Using syft as a go library to decode a syft json has incomplete data #2069

Closed · jeason81 opened this issue Aug 26, 2023 · 2 comments · Fixed by #2083
Labels: bug (Something isn't working)

jeason81 commented:

When using the formats.Decode() function to decode a Syft-generated SBOM, the Artifacts object has missing contents for FileContents and FileLicenses. To be exact, both return an empty map[].

What you expected to happen:
I expected the returned value of FileContents to have data associated with the file and the file contents so that this could be parsed and used to identify potential security issues.

Steps to reproduce the issue:

```go
package main

import (
	"fmt"
	"os"

	"github.com/anchore/syft/syft/formats"
)

func main() {
	// Open a JSON SBOM previously written by syft.
	file, err := os.Open("syft-sbom.json")
	if err != nil {
		panic(err)
	}
	defer file.Close()

	// Let syft identify the format and decode the document.
	sbom, format, err := formats.Decode(file)
	if err != nil {
		panic(err)
	}

	fmt.Printf("SBOM schema: %+v\n", format)
	fmt.Printf("%+v\n", sbom.Artifacts.FileContents)
}
```

Results in:

```
$ go run main.go
syft-json@10.0.1
map[]
```

However, the syft-sbom.json file contains an extracted file content (content is not sensitive, this is a default /etc/passwd file):

{
   "id": "d63497173ad453fb",
   "location": {
    "path": "/etc/passwd",
    "layerID": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
   },
   "metadata": {
    "mode": 644,
    "type": "RegularFile",
    "userID": 0,
    "groupID": 0,
    "mimeType": "text/plain",
    "size": 767
   },
   "contents": "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",
   "digests": [
    {
     "algorithm": "sha256",
     "value": "adcb34bcce8fb586cbdda36c555382cba5820920dc7026d7ee86cbbd815a5238"
    }
   ]
  },

In addition, I tried to convert a Syft schema 7.0.0 file to a Syft schema 10.0.1 file using `syft convert syft-sbom-7.0.0.json -o syft-json > syft-sbom-10.0.1.json`, but the file contents that existed in the original 7.0.0 file are no longer present in the 10.0.1 file.

Contents of the original 7.0.0 file (content not sensitive):

  {
   "id": "274abb1375774ed4",
   "location": {
    "path": "/etc/passwd",
    "layerID": "sha256:bce45ce613d34bff6a3404a4c2d56a5f72640f804c3d0bd67e2cf0bf97cb950c"
   },
   "metadata": {
    "mode": 644,
    "type": "RegularFile",
    "userID": 0,
    "groupID": 0,
    "mimeType": "text/plain"
   },
   "contents": "cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCg==",
   "digests": [
    {
     "algorithm": "sha256",
     "value": "7a4141683fb585190aaa61c6827a61afd471a1f528e8e0b98746d084a1a3a1a1"
    }
   ]
  },

Contents of the newly converted 10.0.1 file:

  {
   "id": "274abb1375774ed4",
   "location": {
    "path": "/etc/passwd",
    "layerID": "sha256:bce45ce613d34bff6a3404a4c2d56a5f72640f804c3d0bd67e2cf0bf97cb950c"
   },
   "metadata": {
    "mode": 644,
    "type": "RegularFile",
    "userID": 0,
    "groupID": 0,
    "mimeType": "text/plain",
    "size": 0
   },
   "digests": [
    {
     "algorithm": "sha256",
     "value": "7a4141683fb585190aaa61c6827a61afd471a1f528e8e0b98746d084a1a3a1a1"
    }
   ]
  },

Anything else we need to know?:

It appears that FileContents and FileLicenses are not populated in the to_syft_model.go file:

```go
func toSyftFiles(files []model.File) sbom.Artifacts {
```

Environment:

  • Output of syft version:

```
Application:        syft
Version:            0.88.0
JsonSchemaVersion:  10.0.1
BuildDate:          2023-08-25T20:57:04Z
GitCommit:          dd09e0362e46bee7285e0fca5ed96e398c314380
GitDescription:     v0.88.0
Platform:           darwin/arm64
GoVersion:          go1.20.7
Compiler:           gc
```

  • OS (e.g: cat /etc/os-release or similar): Mac OS X Ventura 13.4.1
jeason81 added the bug label Aug 26, 2023
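As an added example (not code from this issue, the reporter, or the syft project), the following stand-alone Go program reads the raw syft-json `files` array with `encoding/json`, bypassing the library decoder, and performs the two checks a consumer of these SBOMs would want after seeing the report above: it lists files whose extracted contents are present in an original document but absent from a converted one, and it base64-decodes each entry's `contents` and compares them with the recorded sha256 `digests` value so that truncated or altered content is not trusted silently. It assumes the entries live under a top-level `files` key; the `/etc/passwd` line, the wrong digest and the document built by `SampleDocument` are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Reduced view of the syft-json "files" array (top-level key assumed); unneeded fields omitted.
type digest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}
type fileEntry struct {
	Location struct {
		Path string `json:"path"`
	} `json:"location"`
	Contents string   `json:"contents,omitempty"`
	Digests  []digest `json:"digests"`
}
type document struct {
	Files []fileEntry `json:"files"`
}

// Sha256Hex returns the lowercase hex sha256 of b, the form syft records.
func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// DroppedContents returns the paths that carry extracted contents in the original
// document but none in the converted one (the loss shown above for 7.0.0 -> 10.0.1).
func DroppedContents(original, converted []byte) ([]string, error) {
	var orig, conv document
	if err := json.Unmarshal(original, &orig); err != nil {
		return nil, fmt.Errorf("original: %w", err)
	}
	if err := json.Unmarshal(converted, &conv); err != nil {
		return nil, fmt.Errorf("converted: %w", err)
	}
	have := map[string]bool{}
	for _, f := range conv.Files {
		have[f.Location.Path] = f.Contents != ""
	}
	var dropped []string
	for _, f := range orig.Files {
		if f.Contents != "" && !have[f.Location.Path] {
			dropped = append(dropped, f.Location.Path)
		}
	}
	return dropped, nil
}

// VerifyDigests base64-decodes each entry's contents and checks them against the
// recorded sha256 digest, reporting every mismatch as "path: reason".
func VerifyDigests(raw []byte) ([]string, error) {
	var doc document
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var problems []string
	for _, f := range doc.Files {
		if f.Contents == "" {
			continue // nothing to verify; DroppedContents covers absent contents
		}
		data, err := base64.StdEncoding.DecodeString(f.Contents)
		if err != nil {
			problems = append(problems, f.Location.Path+": contents are not valid base64")
			continue
		}
		for _, d := range f.Digests {
			if d.Algorithm == "sha256" && d.Value != Sha256Hex(data) {
				problems = append(problems, f.Location.Path+": sha256 digest does not match decoded contents")
			}
		}
	}
	return problems, nil
}

// SampleDocument builds a constructed one-file document for /etc/passwd (sample data,
// not from a real scan); the digest is recorded as given so a wrong value can be tested.
func SampleDocument(contents []byte, includeContents bool, digestValue string) []byte {
	var e fileEntry
	e.Location.Path = "/etc/passwd"
	if includeContents {
		e.Contents = base64.StdEncoding.EncodeToString(contents)
	}
	e.Digests = []digest{{Algorithm: "sha256", Value: digestValue}}
	raw, _ := json.Marshal(document{Files: []fileEntry{e}}) // cannot fail for this fixed structure
	return raw
}

func main() {
	passwd := []byte("root:x:0:0:root:/root:/bin/bash\n") // constructed sample line
	dropped, _ := DroppedContents(SampleDocument(passwd, true, Sha256Hex(passwd)), SampleDocument(passwd, false, ""))
	problems, _ := VerifyDigests(SampleDocument(passwd, true, "not-the-real-digest"))
	fmt.Println("dropped:", dropped, "problems:", problems)
}
```

Running the program against two real syft-json files (read with `os.ReadFile`) in place of the constructed documents gives the same two reports; an empty `dropped` list and an empty `problems` list is the expected result once the library decoder and `syft convert` carry file contents through intact.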
blacktop commented:

Latest is broken for me too

blacktop commented:

Here's my proper standalone issue - #2073
