trustification / trustify

Apache License 2.0

Running the redhat-sbom importer generates an error while importing data #498

Closed carlosthe19916 closed 4 days ago

carlosthe19916 commented 1 week ago

Steps to reproduce:

{
    "items": [
        {
            "id": "e80ec858-8fa8-4f88-9ad5-e786d461efe5",
            "importer": "redhat-sbom",
            "creation": "2024-07-02T13:22:24.108607Z",
            "error": "Visitor error: Execution Error: error returned from database: insert or update on table \"package_relates_to_package\" violates foreign key constraint \"package_relates_to_package_sbom_id_left_node_id_fkey\"",
            "report": {
                "endDate": "2024-07-02T13:22:24.105880274Z",
                "messages": {
                    "Upload": {
                        "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-8.8.0.json.bz2": [
                            {
                                "message": "upload failed: Execution Error: error returned from database: insert or update on table \"package_relates_to_package\" violates foreign key constraint \"package_relates_to_package_sbom_id_left_node_id_fkey\"",
                                "severity": "Error"
                            }
                        ]
                    }
                },
                "startDate": "2024-07-02T13:21:15.871547194Z",
                "numerOfItems": 2
            }
        }
    ],
    "total": 1
}

You can see there is an error: insert or update on table \"package_relates_to_package\" violates foreign key constraint \"package_relates_to_package_sbom_id_left_node_id_fkey\"

bobmcwhirter commented 1 week ago

@ctron

ctron commented 1 week ago

I expect it's due to the broken SBOM:

Invalid reference 'SPDXRef-0aee0343-801b-4c5a-ae35-6c4a5fa163be' of relationship 'SPDXRef-0aee0343-801b-4c5a-ae35-6c4a5fa163be' -[ContainedBy]-> 'SPDXRef-2faf6cb8-246f-4ad9-964e-c5e161ad16d0'
[… plus many more …]

ctron commented 1 week ago

I agree that we need better error reporting though.

carlosthe19916 commented 1 week ago

I got the impression that the importer stops whenever the first error appears. When I import SBOMs it always stops at the 108th SBOM imported.

My concern was that, let's say we have 200 SBOMs to be ingested, and while ingesting SBOM number 108 we find an error, then all the rest of the SBOMs won't be ingested due to the error found.

But it might be just a coincidence and actually the redhat-sbom repository only has 108 SBOMs, and there is nothing to be worried about.

ctron commented 1 week ago

My expectation is that it keeps running. On subsequent runs, it will only process changes. According to the report, we have 557 SBOMs with 123 faulty ones.

ctron commented 1 week ago

Just did a check myself. I think you're right. It's aborting the run. I'll dig into that.
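
The two points raised in this thread, a relationship that references an undefined SPDX element surfacing as a foreign-key violation, and a single bad SBOM aborting the whole run, can be illustrated together. The following is an added example written for this page; it is not trustify's importer code. It checks every SPDX relationship endpoint against the element IDs the document defines, stores each SBOM in its own transaction so a failure rolls back only that SBOM, and accumulates per-source error messages in a report shaped like the one in the issue instead of stopping at the first error. The sqlite schema is a toy loosely modelled on the constraint name in the report; its table and column names (`package`, `node_id`, `right_node_id`, `relationship`) and the two sample SBOMs are assumptions constructed for the example. Run with `prevalidate=False` to see the same defect surface as a database constraint failure rather than a validation message.

```python
# Added example, not trustify's own code. Validates SPDX relationship references
# and keeps a batch import going when one SBOM fails. The schema below is a toy
# loosely modelled on the constraint name in the issue report (assumption).
import sqlite3

# Constructed sample SBOMs in SPDX 2.x JSON shape. BROKEN_SBOM has a relationship
# whose left side is never defined, the class of defect quoted in the thread.
GOOD_SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-a"}, {"SPDXID": "SPDXRef-b"}],
    "relationships": [{"spdxElementId": "SPDXRef-a",
                       "relationshipType": "CONTAINED_BY",
                       "relatedSpdxElement": "SPDXRef-b"}],
}
BROKEN_SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-x"}],
    "relationships": [{"spdxElementId": "SPDXRef-missing",
                       "relationshipType": "CONTAINED_BY",
                       "relatedSpdxElement": "SPDXRef-x"}],
}

# Toy schema (assumed): relationship rows must point at packages of the same SBOM.
SCHEMA = """
CREATE TABLE sbom (id INTEGER PRIMARY KEY, source TEXT UNIQUE);
CREATE TABLE package (sbom_id INTEGER, node_id TEXT, PRIMARY KEY (sbom_id, node_id));
CREATE TABLE package_relates_to_package (
    sbom_id INTEGER, left_node_id TEXT, relationship TEXT, right_node_id TEXT,
    FOREIGN KEY (sbom_id, left_node_id)  REFERENCES package (sbom_id, node_id),
    FOREIGN KEY (sbom_id, right_node_id) REFERENCES package (sbom_id, node_id));
"""


def open_store() -> sqlite3.Connection:
    """In-memory database with foreign keys enforced (sqlite ignores them by default)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def validate_relationships(doc: dict) -> list:
    """Return one message per relationship endpoint that is not a defined SPDX element.
    NOASSERTION and NONE are legal literal values for relatedSpdxElement in SPDX 2.x."""
    known = {doc.get("SPDXID", "SPDXRef-DOCUMENT"), "NOASSERTION", "NONE"}
    for section in ("packages", "files", "snippets"):
        known.update(e["SPDXID"] for e in doc.get(section, []) if "SPDXID" in e)
    problems = []
    for rel in doc.get("relationships", []):
        left = rel.get("spdxElementId")
        kind = rel.get("relationshipType")
        right = rel.get("relatedSpdxElement")
        for end in (left, right):
            if end not in known:
                problems.append(f"Invalid reference '{end}' of relationship "
                                f"'{left}' -[{kind}]-> '{right}'")
    return problems


def store_sbom(conn: sqlite3.Connection, source: str, doc: dict) -> None:
    """Insert one SBOM inside its own transaction; on error only this SBOM is rolled back."""
    with conn:
        sbom_id = conn.execute("INSERT INTO sbom (source) VALUES (?)", (source,)).lastrowid
        conn.executemany("INSERT INTO package VALUES (?, ?)",
                         [(sbom_id, p["SPDXID"]) for p in doc.get("packages", [])])
        conn.executemany("INSERT INTO package_relates_to_package VALUES (?, ?, ?, ?)",
                         [(sbom_id, r["spdxElementId"], r["relationshipType"],
                           r["relatedSpdxElement"]) for r in doc.get("relationships", [])])


def import_batch(conn: sqlite3.Connection, sources: dict, prevalidate: bool = True) -> dict:
    """Process every SBOM in `sources` (name -> document). Failures are recorded per
    source in a report shaped like the importer's, and the loop keeps going."""
    report = {"numberOfItems": 0, "messages": {"Upload": {}}}
    for source, doc in sources.items():
        report["numberOfItems"] += 1
        try:
            if prevalidate:
                problems = validate_relationships(doc)
                if problems:
                    raise ValueError("; ".join(problems))
            store_sbom(conn, source, doc)
        except (ValueError, sqlite3.IntegrityError) as exc:
            report["messages"]["Upload"].setdefault(source, []).append(
                {"message": f"upload failed: {exc}", "severity": "Error"})
    return report


def stored_sources(conn: sqlite3.Connection) -> list:
    """Names of the SBOMs that actually made it into the store, in insertion order."""
    return [row[0] for row in conn.execute("SELECT source FROM sbom ORDER BY id")]
```

With pre-validation on, the broken SBOM is rejected with the same kind of message ctron quotes, and the SBOMs after it are still stored. With it off, sqlite raises `FOREIGN KEY constraint failed` for that one SBOM, the per-SBOM transaction rolls back, and the batch still completes, which is the behaviour the thread expects from the importer.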