Invalid CycloneDX JSON generated for specific images like "eclipse-temurin:17-jre-alpine" #1877

Closed
Parisha7 opened this issue Jun 15, 2023 · 0 comments · Fixed by #1879
Label: bug (Something isn't working)


Parisha7 commented Jun 15, 2023

What happened:
We had observed an error when trying to attest an SBOM file containing an image "eclipse-temurin:17-jre-alpine" while upgrading from syft version 0.80.0 to 0.81.0.
However, after investigation, we found out that the generated SBOM file was at fault, as one section containing the "libretls" dependency did not contain any licenses; the licenses that came through were empty. If we deleted the empty licenses in the SBOM manually, it worked fine.
A snippet of the same section is attached at the end.
Using cyclonedx-cli 0.24.0, I found out that it was invalid.

Unfortunately the tool does not give any more information than this about what was wrong in the SBOM file:

Unable to validate against any JSON schemas.
BOM is not valid.

What you expected to happen:
I would have expected the SBOM to be valid, no matter the input image.
We generate SBOMs on a large scale with Syft, and this is the only problem we have encountered with one so far.

Steps to reproduce the issue:
Generate the SBOM using the command below and validate it using cyclonedx-cli.

    syft -q eclipse-temurin:17-jre-alpine -o cyclonedx-json --file alpine_sbom14.json

    .\cyclonedx-win-x86.exe validate --input-file .\alpine_sbom14.json

Anything else we need to know?:
Unfortunately, I must not share the broken SBOM file with the outside world.

I look forward to your answers!

Environment:

  • Output of syft version: 0.81.0
  • OS (e.g: cat /etc/os-release or similar): Linux

Snippet of the affected component (the empty object in "licenses" is what fails validation):

    {
      "bom-ref": "pkg:apk/alpine/libretls@3.7.0-r1?arch=x86_64&distro=alpine-3.18.0&package-id=71a549b8c070ffb2",
      "type": "library",
      "publisher": "Ariadne Conill <ariadne@dereferenced.org>",
      "name": "libretls",
      "version": "3.7.0-r1",
      "description": "port of libtls from libressl to openssl",
      "licenses": [{}],
      "cpe": "cpe:2.3:a:libretls:libretls:3.7.0-r1:*:*:*:*:*:*:*",
      "purl": "pkg:apk/alpine/libretls@3.7.0-r1?arch=x86_64&distro=alpine-3.18.0",
      "externalReferences": [{
        "url": "https://git.causal.agency/libretls/",
        "type": "distribution"
      }]
    }
@Parisha7 Parisha7 added the bug Something isn't working label Jun 15, 2023
@kzantow kzantow self-assigned this Jun 15, 2023
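As an added example (not code from this issue, from Syft or from cyclonedx-cli), the following Python check audits a CycloneDX JSON document for exactly the defect reported above, license entries that carry neither a "license" object nor an "expression", reports the offending components by bom-ref, and can strip those entries so the document validates again. It goes slightly beyond the report by also descending into nested subcomponents. The SAMPLE_BOM is constructed, modelled on the libretls snippet quoted in the issue.

```python
import copy
import json
# Constructed sample modelled on the libretls component quoted above: the second
# component carries the empty license object ({}) that fails schema validation.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:apk/alpine/musl@1.2.4-r0", "type": "library",
         "name": "musl", "version": "1.2.4-r0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:apk/alpine/libretls@3.7.0-r1", "type": "library",
         "name": "libretls", "version": "3.7.0-r1", "licenses": [{}]},
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_BOM)

def is_valid_license_entry(entry):
    # A CycloneDX licenseChoice must carry either a "license" object or an "expression".
    return isinstance(entry, dict) and ("license" in entry or "expression" in entry)

def _walk(components):
    # Yield every component, including nested ones (CycloneDX allows subcomponents).
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))

def find_empty_licenses(bom):
    """bom-refs (or names) of components with a license entry lacking both keys."""
    return [comp.get("bom-ref", comp.get("name"))
            for comp in _walk(bom.get("components", []))
            if any(not is_valid_license_entry(e) for e in comp.get("licenses", []))]

def audit_json(text):
    """Parse a CycloneDX JSON document and report the offending components."""
    return find_empty_licenses(json.loads(text))

def strip_empty_licenses(bom):
    """Copy of the BOM with invalid license entries dropped; a component whose
    list becomes empty loses the "licenses" key rather than keeping an empty array."""
    fixed = copy.deepcopy(bom)
    for comp in _walk(fixed.get("components", [])):
        if "licenses" in comp:
            kept = [e for e in comp["licenses"] if is_valid_license_entry(e)]
            if kept:
                comp["licenses"] = kept
            else:
                del comp["licenses"]
    return fixed
```

Run audit_json over the generated file's contents before passing the SBOM to an attestation step, and treat any reported bom-ref as a generator bug worth filing rather than silently stripping it in production.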