fix(sbom): export bom-ref when converting a package to a component #7340
Conversation
afdesk
changed the title
pkg/sbom/cyclonedx/marshal_test.go
Outdated
| @@ -1607,7 +1607,7 @@ func TestMarshaler_MarshalReport(t *testing.T) { | |||
| Updated: "2022-12-20T10:15:00+00:00", | |||
| Affects: &[]cdx.Affects{ | |||
| { | |||
| Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]", | |||
| Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=jackson-databind-2.13.4.1.jar", | |||
There was a problem hiding this comment.
We don't include file paths in PURL anymore. If it remains somewhere, it should be deleted.
|
|
|
amf seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
We should add a new test to ensure original BOM-Refs are kept as-is. In the existing test, the input is SBOM, but the output is Trivy JSON. trivy/integration/sbom_test.go Lines 51 to 59 in 6a72dd4 |
The testcase is added now. |
integration/sbom_test.go
Outdated
| { | ||
| name: "scan SBOM into SBOM", | ||
| args: args{ | ||
| input: "testdata/fixtures/sbom/pywin32-cyclonedx.json", |
There was a problem hiding this comment.
Can we re-use the existing json, fluentd-multiple-lockfiles-cyclonedx.json? You can change this file to use UUID in BOM-Ref.
There was a problem hiding this comment.
the testcase is updated fluentd-multiple-lockfiles-cyclonedx.json.
I wanted to use fluentd-multiple-lockfiles.cdx.json.golden also, but this cdx result is a large, because it's result for fluentd-multiple-lockfiles.tar.gz. fluentd-multiple-lockfiles-cyclonedx.json is shorter.
so I've created a new golden file.
There was a problem hiding this comment.
@afdesk I may have found another issue (maybe for another PR):
File iD0PiatU contains 2 same packages with different BOMRefs.
Should we show 2 BOMrefs in affects array:
something like that:
"affects": [
{
"ref": "pkg:pypi/pywin32@227",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
{
"ref": "de3ojve0eoj0j0je",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
]
| "bom-ref": "3ff14136-e09f-4df9-80ea-000000000006", | ||
| "type": "operating-system", | ||
| "name": "debian", | ||
| "version": "10.2", |
There was a problem hiding this comment.
input and output bomrefs for OS are not equial:
|
Now Trivy builds new SBOM components from the result: Line 260 in 98e136e to keep existing BOM-refs we should look for this one (if report.BOM != nil) by name and save it. if we don't want to use this logic I can see 2 options:
@knqyf263 @DmitriyLewen wdyt? thanks |
I think we can try to use this way. Lines 120 to 136 in 98e136e
Do you mean BOMrefs for #2? Lines 160 to 173 in 98e136e
I am not sure about this. |
yes, for |
|
@DmitriyLewen could you take a look? thanks |
pkg/sbom/cyclonedx/unmarshal.go
Outdated
| if c.PackageURL != "" { | ||
| purl, err = packageurl.FromString(c.PackageURL) | ||
| purl = &packageurl.PackageURL{} |
There was a problem hiding this comment.
Looks like we can remove this
There was a problem hiding this comment.
it seems that no, we have to allocate memory
pkg/sbom/io/encode.go
Outdated
| @@ -283,6 +288,14 @@ func (e *Encoder) resultComponent(root *core.Component, r types.Result, osFound | |||
| component.Type = core.TypeApplication | |||
| } | |||
|
|
|||
| // try to look for BOM-ref for this component | |||
| for _, c := range e.components { | |||
| if c.Name == component.Name && c.Type == component.Type { | |||
There was a problem hiding this comment.
IIRC we correctly store BomRefs for the Root component and packages.
Do we need this check for all types? maybe we can do this check only for Application and OperatingSystem types?
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
|
I have refactored. @DmitriyLewen @afdesk Can you please take a look? |
pkg/sbom/io/encode.go
Outdated
| components := lo.MapKeys(report.BOM.Components(), func(value *core.Component, _ uuid.UUID) string { | ||
| return value.PkgIdentifier.BOMRef | ||
| }) |
There was a problem hiding this comment.
It doesn't work for SPDX.
I thought about using SPDX-ID as bom-ref (see #6907 (comment)).
There was a problem hiding this comment.
also I realized that there might be issues with non-Trivy CycloneDX reports:
Bom-Ref is an optional field - https://cyclonedx.org/docs/1.6/json/#components_items_bom-ref
So there might be a case where bom-ref doesn't exist - so we won't add vulnerabilities for these components.
There was a problem hiding this comment.
Bom-Ref is an optional field - https://cyclonedx.org/docs/1.6/json/#components_items_bom-ref
It's interesting. I was not aware of that. However, vulnerabilities.affects.ref must be BOM-Ref. Do you think we should generate BOM-Refs in this case?
https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref
There was a problem hiding this comment.
It doesn't work for SPDX.
Hmm. I didn't think SPDX supports vulnerabilities, but I just remember we added support. I'll think about it.
#7213
There was a problem hiding this comment.
However, vulnerabilities.affects.ref must be BOM-Re
This is a weird case. I still don't understand why Bom-ref is not a required field.
Looks like we need to separate the possible cases:
- sbom result without vulnerabilities
vulnscanner is disabled - we can skip adding bom-ref to preserve the scanned sbom file as much as possible.- Trivy found no vulnerabilities - I'm not sure what we should do. I'm more inclined to think that we still need to add bom-refs (use the same logic when
vulnscanner is enabled) - sbom result with vulnerabilities -
vulnerabilities.affects.refis a required field => we need to populate this field => we need to use the samebom-reffor the linked component.
There was a problem hiding this comment.
Yes, I agree BOM-Ref should be required.
Looks like we need to separate the possible cases:
To keep things simple, IMO, it is better to generate a BOM-Ref if it's missing in CycloneDX that Trivy is scanning.
There was a problem hiding this comment.
since I don't have statistics on how often CycloneDX files without bom-refs are used - it's hard for me to make a choice.
I'm not against your decision. Let's do it this way and get feedback from users.
There was a problem hiding this comment.
I wanted to reuse the SBOM of the input as much as possible, but I found that my implementation did not work well when using --pkg-relationships or --pkg-types with trivy sbom.
| @@ -165,6 +176,7 @@ func TestSBOM(t *testing.T) { | |||
| // Run "trivy sbom" | |||
| runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{ | |||
| override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override), | |||
| fakeUUID: tt.fakeUUID, | |||
There was a problem hiding this comment.
The serial number is generated by UUID. I think it's better to confirm it is generated as expected rather than ignoring it.
Signed-off-by: knqyf263 <[email protected]>
This reverts commit 67961d7.
This reverts commit 8b33309.
This reverts commit 0bb6387.
This reverts commit 418100c.
|
I reverted my changes. I'll open another PR. |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
…7340) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: amf <[email protected]> Co-authored-by: knqyf263 <[email protected]>
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Description
Reproduction Steps
Before:
After:
Related issues
Checklist