Closed AnaisUrlichs closed 1 year ago
IIUC, I think this command could work:
./sbom-scorecard score --sbomtype cdx ../result.json
Assuming that's correct, there should probably be a tutorial like suggested in issue #14. This would probably help.
Hmm I just tried that with the sbom type and I get the same error message:
./sbom-scorecard score --sbomtype cdx ../result.json
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x8 pc=0x10058393c]
goroutine 1 [running]:
opensource.ebay.com/sbom-scorecard/pkg/cdx.GetCycloneDXReport({0x16fa0b476, 0xe})
/Users/anaisurlichs/code/sbom-scorecard/pkg/cdx/cdx_report.go:119 +0x2bc
opensource.ebay.com/sbom-scorecard/cmd/sbom-scorecard/cmd.glob..func1(0x10076a8a0?, {0x140000a54a0?, 0x3?, 0x3?})
/Users/anaisurlichs/code/sbom-scorecard/cmd/sbom-scorecard/cmd/scorecard.go:70 +0x178
github.com/spf13/cobra.(*Command).execute(0x10076a8a0, {0x140000a5410, 0x3, 0x3})
/Users/anaisurlichs/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:920 +0x5b0
github.com/spf13/cobra.(*Command).ExecuteC(0x10076a5c0)
/Users/anaisurlichs/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044 +0x35c
github.com/spf13/cobra.(*Command).Execute(...)
/Users/anaisurlichs/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968
opensource.ebay.com/sbom-scorecard/cmd/sbom-scorecard/cmd.Execute()
/Users/anaisurlichs/code/sbom-scorecard/cmd/sbom-scorecard/cmd/root.go:20 +0x28
main.main()
/Users/anaisurlichs/code/sbom-scorecard/cmd/sbom-scorecard/main.go:8 +0x1c
(I'm not the maintainer, so I defer to @justinabrahms) But my investigation suggested that there was a bug in how the program checked for package/component hashes. Check out PR #17. If you run the code off of that branch, it should work.
On my machine I get:
sbom-scorecard git:(main) ✗ go run . score ../../../result.json
Guessed: cdx
15 total packages
93% have licenses.
0% have package digest.
93% have purls.
0% have CPEs.
Has creation info? true
Spec valid? true
==
Spec Compliance: 25/25
Package ID: 9/20 (93% have purls and 0% have CPEs)
Package Versions: 0/20
Package Licenses: 18/20
Creation Info: 15/15
Total points: 68/100 or 68%
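The failure mode discussed in this thread, as an added illustration rather than code from sbom-scorecard or PR #17: a CycloneDX component whose JSON omits the hashes array unmarshals to a nil pointer, and a digest check that dereferences it unguarded panics with the same kind of nil pointer dereference as the trace above, while the guarded version simply counts the component as "no digest". The types are a minimal stand-in for the cyclonedx-go shapes (an assumption) and the BOM is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-in for the CycloneDX fields this example needs. Hashes is a pointer to a
// slice, as in cyclonedx-go (an assumption), so a component whose JSON omits "hashes" is nil.
type Hash struct{ Alg, Content string }
type Component struct {
	Name   string
	Hashes *[]Hash
}
type BOM struct{ Components *[]Component }

// Constructed sample BOM: two components, only one of which carries a digest.
const sampleBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "musl", "hashes": [{"alg": "SHA-256", "content": "constructed-digest"}]},
  {"name": "busybox"}
]}`

// hasDigestUnsafe dereferences Hashes unguarded: a component with no "hashes" array panics.
func hasDigestUnsafe(c Component) bool { return len(*c.Hashes) > 0 }

// hasDigest treats a missing or empty "hashes" array as "no digest".
func hasDigest(c Component) bool { return c.Hashes != nil && len(*c.Hashes) > 0 }

// DigestPercent returns the percentage of components carrying at least one hash ("have package digest").
func DigestPercent(raw string) (int, error) {
	var bom BOM
	if err := json.Unmarshal([]byte(raw), &bom); err != nil {
		return 0, err
	}
	if bom.Components == nil || len(*bom.Components) == 0 {
		return 0, nil // nothing to score
	}
	withDigest := 0
	for _, c := range *bom.Components {
		if hasDigest(c) {
			withDigest++
		}
	}
	return 100 * withDigest / len(*bom.Components), nil
}

func main() {
	pct, err := DigestPercent(sampleBOM)
	fmt.Println(pct, err) // 50 <nil>
}
```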
Since merging #17, this seems to be fixed.
$ trivy image --format cyclonedx --output result.json alpine:3.15
2023-01-06T09:20:26.996-0800 INFO "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
$ make build
go build -ldflags "-X github.com/eBay/sbom-scorecard.version=0.0.3-7-g5c76351 -X github.com/eBay/sbom-scorecard.commit=5c76351e337c1c305120c1c0c15a44a937c457af -X github.com/eBay/sbom-scorecard.date=2023-01-06T09:20:33-0800" -o bin/sbom-scorecard cmd/sbom-scorecard/main.go
$ ./bin/sbom-scorecard score result.json
Guessed: cdx
15 total packages
93% have licenses.
0% have package digest.
93% have purls.
0% have CPEs.
Has creation info? true
Spec valid? true
==
Spec Compliance: 25/25
Package ID: 9/20 (93% have purls and 0% have CPEs)
Package Versions: 0/20
Package Licenses: 18/20
Creation Info: 15/15
Total points: 68/100 or 68%
Hello,
I was playing around with this tool. As Trivy supports both SPDX and CycloneDX SBOMs, the SPDX scan worked as expected. However, the CycloneDX scan does not work and throws error messages.
Here is the Trivy docs on how the SBOM has been generated: https://aquasecurity.github.io/trivy/v0.35/docs/sbom/cyclonedx/
Command:
Here is the error message that I receive from the scan:
I also tried specifying the --sbomtype to CycloneDX but I must be providing the option/string wrong. The Trivy CycloneDX report passes the validator maintained by CycloneDX, thus I don't think there is something wrong with the SBOM, but I might be using this tool wrong.