owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Stacktrace thrown when scanning cyclonedx SBOM created against Python project #61

Closed mcasperson closed 1 year ago

mcasperson commented 1 year ago

When running depscan against a bom.xml file generated by CycloneDX for a Python project, the following stack trace is thrown:

Traceback (most recent call last):
  File "/home/matthew/.local/bin/depscan", line 8, in <module>
    sys.exit(main())
  File "/home/matthew/.local/lib/python3.10/site-packages/depscan/cli.py", line 260, in main
    os.makedirs(reports_dir)
  File "/usr/lib/python3.10/os.py", line 225, in makedirs
    mkdir(name, mode)
FileNotFoundError: [Errno 2] No such file or directory: ''

How to reproduce:

  1. Clone the Google Microservice demo: git clone https://github.com/GoogleCloudPlatform/microservices-demo.git
  2. Open the email service (A Python project): cd microservices-demo/src/emailservice
  3. Create the SBOM file: cyclonedx-py -r --output bom.xml
  4. Scan the bom.xml file: depscan --bom "bom.xml" --type bom --report_file depscan.json

This is the sample bom.xml file: bom.zip

prabhu commented 1 year ago

@mcasperson Could you also kindly pass --src .? It appears like a bug but if it works with this workaround then I can take a look at this leisurely.

mcasperson commented 1 year ago

@prabhu depscan --src $PWD does work ok.

prabhu commented 1 year ago

@mcasperson This bug is fixed with 2.2.1. Also noticed another bug related to hash comparison in vulnerability-db which is also fixed. Could you kindly retest and let me know how it looks for you?

mcasperson commented 1 year ago

@prabhu We made use of the Docker image at https://hub.docker.com/r/appthreat/dep-scan/tags to perform scans. I notice it hasn't been updated in some time, and so still has this error. Is the Docker image still something people should use, or has it been discontinued?

prabhu commented 1 year ago

@mcasperson I can check the docker hub tomorrow. Could you try using the GitHub container registry version which does get released reliably?

docker pull ghcr.io/appthreat/dep-scan:v3.0.2

mcasperson commented 1 year ago

Running docker run --rm -v "$PWD:/app" ghcr.io/appthreat/dep-scan:v3.0.2 scan --bom "/app/bom.xml" --type bom --report_file /app/depscan.json with the bom.xml file in the issue description still returns an error:

  ___            _____ _                    _
 / _ \          |_   _| |                  | |
/ /_\ \_ __  _ __ | | | |__  _ __ ___  __ _| |_
|  _  | '_ \| '_ \| | | '_ \| '__/ _ \/ _` | __|
| | | | |_) | |_) | | | | | | | |  __/ (_| | |_
\_| |_/ .__/| .__/\_/ |_| |_|_|  \___|\__,_|\__|
      | |   | |
      |_|   |_|

INFO [2022-11-20 23:16:24,474] ================================================================================
Traceback (most recent call last):
  File "/usr/local/bin/scan", line 33, in <module>
    sys.exit(load_entry_point('appthreat-depscan==3.0.2', 'console_scripts', 'scan')())
  File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/cli.py", line 303, in main
    pkg_list = get_pkg_list(bom_file)
  File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 173, in get_pkg_list
    pkgs.append(get_package(ele, licenses))
  File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 114, in get_package
    pkg = parse_bom_ref(bom_ref, licenses)
  File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 72, in parse_bom_ref
    name = name_ver[0]
IndexError: list index out of range

prabhu commented 1 year ago

@mcasperson Is there a reason why you cannot let dep-scan generate the SBoM for this project or generate one using cdxgen? There seems to be some incompatibility issue with bom-ref. All my OSS tools use package url format for the bom-ref attribute.

<component type="library" bom-ref="b4d95aac-a232-4e6d-b925-f31212d6d204"><name>cachetools</name><version>5.2.0</version><purl>pkg:pypi/cachetools@5.2.0</purl></component>

I am happy to add logic to skip such problematic components, but full compatibility with such non-standard implementations is a significant undertaking.
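The incompatibility described in this comment is that the bom-ref attribute is opaque in the CycloneDX schema: cdxgen and dep-scan put a package URL there, while cyclonedx-py emits a UUID, and a parser that assumes the former falls over on the latter. The Python below is an added example, not dep-scan's own parser or its 3.0.3 fix: it reads components from a small constructed BOM and takes the package identity from the <purl> element first, then from bom-ref only if that is itself a purl, and finally from the <name>/<version> elements. The sample BOM, the fallback order, and the deliberately minimal purl regex are all assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample (not the bom.zip from the issue): a UUID bom-ref as
# cyclonedx-py emits, a purl bom-ref as cdxgen emits, and a component
# with no purl at all.
SAMPLE_BOM = """
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="b4d95aac-a232-4e6d-b925-f31212d6d204">
      <name>cachetools</name><version>5.2.0</version>
      <purl>pkg:pypi/cachetools@5.2.0</purl>
    </component>
    <component type="library" bom-ref="pkg:npm/%40babel/core@7.20.2">
      <group>@babel</group><name>core</name><version>7.20.2</version>
      <purl>pkg:npm/%40babel/core@7.20.2</purl>
    </component>
    <component type="library" bom-ref="9f1c2d0e-0000-4000-8000-000000000001">
      <name>localtool</name><version>0.1</version>
    </component>
  </components>
</bom>
"""

# Minimal package-url grammar: pkg:type/[namespace/]name[@version][?q][#sub].
# Enough for the cases here; not a full implementation of the purl spec.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl):
    """Return a dict for a purl string, or None for anything else (e.g. a UUID)."""
    m = PURL_RE.match(purl or "")
    if not m:
        return None
    d = m.groupdict()
    return {
        "type": d["type"],
        "namespace": unquote(d["namespace"]) if d["namespace"] else None,
        "name": unquote(d["name"]),
        "version": unquote(d["version"]) if d["version"] else None,
    }


def parse_component(comp):
    """Return (name, version, purl) for one <component>.

    Never assumes bom-ref is a purl: an opaque UUID simply fails parse_purl
    and the explicit child elements are used instead.
    """
    def text(tag):
        el = comp.find(f"{{*}}{tag}")  # namespace-agnostic child lookup
        return el.text.strip() if el is not None and el.text else None

    bom_ref = comp.get("bom-ref")
    for cand in (text("purl"), bom_ref):
        parsed = parse_purl(cand)
        if parsed:
            ns = parsed["namespace"]
            full = f"{ns}/{parsed['name']}" if ns else parsed["name"]
            return full, parsed["version"], cand
    # Neither <purl> nor bom-ref is a package URL: fall back to <group>/<name>.
    name = text("name")
    if name is None:
        raise ValueError(f"component {bom_ref!r} has no purl and no <name>")
    group = text("group")
    return (f"{group}/{name}" if group else name), text("version"), None


def get_pkg_list(bom_xml):
    """Parse every component in a CycloneDX XML document, whatever the namespace."""
    root = ET.fromstring(bom_xml)
    return [parse_component(c) for c in root.iterfind(".//{*}component")]


if __name__ == "__main__":
    for name, version, purl in get_pkg_list(SAMPLE_BOM):
        print(f"{name:<14} {version or '?':<8} purl={purl}")
```

Treating bom-ref as an opaque key and taking the identity from <purl> matches how the schema defines the attribute, so a scanner written this way accepts output from either generator without special cases.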

prabhu commented 1 year ago

I think we got lucky since the fix turned out to be simple. Please try 3.0.3.

mcasperson commented 1 year ago

👍 3.0.3 does work with Python sboms.

As far as using another tool to generate the manifests, I had always assumed (perhaps naively) that the schemas were well defined and validated, so I just picked the CycloneDX suite because it had tools for most languages. But it would be easy enough to select another tool for the job.

prabhu commented 1 year ago

Please also test with cdxgen https://github.com/AppThreat/cdxgen and let me know how it looks for your apps.