guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

[bug] CycloneDX ingestion failing #1148

Open javixeneize opened 11 months ago

javixeneize commented 11 months ago

Hi

I am trying to ingest this sbom, https://raw.githubusercontent.com/CycloneDX/bom-examples/master/VEX/vex.json, which is an example from CycloneDX.

It identifies the format correctly, but during the ingestion it throws a sigsegv error

{"level":"info","ts":1692024531.816571,"caller":"cmd/files.go:198","msg":"collector ended gracefully"}
file:///sbom2.json
{"level":"info","ts":1692024531.817419,"caller":"parser/parser.go:129","msg":"parsing document tree with root type: CycloneDX"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x20 pc=0x105d05940]

goroutine 15 [running]:
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).getTopLevelPackage(0x14000276b40?, 0x0?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:77 +0x20
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).Parse(0x1400077a960, {0x1400029fd40?, 0x105db965d?}, 0x9?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:61 +0xc8
github.com/guacsec/guac/pkg/ingestor/parser.parseHelper({0x106575688, 0x1400003b740}, 0x14000276b40)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:189 +0x80
github.com/guacsec/guac/pkg/ingestor/parser.(*docTreeBuilder).parse(0x1400076ba10, {0x106575688, 0x1400003b740}, 0x140000dad40, 0x1400076b9d0?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:160 +0x48
github.com/guacsec/guac/pkg/ingestor/parser.ParseDocumentTree({0x106575688, 0x1400003b740}, 0x140000dad40)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:130 +0x104
github.com/guacsec/guac/cmd/guacone/cmd.getIngestor.func1(0x106567980?)
	/Users/javi/Downloads/guac/cmd/guacone/cmd/files.go:255 +0x2c
github.com/guacsec/guac/cmd/guacone/cmd.glob..func5.1.1()
	/Users/javi/Downloads/guac/cmd/guacone/cmd/files.go:169 +0x25c
golang.org/x/sync/errgroup.(*Group).Go.func1()
	/Users/javi/go/pkg/mod/golang.org/x/sync@v0.3.0/errgroup/errgroup.go:75 +0x5c
created by golang.org/x/sync/errgroup.(*Group).Go
	/Users/javi/go/pkg/mod/golang.org/x/sync@v0.3.0/errgroup/errgroup.go:72 +0xa4

pxp928 commented 11 months ago

Hey @javixeneize, thanks for opening the issue. This fails as we do not currently support the ingestion of VEX in CycloneDX format. The CDX parser needs to be updated/created for this to work. This is definitely on the roadmap to add this support! Would you be interested in working on updating the parser or creating a new one to ingest this?

Currently, we have a CSAF parser for VEX.

javixeneize commented 11 months ago

Hi

I might want to help, but my skills in Go are quite limited :( There's no way this can be done in Python, right?

pxp928 commented 11 months ago

Ah, no worries!

stevemenezes commented 11 months ago

@javixeneize can you please help with steps to reproduce this issue? Tried to save the contents in a cdx.json file but seeing this error - no document processor registered for type: UNKNOWN, format: UNKNOWN, document: UNKNOWN.

javixeneize commented 11 months ago

I just downloaded the file and ran ./bin/guacone collect files vex.json, the standard ingestion step.

javixeneize commented 11 months ago

In the meantime, @pxp928, I have written in Python a small tool that reads the CycloneDX format and ingests it into neo4j with all the relations etc. If this is something you think would fit in GUAC, I'm happy to contribute here. I don't want to overload the market with yet another tool that does pretty much the same as yours 😆

lumjjb commented 11 months ago

Hey @javixeneize , for now we are taking in collector projects (since they run as a binary), but if your tool can produce an output which is the GUAC gql statements, we could definitely mention it in the "friends of GUAC" in our repo!

Otherwise, it would be super awesome to also get CDX VEX supported here; we are definitely looking towards adding that + OpenVEX as well.

javixeneize commented 11 months ago

Hi. I don't know what the expected format is, but I can adapt it. Where can I find information about it? The limitation here is what I mentioned above: I do Python, not Go, so I don't think I would be able to build your plugin in Go.

nathannaveen commented 11 months ago

@pxp928 @javixeneize If no one else is working on this, I would like to take this up?

javixeneize commented 11 months ago

I'm not part of GUAC, but based on what I have read I assume they are looking for support, so it should be fine :)

stevemenezes commented 11 months ago

Thanks @javixeneize, not sure why it isn't working for me currently, will investigate. I was planning to pick this up, hence needed clarifications around the steps to reproduce it - @nathannaveen, if that's okay with you?

Update - able to replicate the issue after I downloaded the file directly rather than copying the contents of it.

nathannaveen commented 11 months ago

@stevemenezes Of course

javixeneize commented 11 months ago

> Hey @javixeneize , for now we are taking in collector projects (since they run as a binary), but if your tool can produce an output which is the GUAC gql statements, we could definitely mention it in the "friends of GUAC" in our repo!
>
> Otherwise, it would be super awesome to also get CDX vex supported here, we are definitely looking towards adding that + openvex as well.

Hi

I just released the tool to visualise CycloneDX with neo4j - https://github.com/javixeneize/neo4cyclone, just in case this fits in "friends of GUAC" or even if it contains anything that you think would fit in GUAC.

Thanks

stevemenezes commented 11 months ago

This PR adds a parser for CycloneDX VEX BOMs: https://github.com/guacsec/guac/pull/1181. However, a CDX file could be both an SBOM and a VEX file.

Hence, we are planning to start with the CDX SBOM parser and call CDX VEX if needed from the CDX SBOM parser. This would be addressed in a follow-up PR; we can keep this issue open in the meantime.
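The trace in the first post dies inside getTopLevelPackage at a nil dereference (addr=0x20), which is what happens when the parser assumes every CycloneDX document carries a metadata.component: a VEX-only document has none, its "affects" entries point at bom-refs or BOM-Links in some other SBOM. The sketch below, added here as an example and not GUAC's parser nor cyclonedx-go (the cdx* types, DocKind and all function names are this example's own), shows the nil-safe lookup, the SBOM / VEX / both classification the comment above describes, and a check for VEX refs that the document itself cannot resolve. The two JSON inputs are constructed for the example, not the CycloneDX bom-examples file.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal CycloneDX shapes for this example (not GUAC's types, not cyclonedx-go); encoding/json matches keys case-insensitively.
type cdxComponent struct {
	Name, Version string
	BOMRef        string `json:"bom-ref"`
}
type cdxMetadata struct{ Component *cdxComponent }
type cdxAffect struct{ Ref string }
type cdxVulnerability struct{ Affects []cdxAffect }
type cdxBOM struct {
	BOMFormat       string
	Metadata        *cdxMetadata
	Components      []cdxComponent
	Vulnerabilities []cdxVulnerability
}

// DocKind is what an ingestor should branch on before it assumes an SBOM.
type DocKind string

const (
	KindUnknown DocKind = ""
	KindSBOM    DocKind = "sbom"     // metadata.component and/or components only
	KindVEX     DocKind = "vex"      // vulnerabilities only, no top-level component
	KindBoth    DocKind = "sbom+vex" // components and vulnerabilities in one file
)

// ErrNoTopLevelComponent is returned where the original lookup dereferenced nil.
var ErrNoTopLevelComponent = errors.New("cyclonedx: document has no metadata.component")
// TopLevelComponent is a nil-safe version of the lookup that panicked above.
func TopLevelComponent(b *cdxBOM) (*cdxComponent, error) {
	if b == nil || b.Metadata == nil || b.Metadata.Component == nil {
		return nil, ErrNoTopLevelComponent
	}
	return b.Metadata.Component, nil
}

// Parse unmarshals a CycloneDX JSON document and reports whether it is an SBOM, a VEX, or both.
func Parse(data []byte) (*cdxBOM, DocKind, error) {
	var b cdxBOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, KindUnknown, err
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, KindUnknown, fmt.Errorf("not a CycloneDX document: bomFormat=%q", b.BOMFormat)
	}
	_, topErr := TopLevelComponent(&b)
	hasSBOM := topErr == nil || len(b.Components) > 0
	hasVEX := len(b.Vulnerabilities) > 0
	switch {
	case hasSBOM && hasVEX:
		return &b, KindBoth, nil
	case hasSBOM:
		return &b, KindSBOM, nil
	case hasVEX:
		return &b, KindVEX, nil
	}
	return nil, KindUnknown, errors.New("cyclonedx: no components and no vulnerabilities")
}

// UnresolvedRefs lists "affects" refs that match no bom-ref in this document (e.g.
// BOM-Links into a separate SBOM): those statements need that SBOM ingested first.
func UnresolvedRefs(b *cdxBOM) []string {
	known := map[string]bool{}
	if top, err := TopLevelComponent(b); err == nil {
		known[top.BOMRef] = true
	}
	for _, c := range b.Components {
		known[c.BOMRef] = true
	}
	var missing []string
	for _, v := range b.Vulnerabilities {
		for _, a := range v.Affects {
			if !known[a.Ref] {
				missing = append(missing, a.Ref)
			}
		}
	}
	return missing
}

// Constructed sample inputs for this example (not the CycloneDX bom-examples file).
const VEXOnlyJSON = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,
 "vulnerabilities":[{"id":"CVE-2021-44228","affects":[{"ref":"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#log4j-core@2.14.1"}]}]}`
const SBOMJSON = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,
 "metadata":{"component":{"type":"application","name":"app","version":"1.0.0","bom-ref":"app@1.0.0"}},
 "components":[{"type":"library","name":"lib","version":"2.3.4","bom-ref":"lib@2.3.4"}]}`

func main() {
	for _, doc := range []string{VEXOnlyJSON, SBOMJSON} {
		b, kind, err := Parse([]byte(doc))
		_, topErr := TopLevelComponent(b) // safe even when Parse failed and b is nil
		fmt.Printf("%s err=%v topErr=%v\n", kind, err, topErr)
	}
}
```

Run against the constructed VEX-only input, Parse returns KindVEX, TopLevelComponent returns ErrNoTopLevelComponent instead of panicking, and UnresolvedRefs reports the BOM-Link, which is the signal that the referenced SBOM has to be in the graph before these statements can attach to a package. A document with both components and vulnerabilities classifies as KindBoth and resolves its refs locally, the case the follow-up PR above is meant to handle.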

pxp928 commented 11 months ago

> Hi
>
> I just released the tool to visualise cyclonedx with neo4j - https://github.com/javixeneize/neo4cyclone, just in case this fits in "friends of guac" or even if it contains anything that you think that would fit in guac
>
> Thanks

Thanks @javixeneize! This is great work! Let us know if you are interested in adapting your tool to generate GUAC gql statements (ingest packages, dependencies, and vulnerability) and we can help as needed :)

javixeneize commented 11 months ago

It would be good, yes. Where could I find docs about that?

Maybe, if not generating the ingestion, at least the visualisation and rendering from the data ingested.

pxp928 commented 11 months ago

So we have a lot of information about the GUAC ontology, its definitions, and the actual GraphQL API definitions which are used to communicate with GUAC. These would be a good place to start.