
Generating duplicate in relationships in CycloneDX #2062

Closed
ShuP1 opened this issue Aug 25, 2023 · 2 comments · Fixed by #2063
Labels: bug (Something isn't working), format:cyclonedx (CycloneDX related enhancement or bug)

Comments


ShuP1 commented Aug 25, 2023

What happened:

Syft produces an invalid CycloneDX SBOM, at least for the apkdb-cataloger, due to duplicated refs in dependencies.

CycloneDX JSON Reference #dependencies states:

All items must be unique

This rule is enforced by https://github.com/CycloneDX/cyclonedx-cli

What you expected to happen:

Syft produces a valid SBOM.

Steps to reproduce the issue:

> syft packages alpine:latest -o cyclonedx-json > sbom.json
> cyclonedx-cli validate --input-file sbom.json
Unable to validate against any JSON schemas.
BOM is not valid.
> cyclonedx-cli validate --input-file sbom.json --input-version v1_4
Validating JSON BOM...
Validation failed: Found duplicates at the following index pairs: "(2, 4)"
#/properties/dependencies/uniqueItems
BOM is not valid.

Anything else we need to know?:

/* ... */
"dependencies": [
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.18.3&package-id=afce4445f1c5ffeb"
      ]
    },
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/busybox-binsh@1.36.1-r2?arch=x86_64&upstream=busybox&distro=alpine-3.18.3&package-id=337ecb49f16db0b4"
      ]
    },
/* ... */

Should be:

/* ... */
"dependencies": [
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.18.3&package-id=afce4445f1c5ffeb",
        "pkg:apk/alpine/busybox-binsh@1.36.1-r2?arch=x86_64&upstream=busybox&distro=alpine-3.18.3&package-id=337ecb49f16db0b4"
      ]
    },
/* ... */

Environment:

  • Output of syft version: 0.87.1
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.3 LTS
@ShuP1 ShuP1 added the bug Something isn't working label Aug 25, 2023
@ShuP1 ShuP1 changed the title Invalide CycloneDX: duplicates in relationships section Invalid CycloneDX: duplicates in relationships section Aug 25, 2023
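As an added example (not Syft's own code and not the fix in #2063), a small Python check that flags the duplicate-ref shape shown above in a CycloneDX JSON document and merges such entries the way the expected output does. The SBOM fragment is constructed for the example with shortened purls.

```python
import json
from collections import OrderedDict

# Constructed sample: the defect reported in the issue, one "ref" listed twice
# with a single dependsOn each (purls shortened for readability).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "dependencies": [
        {"ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1",
         "dependsOn": ["pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1"]},
        {"ref": "pkg:apk/alpine/busybox@1.36.1-r2", "dependsOn": []},
        {"ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1",
         "dependsOn": ["pkg:apk/alpine/busybox-binsh@1.36.1-r2"]},
    ],
}


def find_duplicate_refs(sbom):
    """Return (first_index, later_index) pairs of dependency entries that
    reuse a 'ref'; an empty list means the array passes this check."""
    first_seen = {}
    pairs = []
    for i, dep in enumerate(sbom.get("dependencies", [])):
        ref = dep.get("ref")
        if ref is None:
            continue  # entries without a ref are a different defect; skip here
        if ref in first_seen:
            pairs.append((first_seen[ref], i))
        else:
            first_seen[ref] = i
    return pairs


def merge_duplicate_refs(sbom):
    """Return a shallow copy whose dependencies hold one entry per ref, with
    the dependsOn lists unioned in first-seen order (the 'Should be' shape).
    The input document is not modified."""
    merged = OrderedDict()
    for dep in sbom.get("dependencies", []):
        entry = merged.setdefault(dep["ref"], {"ref": dep["ref"], "dependsOn": []})
        for target in dep.get("dependsOn", []):  # dependsOn is optional in the spec
            if target not in entry["dependsOn"]:
                entry["dependsOn"].append(target)
    fixed = dict(sbom)
    fixed["dependencies"] = list(merged.values())
    return fixed


if __name__ == "__main__":
    print("duplicate index pairs:", find_duplicate_refs(SAMPLE_SBOM))
    print(json.dumps(merge_duplicate_refs(SAMPLE_SBOM)["dependencies"], indent=2))
```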
kzantow (Contributor) commented Aug 25, 2023

Thanks for the report @ShuP1

ShuP1 (Author) commented Aug 26, 2023

That was fast! Thanks
