanks for checking. It seems we used version 0.4.7. The failure doesn't occur after I upgraded bomber to 0.5.0.

Thanks again.