Open damian-wnukowski-worldline opened 1 month ago
What happened: I have an sbom.xml generated by the checkov library and it's missing the `<components>` XML tag. This command fails with such an sbom.xml:
```
xeol --fail-on-eol-found --lookahead 1m sbom.xml -vv
[0000]  INFO xeol version: 0.9.15
[0000] DEBUG config: log: quiet: false level: debug file: "" dev: profile: none output: [] file: "" distro: "" check-for-app-update: true platform: "" search: scope: Squashed unindexed-archives: false indexed-archives: true db: cache-dir: /home/dwnukowski/.cache/xeol/db update-url: https://data.xeol.io/xeol/databases/listing.json ca-cert: "" auto-update: true validate-by-hash-on-start: false validate-age: true max-allowed-built-age: 120h0m0s lookahead: 1m fail-on-eol-found: true api-key: "" project-name: "" image-path: Dockerfile commit-hash: "" match: packages: using-purls: true distro: using-cpes: true registry: insecure-skip-tls-verify: false insecure-use-http: false auth: [] ca-cert: "" name: "" default-image-pull-source: ""
[0000] DEBUG no new xeol update available
[0000] DEBUG gathering packages
[0000] DEBUG Fetching organization policies
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on eol database
[0000] DEBUG checking for available database updates
[0000] DEBUG found database update candidate: Listing(url=https://data.xeol.io/xeol/databases/xeol-db_v1_2024-05-10T03:51:15.748131Z.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
1 error occurred:
 * failed to catalog: unable to decode sbom: unable to identify format
```
even though the SBOM schema says it's optional, so the sbom should be valid and parsed properly: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.4.xsd#L369
What you expected to happen: xeol not ending with a decoding error when a valid sbom.xml is provided.
How to reproduce it (as minimally and precisely as possible): Use the command specified above on this sbom file:
```xml
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5c6fb934-a145-4b58-b779-567374571b13" version="1">
  <metadata>
    <timestamp>2024-05-10T10:03:40.878180+00:00</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>6.4.1</version>
        <externalReferences>
          <reference type="build-system"><url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url></reference>
          <reference type="distribution"><url>https://pypi.org/project/cyclonedx-python-lib/</url></reference>
          <reference type="documentation"><url>https://cyclonedx-python-library.readthedocs.io/</url></reference>
          <reference type="issue-tracker"><url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url></reference>
          <reference type="license"><url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url></reference>
          <reference type="release-notes"><url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url></reference>
          <reference type="vcs"><url>https://github.com/CycloneDX/cyclonedx-python-lib</url></reference>
          <reference type="website"><url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url></reference>
        </externalReferences>
      </tool>
      <tool>
        <vendor>bridgecrew</vendor>
        <name>checkov</name>
        <version>UNKNOWN</version>
        <externalReferences>
          <reference type="build-system"><url>https://github.com/bridgecrewio/checkov/actions</url></reference>
          <reference type="distribution"><url>https://pypi.org/project/checkov/</url></reference>
          <reference type="documentation"><url>https://www.checkov.io/1.Welcome/What%20is%20Checkov.html</url></reference>
          <reference type="issue-tracker"><url>https://github.com/bridgecrewio/checkov/issues</url></reference>
          <reference type="license"><url>https://github.com/bridgecrewio/checkov/blob/master/LICENSE</url></reference>
          <reference type="social"><url>https://twitter.com/bridgecrewio</url></reference>
          <reference type="vcs"><url>https://github.com/bridgecrewio/checkov</url></reference>
          <reference type="website"><url>https://www.checkov.io/</url></reference>
        </externalReferences>
      </tool>
    </tools>
  </metadata>
</bom>
```
Anything else we need to know?: That's all I think.

Environment:
- `xeol version`: 0.9.15
- `cat /etc/os-release` (or similar): Fedora running on WSL:

```
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container
```
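An added illustration, not xeol's or checkov's code: a small Go format sniffer that identifies a CycloneDX XML BOM by its root element and namespace alone, so a document without the optional `<components>` element is still recognised and simply yields an empty component list instead of an "unable to identify format" error. The embedded sample BOM is constructed, and `DetectCycloneDXXML`, `BOM` and `Component` are hypothetical names.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed minimal CycloneDX 1.4 BOM with no <components>, like the checkov one.
const sampleBOM = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><timestamp>2024-05-10T10:03:40.878180+00:00</timestamp></metadata>
</bom>`

// Component is the subset of a CycloneDX component needed here.
type Component struct {
	Name    string `xml:"name"`
	Version string `xml:"version"`
}

// BOM maps the root element; Components is a pointer so an absent element differs from an empty one.
type BOM struct {
	XMLName    xml.Name // root element's local name and namespace URI
	Components *struct {
		Items []Component `xml:"component"`
	} `xml:"components"`
}

const cycloneDXNS = "http://cyclonedx.org/schema/bom/"

// DetectCycloneDXXML identifies a CycloneDX XML document by root element and
// namespace alone and returns the schema version (e.g. "1.4") plus the component
// list, which is empty rather than a format error when <components> is missing.
func DetectCycloneDXXML(doc string) (string, []Component, error) {
	var bom BOM
	if err := xml.Unmarshal([]byte(doc), &bom); err != nil {
		return "", nil, fmt.Errorf("not well-formed XML: %w", err)
	}
	if bom.XMLName.Local != "bom" || !strings.HasPrefix(bom.XMLName.Space, cycloneDXNS) {
		return "", nil, fmt.Errorf("unable to identify format: root <%s> in namespace %q", bom.XMLName.Local, bom.XMLName.Space)
	}
	version := strings.TrimPrefix(bom.XMLName.Space, cycloneDXNS)
	if bom.Components == nil {
		return version, []Component{}, nil // optional element absent: no components, not an error
	}
	return version, bom.Components.Items, nil
}

func main() {
	fmt.Println(DetectCycloneDXXML(sampleBOM)) // prints: 1.4 [] <nil>
}
```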