Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Download location is not a valid URI #3696

Open
stgrace opened this issue Feb 28, 2025 · 0 comments · May be fixed by #3697
Open

Download location is not a valid URI #3696

stgrace opened this issue Feb 28, 2025 · 0 comments · May be fixed by #3697
Labels
bug Something isn't working

Comments

@stgrace
Copy link

stgrace commented Feb 28, 2025

What happened:

Syft created an SBOM with packages containing an invalid URI for downloadLocation. This happens with npm packages using spdx spec spdx-json

Example incompliant package:

{
      "name": "@isaacs/cliui",
      "SPDXID": "SPDXRef-Package-npm--isaacs-cliui-7026ea92955de2ad",
      "versionInfo": "8.0.2",
      "supplier": "Person: Ben Coe ([email protected])",
      "originator": "Person: Ben Coe ([email protected])",
      "downloadLocation": "yargs/cliui",
      "filesAnalyzed": false,
      "sourceInfo": "acquired package info from installed node module manifest file: /usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/package.json",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "ISC",
      "copyrightText": "NOASSERTION",
      "description": "easily create complex multi-column command-line-interfaces",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:\\@isaacs\\/cliui:\\@isaacs\\/cliui:8.0.2:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/%40isaacs/[email protected]"
        }
      ]
    }

What you expected to happen:

A package with a downloadLocation compliant to the spdx spec.

Steps to reproduce the issue:

syft scan redis/redisinsight:2.60.0 -o spdx-json=scan.json

Environment:

  • Output of syft version: v1.20.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS
@stgrace stgrace added the bug Something isn't working label Feb 28, 2025
@stgrace stgrace linked a pull request Feb 28, 2025 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: No status
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add downloadLocation URI validation stgrace/syft
1 participant
@stgrace