
Wrong parsing after v0.85.0 syft for some components #2241

Closed
gandalf1990PL opened this issue Oct 20, 2023 · 5 comments · Fixed by #2273
Labels
bug Something isn't working

Comments

@gandalf1990PL

What happened:
Syft is parsing some components the wrong way. This means Dependency-Track can't upload the BOMs, throwing errors like this:
Cannot insert the value NULL into column 'NAME', table 'DependencyTrackDB.dbo.COMPONENT'; column does not allow nulls. INSERT fails.

e.g. when using any syft version higher than 0.85.0

    <component bom-ref="pkg:nuget/%20@3.14.40721.0918?package-id=db6ac7656db915a9" type="library">
      <name> </name>
      <version>3.14.40721.0918</version>
      <cpe>cpe:2.3:a:_:_:3.14.40721.0918:*:*:*:*:*:*:*</cpe>
      <purl>pkg:nuget/%20@3.14.40721.0918</purl>
      <properties>
        <property name="syft:package:foundBy">dotnet-portable-executable-cataloger</property>
        <property name="syft:package:metadataType">DotnetPortableExecutableMetadata</property>
        <property name="syft:package:type">dotnet</property>
        <property name="syft:location:0:layerID">sha256:3112682c3f97ae1dbc6a6ad3cf230dfef4225c1a53ecc3ebd40e3f6bf36e5f50</property>
        <property name="syft:location:0:path">/app/Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll</property>
      </properties>
    </component>
    <component bom-ref="pkg:nuget/%20@3.29.4?package-id=e6afd6dc74f9ae32" type="library">
      <name> </name>
      <version>3.29.4</version>
      <cpe>cpe:2.3:a:_:_:3.29.4:*:*:*:*:*:*:*</cpe>
      <purl>pkg:nuget/%20@3.29.4</purl>
      <properties>
        <property name="syft:package:foundBy">dotnet-portable-executable-cataloger</property>
        <property name="syft:package:metadataType">DotnetPortableExecutableMetadata</property>
        <property name="syft:package:type">dotnet</property>
        <property name="syft:location:0:layerID">sha256:3112682c3f97ae1dbc6a6ad3cf230dfef4225c1a53ecc3ebd40e3f6bf36e5f50</property>
        <property name="syft:location:0:path">/app/Microsoft.Azure.Cosmos.Direct.dll</property>
      </properties>
    </component>

For version 0.85.0 there are no components with an empty section.

The resulting BOM files for the same container images differ significantly in the number of components.

What you expected to happen:
Name section should be filled in
Steps to reproduce the issue:
.NET app with specific packages included
Anything else we need to know?:

Environment:

  • Output of syft version: v0.93.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 20.04.6 LTS
@gandalf1990PL gandalf1990PL added the bug Something isn't working label Oct 20, 2023
@tgerla
Contributor

tgerla commented Oct 20, 2023

Hi @gandalf1990PL, thank you for the report. Can you provide a package or public image that we can use to reproduce this problem? Thanks!

@gandalf1990PL
Author

Here are the DLLs
packages.zip

@mbxsuite

mbxsuite commented Oct 20, 2023

I can second this bug. The affected NuGet packages in my C# project were

  • Microsoft.Extensions.PlatformAbstractions 1.1.0.21115
  • Microsoft.ApplicationInsights 2.4.0.32153
  • Antlr4.Runtime.Standard 4.13.0.0

Since syft v0.86 onwards, the fields name, purl and bom-ref contain a single space or %20 where the name should have been in the SBOM files.
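A pre-upload check for the symptom described in the original report and in the comment above (blank `<name>`, and `%20` standing in for the name in `purl` and `bom-ref`). This is an added example, not part of this issue thread and not syft's or Dependency-Track's own code. It parses a CycloneDX XML BOM with the Python standard library, flags every component whose name is blank either directly or after percent-decoding the purl, and reports the `syft:location:0:path` property so the offending DLL can be identified. The sample BOM is constructed here and modelled on the XML quoted in the issue; the CycloneDX 1.4 namespace is assumed, but the checker ignores namespaces so any schema version works.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample SBOM: the first component is modelled on the output
# quoted in the issue (blank <name>, "%20" in purl and bom-ref); the second
# is a well-formed component for contrast. The CycloneDX 1.4 namespace is
# an assumption; the checker below strips namespaces anyway.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component bom-ref="pkg:nuget/%20@3.29.4?package-id=e6afd6dc74f9ae32" type="library">
      <name> </name>
      <version>3.29.4</version>
      <purl>pkg:nuget/%20@3.29.4</purl>
      <properties>
        <property name="syft:package:foundBy">dotnet-portable-executable-cataloger</property>
        <property name="syft:location:0:path">/app/Microsoft.Azure.Cosmos.Direct.dll</property>
      </properties>
    </component>
    <component bom-ref="pkg:nuget/Example.Lib@1.2.3?package-id=0123456789abcdef" type="library">
      <name>Example.Lib</name>
      <version>1.2.3</version>
      <purl>pkg:nuget/Example.Lib@1.2.3</purl>
    </component>
  </components>
</bom>
"""


def _local(tag):
    """Strip the XML namespace prefix ("{uri}tag") from an element tag."""
    return tag.rsplit("}", 1)[-1]


def purl_name(purl):
    """Return the percent-decoded name part of a package URL.

    Shape: pkg:type/[namespace/]name@version?qualifiers#subpath
    """
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    body = body.split("@", 1)[0]                      # drop version
    return unquote(body.rsplit("/", 1)[-1])           # last path segment is the name


def find_blank_name_components(xml_text):
    """Return one record per component whose name is blank, directly or via its purl."""
    root = ET.fromstring(xml_text)
    findings = []
    for comp in root.iter():
        if _local(comp.tag) != "component":
            continue
        name, purl, version, path = "", "", "", ""
        for child in comp:
            tag = _local(child.tag)
            if tag == "name":
                name = child.text or ""
            elif tag == "purl":
                purl = child.text or ""
            elif tag == "version":
                version = child.text or ""
            elif tag == "properties":
                for prop in child:
                    if prop.get("name") == "syft:location:0:path":
                        path = prop.text or ""
        reasons = []
        if not name.strip():
            reasons.append("blank <name>")
        if purl and not purl_name(purl).strip():
            reasons.append("blank name in purl")
        if reasons:
            findings.append({
                "bom_ref": comp.get("bom-ref", ""),
                "version": version,
                "path": path,
                "reasons": reasons,
            })
    return findings


def main(argv):
    """Check the BOM given as argv[1], or the built-in sample when no file is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_BOM
    findings = find_blank_name_components(xml_text)
    for f in findings:
        print(f"{f['bom_ref']}  version={f['version']}  file={f['path']}  ({', '.join(f['reasons'])})")
    # Non-zero exit so a CI step can stop the upload before Dependency-Track rejects it.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_bom.py sbom.xml` in the pipeline step that precedes the Dependency-Track upload; a non-zero exit stops the upload, and the printed `file=` path points at the DLL whose metadata the cataloger failed to read, which is the detail needed when filing a report like this one.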

@jeremytbrun

Also getting this for this dependency.

Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll

[image attachment]

@tgerla
Contributor

tgerla commented Oct 26, 2023

Related PR under development: #2133
