
Converting an SBOM loses the algorithm type for added checksums #2183

Closed
Mariuxdeangelo opened this issue Sep 28, 2023 · 1 comment · Fixed by #2207
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@Mariuxdeangelo

What happened:

I was working on a project to test different SBOM converters and also looked into Syft. I think you do a really good job, better than most other tools that provide converters for SBOMs.

One thing that looked like a simple bug to me was that syft loses the algorithm of a checksum when converting. This only happens while converting from SPDX to CycloneDX. From CycloneDX to SPDX the value is mapped correctly.

Input:

{
  "name": "commons-compress",
  "SPDXID": "SPDXRef-Package-java-archive-commons-compress-591e913d9a6a50d4",
  "checksums": [
    {
      "algorithm": "SHA1",
      "checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
    }
  ],
  "sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
  "versionInfo": "1.23.0",
  "externalRefs": [
    {
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
      "referenceCategory": "SECURITY"
    },
    {
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
      "referenceCategory": "SECURITY"
    },
    {
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
      "referenceCategory": "SECURITY"
    },
    {
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
      "referenceCategory": "SECURITY"
    },
    {
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
      "referenceCategory": "PACKAGE-MANAGER"
    }
  ],
  "copyrightText": "NOASSERTION",
  "filesAnalyzed": false,
  "licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
  "downloadLocation": "NOASSERTION",
  "licenseConcluded": "NOASSERTION"
}

Output:

{
  "bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=218cd71a5496eeb9",
  "type": "library",
  "name": "commons-compress",
  "version": "1.23.0",
  "licenses": [
    {
      "license": {
        "name": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt"
      }
    }
  ],
  "cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
  "purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
  "externalReferences": [
    {
      "url": "",
      "hashes": [
        {
          "alg": "",
          "content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
        }
      ],
      "type": "build-meta"
    }
  ],
  "properties": [
    {
      "name": "syft:package:language",
      "value": "java"
    },
    {
      "name": "syft:package:metadataType",
      "value": "JavaMetadata"
    },
    {
      "name": "syft:package:type",
      "value": "java-archive"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
    }
  ]
}

Round Trip

{
  "name": "commons-compress",
  "SPDXID": "SPDXRef-Package-java-archive-commons-compress-218cd71a5496eeb9",
  "versionInfo": "1.23.0",
  "downloadLocation": "NOASSERTION",
  "checksums": [
    {
      "algorithm": "",
      "checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
    }
  ],
  "sourceInfo": "acquired package info from installed java archive: ",
  "licenseConcluded": "LicenseRef-LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
  "licenseDeclared": "LicenseRef-LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "SECURITY",
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
    },
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
    }
  ]
}

What you expected to happen:

It feels like a bug that the algorithm type is lost. Looks like CycloneDx and SPDX both support this field.

Steps to reproduce the issue:
These are the commands and SBOMs I used:

Command:

syft convert original.syft.spdx.json -o cyclonedx-json=converted.bySyft.toCdx.json
syft convert converted.bySyft.toCdx.json -o spdx-json=roundTrip.bySyft.toSpdx.json

sboms.zip

Anything else we need to know?:

I put some notes together in a blog post about my tests with all tools. There are more minor things that were not mapped correctly, but this issue feels like a bug, while the others look more like it's hard to map all SPDX and CycloneDX fields. And you guys already stated that converting with Syft is experimental and will lose data. So I guess you already know about that.

https://mariuxdeangelo.gitlab.io/website/#/post/20230925-SBOM-Convertion-Tools

Environment:

  • Output of syft version:
  • OS (e.g: cat /etc/os-release or similar):
Mariuxdeangelo added the bug label on Sep 28, 2023

@wagoodman (Contributor) commented Sep 28, 2023

Thanks for reporting! An initial glance shows that we need to consider casing when we are writing out cyclonedx documents https://github.com/anchore/syft/blob/38d5ef2c84e9bb8245c657daf2a3f97facde0a8f/syft/formats/common/cyclonedxhelpers/external_references.go#L95C46-L95C46

We haven't looked much closer, but it seems that a strings.ToLower of the input in this function would do the trick.
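
To make the failure mode and the suggested fix concrete, here is an added Go example (not Syft's code and not the cyclonedx-go library; all constant, type and function names are this example's own assumptions). It shows a case-sensitive algorithm lookup that drops the SPDX spelling "SHA1" exactly as the issue's output does, the corrected lookup that lower-cases the input first as the comment above suggests (generalised to also tolerate the hyphenated CycloneDX spelling), and a check a consumer can run on a converted SBOM to find hashes that can no longer be used for integrity verification because the algorithm is missing or does not match the digest length. The SHA-1 value is the one from the issue's SPDX input.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// CycloneDX spells hash algorithms with a hyphen ("SHA-1", "SHA-256"), SPDX
// without one ("SHA1", "SHA256"). These constants are this example's own,
// not Syft's or cyclonedx-go's identifiers.
const (
	HashAlgoMD5    = "MD5"
	HashAlgoSHA1   = "SHA-1"
	HashAlgoSHA256 = "SHA-256"
	HashAlgoSHA384 = "SHA-384"
	HashAlgoSHA512 = "SHA-512"
)

// digestHexLen is the hex-encoded digest length each algorithm must produce,
// used to catch a mislabelled or truncated hash after conversion.
var digestHexLen = map[string]int{
	HashAlgoMD5: 32, HashAlgoSHA1: 40, HashAlgoSHA256: 64,
	HashAlgoSHA384: 96, HashAlgoSHA512: 128,
}

// lookup is shared by both mappers; its keys are lower-case and hyphen-free.
func lookup(key string) string {
	switch key {
	case "md5":
		return HashAlgoMD5
	case "sha1":
		return HashAlgoSHA1
	case "sha256":
		return HashAlgoSHA256
	case "sha384":
		return HashAlgoSHA384
	case "sha512":
		return HashAlgoSHA512
	}
	return "" // unknown algorithm: the caller must treat the hash as unusable
}

// strictToCycloneDX reproduces the failure mode from the issue: the input is
// compared as-is, so the upper-case SPDX spelling "SHA1" never matches and
// the algorithm silently becomes "".
func strictToCycloneDX(algorithm string) string {
	return lookup(algorithm)
}

// toCycloneDX is the corrected mapping: normalise case (the strings.ToLower
// suggested in the comment) and strip a hyphen, so "SHA1", "sha-1" and
// "SHA-1" all resolve to the same CycloneDX identifier.
func toCycloneDX(algorithm string) string {
	key := strings.ToLower(strings.TrimSpace(algorithm))
	return lookup(strings.ReplaceAll(key, "-", ""))
}

// Checksum and Hash are minimal stand-ins for one SPDX "checksums" entry and
// one CycloneDX "hashes" entry respectively.
type Checksum struct{ Algorithm, Value string }
type Hash struct{ Alg, Content string }

// convertChecksums maps SPDX checksums to CycloneDX hashes with the given
// algorithm mapper, so the buggy and the fixed behaviour can be compared.
func convertChecksums(in []Checksum, mapAlg func(string) string) []Hash {
	out := make([]Hash, 0, len(in))
	for _, c := range in {
		out = append(out, Hash{Alg: mapAlg(c.Algorithm), Content: c.Value})
	}
	return out
}

// unusableHashes returns the hash contents a consumer could not verify an
// artifact against: the algorithm is missing or unknown, the content is not
// hex, or its length does not match the claimed algorithm. Run this over a
// converted SBOM before relying on its hashes for integrity checks.
func unusableHashes(hashes []Hash) []string {
	var bad []string
	for _, h := range hashes {
		want, known := digestHexLen[h.Alg]
		_, err := hex.DecodeString(h.Content)
		if !known || err != nil || len(h.Content) != want {
			bad = append(bad, h.Content)
		}
	}
	return bad
}

func main() {
	// Constructed input mirroring the checksum from the issue's SPDX package.
	spdx := []Checksum{{Algorithm: "SHA1", Value: "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"}}
	fmt.Println("strict mapper, unusable:", unusableHashes(convertChecksums(spdx, strictToCycloneDX)))
	fmt.Println("fixed mapper, unusable: ", unusableHashes(convertChecksums(spdx, toCycloneDX)))
}
```

With the strict mapper the issue's SHA-1 checksum comes back with an empty `alg` and is reported as unusable; with the normalised mapper it maps to `SHA-1` and passes. The digest-length check is the extra step worth keeping in any SBOM ingestion pipeline: a hash whose label and length disagree is as useless for verification as one with no label at all.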
