xeol unable to decode syft-json from versions of syft newer than v0.92

[bturner-cpacket]

What happened:
When running xeol over a syft generated json sbom from a version of Syft later than v0.92 you get this error:

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

What you expected to happen:
When running xeol over a syft generated json sbom from a version of Syft v0.92 you do not receive this error:

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

How to reproduce it (as minimally and precisely as possible):

1. install Syft version 0.92 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0
2. check your version - ./syft --version

ubuntu@ubuntu:~$ ./syft --version
syft 0.92.0

3. Generate a json SBOM using Syft v0.92 -

./syft dir:/ -o json>./sbom/v0.92-syft-filesystem-image-sbom.json

4. Run xeol against that sbom and verify it succeeds -

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

5. install latest Syft version (currently v1.4.1) - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
6. check your version of syft - ./syft --version

ubuntu@ubuntu:~$ ./syft --version
syft 1.4.1

7. Generate a json SBOM using Syft v1.4.1 -

./syft dir:/ -o json>./sbom/v1.4.1-syft-filesystem-image-sbom.json

8. Run xeol against the sbom and verify failure -

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

Anything else we need to know?:
I generated the SBOM's I tested against using Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/, however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v.0.92 to something newer would solve this issue however I dont know if there are dependency versions for why its been held back on v0.92.

Environment:

• Output of xeol version:
• OS (e.g: cat /etc/os-release or similar):

% xeol version
Application:         xeol
Version:             0.9.15
BuildDate:           2024-04-27T01:08:08Z
GitCommit:           Homebrew
GitDescription:      Homebrew
Platform:            darwin/amd64
GoVersion:           go1.22.2
Compiler:            gc
Syft Version:        v0.92.0
Supported DB Schema: 1

[Lartsch]

Any update on this?

[tomersein]

it seems to occurs because of the fork this library is based on...
replace github.com/anchore/syft => github.com/noqcks/syft v0.0.0-20240109150718-1b286b681098

[bturner-cpacket]

That seems bad?

Why is this component dependent on go package from a fork of syft with no tags or releases instead of the official syft package?