sw360 / capycli

CaPyCLI - Python scripts for software license compliance automation with SW360

Exception with debian packages #70

Closed cboehm-it closed 4 months ago

cboehm-it commented 5 months ago

We use CaPyCli also to clear debian packages. Some of them have URL entries in the SBOM like: "pkg:deb/debian/xorg-server@2:1.20.4-1+deb10u5?arch=source&distro=industrial-os-2.4".

The following works with CaPyCli v2.1.0 capycli bom map and results in an SBOM with "purl": "pkg:deb/debian/xorg-server@2:1.20.4-1+deb10u5?arch=source&distro=industrial-os-2.4"

With CaPyCli > 2.1.0 you get a traceback:

Traceback (most recent call last):
  File "/usr/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/__main__.py", line 13, in <module>
    cli.main()
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/main/cli.py", line 28, in main
    app.run(argv)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/main/application.py", line 159, in run
    self._run(argv)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/main/application.py", line 140, in _run
    handle_bom.run_bom_command(self.options)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/bom/handle_bom.py", line 83, in run_bom_command
    app5.run(args)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/bom/map_bom.py", line 1067, in run
    new_bom = self.create_updated_bom(sbom, result)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/bom/map_bom.py", line 779, in create_updated_bom
    newitem = self.update_bom_item(item.component, match_item)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/bom/map_bom.py", line 690, in update_bom_item
    CycloneDxSupport.update_or_set_ext_ref(
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/common/capycli_bom_support.py", line 381, in update_or_set_ext_ref
    CycloneDxSupport.set_ext_ref(comp, type, comment, value)
  File "/home/cboehm/.local/lib/python3.10/site-packages/capycli/common/capycli_bom_support.py", line 360, in set_ext_ref
    url=XsUri(value),
  File "/home/cboehm/.local/lib/python3.10/site-packages/cyclonedx/model/__init__.py", line 421, in __init__
    raise InvalidUriException(
cyclonedx.exception.model.InvalidUriException: Supplied value 'xorg-server-debian-2%1.20.4-1+deb10u5.tar.gz' does not appear to be a valid URI.

I supply you with a minimal SBOM for verification: some-component.json

tngraf commented 5 months ago

Fixed by #71

gernot-h commented 5 months ago

Hmm, I'm not able to reproduce the crash with your minimal sbom and according to what you fixed in #71, it seems to me that the crash was related to an invalid external reference, which is probably missing in your minimal example?

tngraf commented 5 months ago

@gernot-h I was able to reproduce it (otherwise I wouldn't have merged the fix 😃). The problem only occurs if you write an updated SBOM.

gernot-h commented 5 months ago

Ok, found the issue. This has nothing to do with the PackageURL, but with an attachment in our SW360 instance using a "%" in the filename:

[screenshot: SW360 attachment whose filename contains a "%"]

So CaPyCli crashes when trying to set the external reference for this attachment. Seems we lack escaping of strings here. Will prepare an MR soon.
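To illustrate the failure mode discussed in this thread, here is an added example (not CaPyCli's or cyclonedx's own code) that contrasts passing the raw attachment filename into a URI field with percent-encoding it first. The bare-"%" check stands in for the library's XsUri validation (an assumption about why the value is rejected); the filename is the one quoted in the traceback above.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample: the SW360 attachment file name quoted in the traceback above.
ATTACHMENT_NAME = "xorg-server-debian-2%1.20.4-1+deb10u5.tar.gz"

# RFC 3986: a "%" in a URI must always start a pct-encoded triplet "%XX".
# Assumption: this regex stands in for the library's own URI validation.
_BARE_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def is_valid_uri_value(value: str) -> bool:
    """False when the string contains a '%' that is not a valid escape."""
    return _BARE_PERCENT.search(value) is None


def set_ext_ref_before(value: str) -> str:
    """Pre-fix behaviour: the raw attachment name is used as the URI as-is,
    so a name containing a bare '%' fails validation and the run aborts."""
    if not is_valid_uri_value(value):
        raise ValueError(
            f"Supplied value '{value}' does not appear to be a valid URI.")
    return value


def set_ext_ref_after(value: str) -> str:
    """Hardened version: percent-encode the raw file name first.

    quote() leaves letters, digits and "-._~" alone and escapes everything
    else, so a literal '%' becomes '%25' and '+' becomes '%2B'. The name is
    treated as raw text from the SW360 instance, never as an already-encoded
    URI, which also avoids the opposite bug of double-encoding.
    """
    escaped = quote(value, safe="")
    if not is_valid_uri_value(escaped):  # cannot happen after quote(); kept as a guard
        raise ValueError(f"escaping failed for {value!r}")
    return escaped


def round_trips(value: str) -> bool:
    """The original file name must be recoverable from the escaped form."""
    return unquote(set_ext_ref_after(value)) == value


if __name__ == "__main__":
    try:
        set_ext_ref_before(ATTACHMENT_NAME)
    except ValueError as exc:
        print("before fix:", exc)
    print("after fix: ", set_ext_ref_after(ATTACHMENT_NAME))
```

The same escaping step belongs on every value that comes from a remote system and ends up in a URI-typed SBOM field, since a single odd filename otherwise aborts the whole mapping run.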