What happened:
When running xeol over a syft generated json sbom from a version of Syft later than v0.92 you get this error:
% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
1 error occurred:
* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string
What you expected to happen:
When running xeol over a syft generated json sbom from a version of Syft v0.92 you do not receive this error:
% xeol sbom:./v0.92-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
✔ Scanned for EOL [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary
How to reproduce it (as minimally and precisely as possible):
1) install Syft version 0.92 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0
2) check your version - ./syft --version
3) Generate a json SBOM using Syft v0.92 -
4) Run xeol against that sbom and verify it succeeds -
5) install latest Syft version (currently v1.4.1) - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
6) check your version of syft - ./syft --version
7) Generate a json SBOM using Syft v1.4.1 -
8) Run xeol against the sbom and verify failure -
Anything else we need to know?:
I generated the SBOMs I tested against using the Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/, however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v0.92 to something newer would solve this issue, however I don't know if there are dependency versions for why it's been held back on v0.92.
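A pre-flight check for the mismatch reported above, as an added example that is not part of the original report and not xeol's or Syft's own code: it reads only the producer version from a Syft JSON SBOM and flags documents generated by a Syft release newer than v0.92 before they are passed to xeol. It assumes the producing version is recorded in the document's `descriptor.version` field; the function names, the `lastGood` threshold and the sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample SBOM skeletons (not real scan output).
const sampleOld = `{"artifacts":[{"name":"python","version":"3.8.10"}],"descriptor":{"name":"syft","version":"0.92.0"}}`
const sampleNew = `{"artifacts":[{"name":"python","version":"3.8.10"}],"descriptor":{"name":"syft","version":"1.4.1"}}`

// lastGood is the newest Syft release the report above shows working (v0.92).
var lastGood = [3]int{0, 92, 0}

// parseVersion reads the leading MAJOR.MINOR.PATCH of "1.4.1" or "v0.92.0".
func parseVersion(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err
}

// NewerThanLastGood decodes only descriptor.version and leaves the artifacts
// untouched, so the check cannot itself trip over the artifact schema. It
// returns the producing Syft version and whether it is newer than lastGood.
func NewerThanLastGood(sbom []byte) (string, bool, error) {
	var doc struct {
		Descriptor struct{ Name, Version string } `json:"descriptor"`
	}
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return "", false, fmt.Errorf("not a JSON SBOM: %w", err)
	}
	got, err := parseVersion(doc.Descriptor.Version)
	if err != nil {
		return "", false, fmt.Errorf("descriptor.version %q: %w", doc.Descriptor.Version, err)
	}
	for i := range got {
		if got[i] != lastGood[i] {
			return doc.Descriptor.Version, got[i] > lastGood[i], nil
		}
	}
	return doc.Descriptor.Version, false, nil
}

func main() {
	for _, s := range []string{sampleOld, sampleNew} {
		v, newer, err := NewerThanLastGood([]byte(s))
		fmt.Printf("syft %s newer than v0.92: %v (err: %v)\n", v, newer, err)
	}
}
```

In a pipeline, a `true` result is the point to fail the job with a clear message instead of letting an EOL scan abort on the decode error and report nothing.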