-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(sbom): export bom-ref when converting a package to a component #7340
Conversation
pkg/sbom/cyclonedx/marshal_test.go
Outdated
@@ -1607,7 +1607,7 @@ func TestMarshaler_MarshalReport(t *testing.T) { | |||
Updated: "2022-12-20T10:15:00+00:00", | |||
Affects: &[]cdx.Affects{ | |||
{ | |||
Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]", | |||
Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=jackson-databind-2.13.4.1.jar", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't include file paths in PURL anymore. If it remains somewhere, it should be deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, I'm removing it
amf seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
We should add a new test to ensure original BOM-Refs are kept as-is. In the existing test, the input is SBOM, but the output is Trivy JSON. trivy/integration/sbom_test.go Lines 51 to 59 in 6a72dd4
|
The testcase is added now. |
integration/sbom_test.go
Outdated
{ | ||
name: "scan SBOM into SBOM", | ||
args: args{ | ||
input: "testdata/fixtures/sbom/pywin32-cyclonedx.json", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we re-use the existing json, fluentd-multiple-lockfiles-cyclonedx.json
? You can change this file to use UUID in BOM-Ref.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the testcase is updated fluentd-multiple-lockfiles-cyclonedx.json
.
I wanted to use fluentd-multiple-lockfiles.cdx.json.golden
also, but this cdx result is a large, because it's result for fluentd-multiple-lockfiles.tar.gz
. fluentd-multiple-lockfiles-cyclonedx.json
is shorter.
so I've created a new golden file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@afdesk I may have found another issue (maybe for another PR):
File iD0PiatU
contains 2 same packages with different BOMRefs.
Should we show 2 BOMrefs in affects
array:
something like that:
"affects": [
{
"ref": "pkg:pypi/pywin32@227",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
{
"ref": "de3ojve0eoj0j0je",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
]
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000006", | ||
"type": "operating-system", | ||
"name": "debian", | ||
"version": "10.2", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
input and output bomrefs for OS are not equial:
trivy/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json
Lines 107 to 110 in bfdf5cf
"bom-ref": "353f2470-9c8b-4647-9d0d-96d893838dc8", | |
"type": "operating-system", | |
"name": "debian", | |
"version": "10.2", |
Now Trivy builds new SBOM components from the result: Line 260 in 98e136e
to keep existing BOM-refs we should look for this one (if report.BOM != nil) by name and save it. if we don't want to use this logic I can see 2 options:
@knqyf263 @DmitriyLewen wdyt? thanks |
I think we can try to use this way. Lines 120 to 136 in 98e136e
Do you mean BOMrefs for #2? Lines 160 to 173 in 98e136e
I am not sure about this. |
yes, for |
@DmitriyLewen could you take a look? thanks |
pkg/sbom/cyclonedx/unmarshal.go
Outdated
if c.PackageURL != "" { | ||
purl, err = packageurl.FromString(c.PackageURL) | ||
purl = &packageurl.PackageURL{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we can remove this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seems that no, we have to allocate memory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
pkg/sbom/io/encode.go
Outdated
@@ -283,6 +288,14 @@ func (e *Encoder) resultComponent(root *core.Component, r types.Result, osFound | |||
component.Type = core.TypeApplication | |||
} | |||
|
|||
// try to look for BOM-ref for this component | |||
for _, c := range e.components { | |||
if c.Name == component.Name && c.Type == component.Type { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC we correctly store BomRefs for the Root
component and packages.
Do we need this check for all types? maybe we can do this check only for Application
and OperatingSystem
types?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@knqyf263 take a look, when you have time
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
I have refactored. @DmitriyLewen @afdesk Can you please take a look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@knqyf263 left comments
pkg/sbom/io/encode.go
Outdated
components := lo.MapKeys(report.BOM.Components(), func(value *core.Component, _ uuid.UUID) string { | ||
return value.PkgIdentifier.BOMRef | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't work for SPDX.
I thought about using SPDX-ID as bom-ref (see #6907 (comment)).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also I realized that there might be issues with non-Trivy CycloneDX reports:
Bom-Ref
is an optional field - https://cyclonedx.org/docs/1.6/json/#components_items_bom-ref
So there might be a case where bom-ref
doesn't exist - so we won't add vulnerabilities for these components.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bom-Ref is an optional field - https://cyclonedx.org/docs/1.6/json/#components_items_bom-ref
It's interesting. I was not aware of that. However, vulnerabilities.affects.ref
must be BOM-Ref. Do you think we should generate BOM-Refs in this case?
https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't work for SPDX.
Hmm. I didn't think SPDX supports vulnerabilities, but I just remember we added support. I'll think about it.
#7213
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, vulnerabilities.affects.ref must be BOM-Re
This is a weird case. I still don't understand why Bom-ref
is not a required field.
Looks like we need to separate the possible cases:
- sbom result without vulnerabilities
vuln
scanner is disabled - we can skip adding bom-ref to preserve the scanned sbom file as much as possible.- Trivy found no vulnerabilities - I'm not sure what we should do. I'm more inclined to think that we still need to add bom-refs (use the same logic when
vuln
scanner is enabled) - sbom result with vulnerabilities -
vulnerabilities.affects.ref
is a required field => we need to populate this field => we need to use the samebom-ref
for the linked component.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I agree BOM-Ref should be required.
Looks like we need to separate the possible cases:
To keep things simple, IMO, it is better to generate a BOM-Ref if it's missing in CycloneDX that Trivy is scanning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since I don't have statistics on how often CycloneDX files without bom-refs are used - it's hard for me to make a choice.
I'm not against your decision. Let's do it this way and get feedback from users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to reuse the SBOM of the input as much as possible, but I found that my implementation did not work well when using --pkg-relationships
or --pkg-types
with trivy sbom
.
@@ -165,6 +176,7 @@ func TestSBOM(t *testing.T) { | |||
// Run "trivy sbom" | |||
runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{ | |||
override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override), | |||
fakeUUID: tt.fakeUUID, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The serial number is generated by UUID. I think it's better to confirm it is generated as expected rather than ignoring it.
Signed-off-by: knqyf263 <[email protected]>
This reverts commit 67961d7.
This reverts commit 8b33309.
This reverts commit 0bb6387.
This reverts commit 418100c.
I reverted my changes. I'll open another PR. |
…7340) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: amf <[email protected]> Co-authored-by: knqyf263 <[email protected]>
Description
Reproduction Steps
Before:
After:
Related issues
Checklist