xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
https://www.xeol.io/
Apache License 2.0

xeol unable to decode syft-json from versions of syft newer than v0.92 #346

Open bturner-cpacket opened 4 weeks ago

bturner-cpacket commented 4 weeks ago

What happened: When running xeol over a Syft-generated JSON SBOM from a version of Syft later than v0.92 you get this error:

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
    * failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

What you expected to happen: When running xeol over a Syft-generated JSON SBOM from Syft v0.92 you do not receive this error:

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

How to reproduce it (as minimally and precisely as possible):

1) install Syft version 0.92 -

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0

2) check your version - ./syft --version

ubuntu@ubuntu:~$ ./syft --version
syft 0.92.0

3) Generate a json SBOM using Syft v0.92 -

./syft dir:/ -o json>./sbom/v0.92-syft-filesystem-image-sbom.json

4) Run xeol against that sbom and verify it succeeds -

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

5) install latest Syft version (currently v1.4.1) -

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .

6) check your version of syft - ./syft --version

ubuntu@ubuntu:~$ ./syft --version
syft 1.4.1

7) Generate a json SBOM using Syft v1.4.1 -

./syft dir:/ -o json>./sbom/v1.4.1-syft-filesystem-image-sbom.json

8) Run xeol against the sbom and verify failure -

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
    * failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

Anything else we need to know?: I generated the SBOMs I tested against using the Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/; however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v0.92 to something newer would solve this issue; however, I don't know if there are dependency versions that are the reason it's been held back on v0.92.

Environment:

% xeol version
Application:         xeol
Version:             0.9.15
BuildDate:           2024-04-27T01:08:08Z
GitCommit:           Homebrew
GitDescription:      Homebrew
Platform:            darwin/amd64
GoVersion:           go1.22.2
Compiler:            gc
Syft Version:        v0.92.0
Supported DB Schema: 1
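A defender-side pre-check that a consumer like xeol could run before handing the document to its version-pinned decoder: read only the top-level syft-json `schema.version` header and compare the major number with the schema the embedded Syft library was built for, so a newer SBOM yields an actionable diagnostic instead of a field-level unmarshal error. This is an added example, not xeol's or Syft's own code; the sample documents, their version strings and the supported major (11) are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// schemaProbe decodes only the top-level "schema" header of a syft-json
// document; every other field (artifacts, files, source, ...) is skipped.
type schemaProbe struct {
	Schema struct {
		Version string `json:"version"`
	} `json:"schema"`
}

// SchemaMajor returns the major component of the document's schema version.
func SchemaMajor(doc []byte) (int, error) {
	var p schemaProbe
	if err := json.Unmarshal(doc, &p); err != nil {
		return 0, fmt.Errorf("not a JSON document: %w", err)
	}
	if p.Schema.Version == "" {
		return 0, fmt.Errorf("no schema.version field: not a syft-json document?")
	}
	var major int
	if _, err := fmt.Sscanf(p.Schema.Version, "%d", &major); err != nil {
		return 0, fmt.Errorf("malformed schema.version %q", p.Schema.Version)
	}
	return major, nil
}

// CheckSupported fails with an actionable message when the document's schema
// major is newer than the one the embedded decoder was built for.
func CheckSupported(doc []byte, supportedMajor int) error {
	major, err := SchemaMajor(doc)
	if err != nil {
		return err
	}
	if major > supportedMajor {
		return fmt.Errorf("syft-json schema %d is newer than supported schema %d: "+
			"regenerate the SBOM with an older syft or upgrade the scanner", major, supportedMajor)
	}
	return nil
}

func main() {
	// Constructed sample documents; the version strings are illustrative only.
	older := []byte(`{"schema":{"version":"11.0.1"},"artifacts":[]}`)
	newer := []byte(`{"schema":{"version":"16.0.11"},"artifacts":[]}`)
	fmt.Println(CheckSupported(older, 11), CheckSupported(newer, 11))
}
```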

Lartsch commented 2 weeks ago

Any update on this?