Closed mcasperson closed 1 year ago
@mcasperson Could you also kindly pass `--src .`? It appears like a bug but if it works with this workaround then I can take a look at this leisurely.
@prabhu `depscan --src $PWD` does work ok.
@mcasperson This bug is fixed with 2.2.1. Also noticed another bug related to hash comparison in vulnerability-db which is also fixed. Could you kindly retest and let me know how it looks for you?
@prabhu We made use of the Docker image at https://hub.docker.com/r/appthreat/dep-scan/tags to perform scans. I notice it hasn't been updated in some time, and so still has this error. Is the Docker image still something people should use, or has it been discontinued?
@mcasperson I can check the docker hub tomorrow. Could you try using the GitHub container registry version which does get released reliably?
docker pull ghcr.io/appthreat/dep-scan:v3.0.2
Running `docker run --rm -v "$PWD:/app" ghcr.io/appthreat/dep-scan:v3.0.2 scan --bom "/app/bom.xml" --type bom --report_file /app/depscan.json` with the bom.xml file in the issue description still returns an error:
INFO [2022-11-20 23:16:24,474] ================================================================================
Traceback (most recent call last):
File "/usr/local/bin/scan", line 33, in <module>
sys.exit(load_entry_point('appthreat-depscan==3.0.2', 'console_scripts', 'scan')())
File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/cli.py", line 303, in main
pkg_list = get_pkg_list(bom_file)
File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 173, in get_pkg_list
pkgs.append(get_package(ele, licenses))
File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 114, in get_package
pkg = parse_bom_ref(bom_ref, licenses)
File "/usr/local/lib/python3.10/site-packages/appthreat_depscan-3.0.2-py3.10.egg/depscan/lib/bom.py", line 72, in parse_bom_ref
name = name_ver[0]
IndexError: list index out of range
@mcasperson Is there a reason why you cannot let dep-scan generate the SBoM for this project or generate one using cdxgen? There seems to be some incompatibility issue with bom-ref. All my OSS tools use package url format for the bom-ref attribute.
<component type="library" bom-ref="b4d95aac-a232-4e6d-b925-f31212d6d204"><name>cachetools</name><version>5.2.0</version><purl>pkg:pypi/cachetools@5.2.0</purl></component>
I am happy to add logic to skip such problematic components, but full compatibility with such non-standard implementations is a significant undertaking.
I think we got lucky since the fix turned out to be simple. Please try 3.0.3.
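The crash above comes from treating every `bom-ref` as a package URL; a UUID-style `bom-ref` yields nothing to split and `name_ver[0]` raises `IndexError`. The following is an added illustration, not dep-scan's own code: it prefers a purl-style `bom-ref`, falls back to the component's `<purl>` element (as in the cachetools snippet), and skips components that have neither instead of aborting the scan. The helper names and the sample BOM are constructed for this example.

```python
"""Resolve CycloneDX components to package URLs whether or not bom-ref is a purl."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the issue's bom.xml: a UUID bom-ref with a <purl>,
# a purl-style bom-ref with no <purl>, and a component with neither.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="b4d95aac-a232-4e6d-b925-f31212d6d204">
      <name>cachetools</name><version>5.2.0</version>
      <purl>pkg:pypi/cachetools@5.2.0</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.apache/commons@1.0">
      <name>commons</name><version>1.0</version>
    </component>
    <component type="library" bom-ref="0c1b2e2a-0000-4000-8000-000000000001">
      <name>orphan</name><version>0.1</version>
    </component>
  </components>
</bom>"""


def parse_purl(purl):
    """Split 'pkg:type/[namespace/]name@version' into parts (hypothetical helper)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package url: {purl!r}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    ptype, _, rest = body.partition("/")
    name_ver = rest.rsplit("@", 1)
    name = name_ver[0]
    version = name_ver[1] if len(name_ver) == 2 else ""
    namespace, _, bare_name = name.rpartition("/")
    return {"type": ptype, "namespace": namespace or None, "name": bare_name, "version": version}


def component_purl(comp):
    """Use bom-ref only when it is a purl; otherwise fall back to <purl>, else None."""
    ref = comp.get("bom-ref", "")
    if ref.startswith("pkg:"):
        return ref
    purl_el = comp.find("{*}purl")  # {*} matches any namespace (Python 3.8+)
    return purl_el.text.strip() if purl_el is not None and purl_el.text else None


def get_pkg_list(xml_text):
    """Return parsed packages, skipping components with no usable purl instead of crashing."""
    root = ET.fromstring(xml_text)
    pkgs = []
    for comp in root.findall(".//{*}component"):
        purl = component_purl(comp)
        if purl is not None:
            pkgs.append(parse_purl(purl))
    return pkgs
```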
👍 3.0.3 does work with Python sboms.
As far as using another tool to generate the manifests, I had always assumed (perhaps naively) that the schemas were well defined and validated, so I just picked the CycloneDX suite because it had tools for most languages. But it would be easy enough to select another tool for the job.
Please also test with cdxgen https://github.com/AppThreat/cdxgen and let me know how it looks for your apps.
When running depscan against a bom.xml file generated by CycloneDX for a Python project, the following stack trace is thrown:
How to reproduce:
git clone https://github.com/GoogleCloudPlatform/microservices-demo.git
cd microservices-demo/src/emailservice
cyclonedx-py -r --output bom.xml
depscan --bom "bom.xml" --type bom --report_file depscan.json
This is the sample bom.xml file: bom.zip