spdx / ntia-conformance-checker

Check SPDX SBOM for NTIA minimum elements
Apache License 2.0

pipx install ntia-conformance-checker and scan results in python error #196

Closed msmeissn closed 3 months ago

msmeissn commented 4 months ago

ntia-checker --file ~/sbom.spdx

Is this SBOM NTIA minimum element conformant? False

The provided document couldn't be parsed, check for ntia minimum elements couldn't be performed.

The following SPDXParsingError was raised:

Error while constructing CreationInfo: CreationInfo.__init__() missing 6 required positional arguments: 'spdx_version', 'spdx_id', 'name', 'document_namespace', 'creators', and 'created'

jspeed-meyers commented 4 months ago

@msmeissn: Thank you for the bug report. Can you please provide the SBOM you used that resulted in this error?

msmeissn commented 4 months ago

sbom.txt

jspeed-meyers commented 3 months ago

@msmeissn: Thank you for the explanatory text in sbom.txt. Could you please provide the actual SBOM you scanned that resulted in this bug report?

I tried to follow the instructions, but I do not have the public key mentioned in the text. I therefore got this error:

cosign verify-attestation  --type spdxjson --key /usr/share/pki/containers/suse-container-key.pem registry.suse.com/suse/sle15@sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb | jq '.payload | @base64d |  fromjson | .predicate'
...
main.go:74: error during command execution: loading public key: open /usr/share/pki/containers/suse-container-key.pem: no such file or directory

msmeissn commented 3 months ago

I attached the wrong SBOM, sorry. Trying again: sbom.txt

jspeed-meyers commented 3 months ago

@msmeissn: Again, thank you for the bug report. I tried to replicate the error but couldn't yet.

First, here is the version of ntia-conformance-checker I used:

$ ntia-checker --version
2.0.0

Next, I ran this command:

$ ntia-checker --file ~/Desktop/sbom.json > ~/Desktop/output.txt

I have attached the output.txt file that the above command created: output.txt

The errors I get, which are really instances of this SPDX document not being valid according to the SPDX specification, don't include a mention of Error while constructing CreationInfo:.

Here's the first 20 lines of the error output:

$ cat output.txt | head -n 20

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | True
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | False

The provided document is not valid according to the SPDX specification. The following errors were found:

Unrecognized license reference: GPL-2.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GPL-2.0+
Unrecognized license reference: GPL-2.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GPL-2.0+
Unrecognized license reference: GFDL-1.2. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+
Unrecognized license reference: GPL-3.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+
Unrecognized license reference: GFDL-1.2. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+

Any thoughts or ideas?
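
The five "Unrecognized license reference" errors above are not parser bugs: GPL-2.0+, GPL-3.0+ and GFDL-1.2 are identifiers that the SPDX license list has retired, and spdx-tools only accepts current IDs or LicenseRef- entries. The script below is an added example (not code from ntia-conformance-checker, spdx-tools, or the reporter) that lists the deprecated IDs in a license expression and rewrites them to their documented replacements, so an SBOM can be re-checked before fixing the generator. The replacement table is limited to the IDs seen in this thread plus a few siblings, and the sample document is constructed, not the attached SBOM.

```python
"""Flag and rewrite deprecated SPDX license identifiers in SPDX JSON packages.

Added example for this thread, not code from ntia-conformance-checker or
spdx-tools. The mapping covers the three IDs that appear in the validation
errors plus a few siblings; anything outside it is left untouched. The
sample document below is constructed for the demo.
"""
import copy
import re

# Deprecated identifier -> current SPDX license-list replacement.
DEPRECATED_IDS = {
    "GPL-2.0+": "GPL-2.0-or-later",
    "GPL-3.0+": "GPL-3.0-or-later",
    "GFDL-1.2": "GFDL-1.2-only",
    "GPL-2.0": "GPL-2.0-only",
    "GPL-3.0": "GPL-3.0-only",
    "LGPL-2.1+": "LGPL-2.1-or-later",
}
OPERATORS = {"AND", "OR", "WITH"}
LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared")
# A parenthesis, or an identifier (LicenseRef-... included) with an optional trailing "+".
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-]+\+?")


def find_deprecated(expression: str) -> list:
    """Deprecated IDs used in a license expression, in order of appearance."""
    return [t for t in TOKEN.findall(expression) if t in DEPRECATED_IDS]


def normalize(expression: str) -> str:
    """Rewrite deprecated IDs in an expression; operators and grouping are kept."""
    out = []
    for tok in TOKEN.findall(expression):
        if tok in ("(", ")"):
            out.append(tok)
        elif tok.upper() in OPERATORS:
            out.append(tok.upper())
        else:
            out.append(DEPRECATED_IDS.get(tok, tok))
    return " ".join(out).replace("( ", "(").replace(" )", ")")


def rewrite_document(doc: dict):
    """Return (deep copy of doc with package license fields normalized, change log)."""
    new_doc = copy.deepcopy(doc)
    changes = []
    for pkg in new_doc.get("packages", []):
        for field in LICENSE_FIELDS:
            old = pkg.get(field)
            # NOASSERTION / NONE are keywords, not license IDs; leave them alone.
            if not isinstance(old, str) or old in ("NOASSERTION", "NONE"):
                continue
            new = normalize(old)
            if new != old:
                pkg[field] = new
                changes.append(f"{pkg.get('name')}.{field}: {old} -> {new}")
    return new_doc, changes


# Constructed sample SPDX JSON fragment (not the SBOM attached to the issue).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "bash", "licenseDeclared": "GPL-2.0+", "licenseConcluded": "NOASSERTION"},
        {"name": "info", "licenseDeclared": "GFDL-1.2 AND GPL-3.0+",
         "licenseConcluded": "GFDL-1.2 AND GPL-3.0+"},
        {"name": "tool", "licenseDeclared": "MIT", "licenseConcluded": "(MIT OR Apache-2.0)"},
    ],
}

if __name__ == "__main__":
    fixed, log = rewrite_document(SAMPLE_DOC)
    for line in log:
        print(line)
```

Treat the rewrite as a diagnostic step: licenseDeclared records what the package author stated, so the durable fix belongs in the SBOM generator rather than in a post-processing pass over its output.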

msmeissn commented 3 months ago

I think it might be a Python dependency issue for me; it seems to pull in some incompatible spdx module.

the venv has spdx_tools-0.8.2.

$ ls ~/.local/share/pipx/venvs/ntia-conformance-checker/lib/python3.11/site-packages/
beartype                   license_expression-30.3.0.dist-info       PyYAML-6.0.2.dist-info             uritools
beartype-0.18.5.dist-info  ntia_conformance_checker                  rdflib                             uritools-4.0.3.dist-info
boolean                    ntia_conformance_checker-2.0.0.dist-info  rdflib-7.0.0.dist-info             xmltodict-0.13.0.dist-info
boolean.py-4.0.dist-info   pipx_shared.pth                           semantic_version                   xmltodict.py
click                      ply                                       semantic_version-2.10.0.dist-info  _yaml
click-8.1.7.dist-info      ply-3.11.dist-info                        six-1.16.0.dist-info               yaml
isodate                    __pycache__                               six.py
isodate-0.6.1.dist-info    pyparsing                                 spdx_tools
license_expression         pyparsing-3.1.2.dist-info                 spdx_tools-0.8.2.dist-info

which has:

@dataclass_with_properties
class CreationInfo:
    spdx_version: str
    spdx_id: str
    name: str
    document_namespace: str
    creators: List[Actor]
    created: datetime
    creator_comment: Optional[str] = None
    data_license: str = "CC0-1.0"
    external_document_refs: List[ExternalDocumentRef] = field(default_factory=list)
    license_list_version: Optional[Version] = None
    document_comment: Optional[str] = None

    def __init__(
        self,
        spdx_version: str,
        spdx_id: str,
        name: str,
        document_namespace: str,
        creators: List[Actor],
        created: datetime,
        creator_comment: Optional[str] = None,
        data_license: str = "CC0-1.0",
        external_document_refs: List[ExternalDocumentRef] = None,
        license_list_version: Optional[Version] = None,
        document_comment: Optional[str] = None,
    ):
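
The CreationInfo signature above explains the original traceback: the six positional arguments (spdx_version, spdx_id, name, document_namespace, creators, created) are exactly the SPDX fields that have no default, so a document missing any of them never becomes a CreationInfo and the element checks in the status table never run. The script below is an added example, not code from ntia-conformance-checker or spdx-tools, written with only the standard library. It checks those six fields first and reports a parsing failure in that case, otherwise it evaluates the seven rows shown in the status table earlier in the thread. The per-row rules (which relationship types count as dependencies, which creators count as an author) are this example's own reading of the NTIA elements, stated as assumptions in the code, and both sample documents are constructed.

```python
"""Minimal NTIA minimum-elements check over an SPDX 2.x JSON document.

Added example for this thread, not code from ntia-conformance-checker or
spdx-tools. Mirrors the seven rows of the tool's status table and reports a
CreationInfo that lacks required fields as a parsing failure instead of
reaching the element checks. Per-row rules are assumptions, not the tool's
exact logic; sample documents are constructed.
"""
import json


class SpdxParsingError(ValueError):
    """Raised when the document cannot be turned into a CreationInfo."""


# The six required CreationInfo fields from the traceback at the top of the
# thread, keyed by where they live in the SPDX 2.x JSON serialization.
REQUIRED_TOP_LEVEL = ("spdxVersion", "SPDXID", "name", "documentNamespace")
REQUIRED_CREATION_INFO = ("creators", "created")

# Relationship types counted as dependency information (assumption).
DEPENDENCY_TYPES = {"DEPENDS_ON", "DEPENDENCY_OF", "CONTAINS", "CONTAINED_BY"}


def missing_creation_info(doc: dict) -> list:
    """Names of required CreationInfo fields that are absent or empty."""
    missing = [k for k in REQUIRED_TOP_LEVEL if not doc.get(k)]
    ci = doc.get("creationInfo") or {}
    missing += [f"creationInfo.{k}" for k in REQUIRED_CREATION_INFO if not ci.get(k)]
    return missing


def check_elements(doc: dict) -> dict:
    """Evaluate the seven NTIA minimum-element rows for one parsed document."""
    missing = missing_creation_info(doc)
    if missing:
        # spdx-tools fails at this point, before any element check runs.
        raise SpdxParsingError(
            "Error while constructing CreationInfo: missing " + ", ".join(missing)
        )
    packages = doc.get("packages") or []
    creators = doc["creationInfo"]["creators"]
    relationships = doc.get("relationships") or []

    def every(field):  # True only if packages exist and all carry the field
        return bool(packages) and all(p.get(field) for p in packages)

    return {
        "All component names provided?": every("name"),
        "All component versions provided?": every("versionInfo"),
        "All component identifiers provided?": every("SPDXID"),
        "All component suppliers provided?": every("supplier"),
        # Assumption: a Person: or Organization: creator is an author; Tool: alone is not.
        "SBOM author name provided?": any(
            c.startswith(("Person:", "Organization:")) for c in creators
        ),
        "SBOM creation timestamp provided?": bool(doc["creationInfo"].get("created")),
        "Dependency relationships provided?": any(
            r.get("relationshipType") in DEPENDENCY_TYPES for r in relationships
        ),
    }


def evaluate(text: str):
    """Parse SPDX JSON text; return (conformant, rows, parse_error_or_None)."""
    try:
        rows = check_elements(json.loads(text))
    except (SpdxParsingError, json.JSONDecodeError) as exc:
        return False, {}, str(exc)
    return all(rows.values()), rows, None


# Constructed sample document that satisfies every row.
SBOM_OK = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image", "documentNamespace": "https://example.invalid/spdx/example-image",
    "creationInfo": {"created": "2024-06-01T00:00:00Z",
                     "creators": ["Organization: Example Corp", "Tool: example-generator-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "versionInfo": "1.2.3",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-Package-libz", "name": "libz", "versionInfo": "1.3",
         "supplier": "Organization: Example Corp"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libz"},
    ],
})

# Same document with the namespace and creators removed: the shape that
# produces the CreationInfo error reported at the top of this thread.
_broken = json.loads(SBOM_OK)
del _broken["documentNamespace"]
del _broken["creationInfo"]["creators"]
SBOM_BROKEN = json.dumps(_broken)

if __name__ == "__main__":
    for label, text in (("ok", SBOM_OK), ("broken", SBOM_BROKEN)):
        ok, rows, err = evaluate(text)
        print(f"[{label}] Is this SBOM NTIA minimum element conformant? {ok}")
        for row, status in rows.items():
            print(f"  {row:<45} | {status}")
        if err:
            print("  " + err)
```

Running it against SBOM_BROKEN reproduces the two-stage failure the reporter saw: the overall answer is False, the table is empty, and the only diagnostic is the CreationInfo error. That is why a parse error from an incompatible spdx-tools build looks, in the tool's output, like a non-conformant SBOM.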

jspeed-meyers commented 3 months ago

Hmmm, the current pyproject.toml file pins spdx-tools at 0.8.2. See here. 🤔 I'd be curious to know the installation steps you took and the platform you're using. Maybe that would help with debugging?

msmeissn commented 3 months ago

Basically just "pipx install ntia-conformance-checker".

I am working on openSUSE Tumbleweed.

$ pipx install ntia-conformance-checker
  installed package ntia-conformance-checker 2.0.0, installed using Python 3.11.9
  These apps are now globally available

jspeed-meyers commented 3 months ago

Hmmm....

Okay, I used pipx:

pipx install ntia-conformance-checker

I check the version and it's the most recent version on PyPI:

$ ntia-checker --version                       
2.0.0

And then I run the command:

$ ntia-checker --file ~/Desktop/sbom.json > ~/Desktop/output.txt

And I get this output: output.txt

I don't see the same error though:

$ cat ~/Desktop/output.txt| head -n 20

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | True
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | False

The provided document is not valid according to the SPDX specification. The following errors were found:

Unrecognized license reference: GPL-2.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GPL-2.0+
Unrecognized license reference: GPL-2.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GPL-2.0+
Unrecognized license reference: GFDL-1.2. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+
Unrecognized license reference: GPL-3.0+. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+
Unrecognized license reference: GFDL-1.2. license_expression must only use IDs from the license list or extracted licensing info, but is: GFDL-1.2 AND GPL-3.0+

I'm on MacOS though, Sonoma 14.5.

Are you still getting the same error?

jspeed-meyers commented 3 months ago

@msmeissn -- I'm going to close for now, but if there is still an issue, please do re-open it! I want to help, I swear!