nyph-infosec / daggerboard

MIT License

Daggerboard can't analyze its own SPDX #23

Open eroussy opened 11 months ago

eroussy commented 11 months ago

Daggerboard installation method: docker

Description

I uploaded the SPDX-DAGGERBOARD-1-0-SBOM-20-5-2022-23-40.spdx provided in this repository on daggerboard. The SBOM is correctly analyzed, but after that, no other sbom will be analyzed. New uploaded files stay in the "started" state and are never analyzed.

Exact steps to reproduce:

Analysis

Here is the content of the sbom.log in the docker container :

2023-07-25 09:21:01 INFO-0-11dfb283c1f9dd29a2958ee4623afbf198290843: Beginning SBOM processing for file SPDX-DAGGERBOARD-1-0-SBOM-20-5-2022-23-40.spdx.
2023-07-25 09:21:01 INFO-00-11dfb283c1f9dd29a2958ee4623afbf198290843: Tag: PackageSupplier: Organization: is missing in file SPDX-DAGGERBOARD-1-0-SBOM-20-5-2022-23-40.spdx, 35 occurances. Fixed.
2023-07-25 09:24:01 /var/www/sbomscripts/sbom_process.pid already exists, exiting
2023-07-25 09:27:02 /var/www/sbomscripts/sbom_process.pid already exists, exiting
2023-07-25 09:30:01 /var/www/sbomscripts/sbom_process.pid already exists, exiting

I tried resetting the container and removing the dagger-vol volume. I then uploaded SPDX-DAGGERBOARD-1-0-SBOM-20-5-2022-23-40.spdx again and launched the analysis manually:

root@872d71ff361f:/# /root/sbom/auto/sbom_process.py
ls: cannot access '*.xml': No such file or directory
{'DocumentName:': 'DAGGERBOARD-1.0-SBOM', 'Creator: Organization:': 'NewYork-Presbyterian Hospital', 'CreatorComment:': ''}
Traceback (most recent call last):
  File "/root/sbom/auto/sbom_process.py", line 625, in <module>
    c.execute("INSERT INTO daggerboard_package (sbomid_packages, packagename, packageversion, packagesupplier, packagecomment) VALUES (?,?,?,?,?)",(sbom_lrowid,v['PackageName:'],v['PackageVersion:'], v['PackageSupplier: Organization:'],v['PackageComment:']))
mariadb.DataError: Data too long for column 'packagesupplier' at row 1

It seems that line 452 of SPDX-DAGGERBOARD-1-0-SBOM-20-5-2022-23-40.spdx contains a package supplier that is too long: "Organization: Andy Robinson, Robin Becker, the ReportLab team and the community".

Then, because sbom_process.py failed, it did not remove the file /var/www/sbomscripts/sbom_process.pid, and this file blocks every other SBOM analysis.
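
The report above describes two defects that feed each other: a pid file that outlives a crashed run and then blocks every later run, and a field that the database rejects only at insert time. The following is an added example illustrating how a defender would close both gaps; it is not daggerboard's own code and was not written by the project. It assumes a 50-character limit for `packagesupplier` (the real schema is not shown in this issue), uses an in-memory SQLite table with a `CHECK` constraint in place of MariaDB, and the names `pid_lock`, `check_field`, `insert_packages`, `process_sbom` and `demo` are invented for the example. The package dictionaries in `demo()` are constructed sample input.

```python
import os
import sqlite3
import tempfile
from contextlib import contextmanager
from pathlib import Path

# Assumed packagesupplier width (the real schema is not shown in the issue);
# the CHECK on the SQLite stand-in table emulates MariaDB's "Data too long".
PACKAGESUPPLIER_MAX = 50
SCHEMA = f"""CREATE TABLE daggerboard_package (
    sbomid_packages INTEGER, packagename TEXT, packageversion TEXT,
    packagesupplier TEXT CHECK (length(packagesupplier) <= {PACKAGESUPPLIER_MAX}),
    packagecomment TEXT)"""

class AlreadyRunning(RuntimeError): "Another live process holds the pid file."

def _pid_alive(pid):
    """Signal 0 delivers nothing; it only reports whether the pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True

@contextmanager
def pid_lock(path):
    """Hold a pid file for the block and always remove it on exit. O_EXCL makes
    creation atomic; a leftover file with a dead or unreadable pid is stale."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError:
        text = Path(path).read_text().strip()
        if text.isdigit() and int(text) != os.getpid() and _pid_alive(int(text)):
            raise AlreadyRunning(f"{path} already exists, held by live pid {text}")
        os.remove(path)  # stale lock left behind by a crashed run
        fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    try:
        yield
    finally:  # runs on success, on any exception and on KeyboardInterrupt
        try:
            os.remove(path)
        except FileNotFoundError:
            pass

def check_field(name, value, limit):
    """Reject over-long values before the INSERT so the error names the field."""
    if len(value) > limit:
        raise ValueError(f"{name} is {len(value)} chars, limit {limit}: {value!r}")
    return value

def insert_packages(conn, sbom_id, packages):
    """Validate every package first, then insert all rows in one transaction."""
    rows = [(sbom_id, p["PackageName:"], p["PackageVersion:"],
             check_field("PackageSupplier", p["PackageSupplier: Organization:"],
                         PACKAGESUPPLIER_MAX), p["PackageComment:"]) for p in packages]
    with conn:  # commit, or roll back if the CHECK still fires
        conn.executemany("INSERT INTO daggerboard_package VALUES (?,?,?,?,?)", rows)
    return len(rows)

def process_sbom(pid_path, conn, sbom_id, packages):
    """One processing run; the lock is released whatever insert_packages does."""
    with pid_lock(pid_path):
        return insert_packages(conn, sbom_id, packages)

def demo():
    """Constructed scenario mirroring the report: a bad field, then retries."""
    def pkg(name, supplier):
        return {"PackageName:": name, "PackageVersion:": "1.0",
                "PackageSupplier: Organization:": supplier, "PackageComment:": ""}
    bad = [pkg("pkg-a", "Andy Robinson, Robin Becker, the ReportLab team and the community")]
    good = [pkg("pkg-b", "Example Org")]
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        pid_path = os.path.join(tmp, "sbom_process.pid")
        conn = sqlite3.connect(":memory:")
        conn.execute(SCHEMA)
        try:
            process_sbom(pid_path, conn, 1, bad)
        except ValueError as exc:
            out["first_error"] = str(exc)
        out["pid_left_behind"] = os.path.exists(pid_path)  # False: lock released
        out["second_run_rows"] = process_sbom(pid_path, conn, 2, good)
        Path(pid_path).write_text("garbage")  # unreadable leftover: treated as stale
        out["third_run_rows"] = process_sbom(pid_path, conn, 3, good)
        Path(pid_path).write_text("1")  # pid 1 is always alive: a genuine concurrent run
        try:
            process_sbom(pid_path, conn, 4, good)
            out["live_lock_blocked"] = False
        except AlreadyRunning:
            out["live_lock_blocked"] = True
        out["rows_in_db"] = conn.execute("SELECT count(*) FROM daggerboard_package").fetchone()[0]
    return out
```

Running `demo()` shows the two behaviours the report asks for: the over-long supplier is refused with a message naming the field and length before any row is written, the pid file is gone afterwards so the next upload is processed, a leftover file with garbage in it is replaced rather than honoured, and a pid that really is alive still blocks the run. The `finally` clause is what the original script lacked; the liveness check is what turns a crash into a one-off failure instead of a permanent stall.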

namtarb commented 11 months ago

Hi, @eroussy, thank you for raising these issues. We are reworking the code to eliminate the pid problem and will include changes to improve field validation. We're planning to release these fixes in our next update, which is currently under development.

For the pid issue - this workaround can be applied when the sbom_process.pid error appears:

1. cd /var/www/sbomscripts/
2. rm sbom_process.pid
3. Resubmit the upload

For the field validation issue there are a few workarounds: