.NET / nuget - invalid SBOM generated after parsing #2255

kmoens · 2023-10-25T13:30:45Z

What happened:
When using Syft to generate the SBOM for one of our Docker Images we encountered issues uploading the generated SBOM towards Dependency Track due to an invalid Package URL that was created.

Hereby the fragment of the SBOM:

    {
      "bom-ref": "pkg:nuget/%C3%A4b\u0001FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db?package-id=3ddefa9d1305fed5",
      "type": "library",
      "name": "äb\u0001FileVersion",
      "version": "4.6.25512.01 built by: dlab-DDVSOWINAGE016. Commit Hash: d0d5c7b49271cadb6d97de26d8e623e98abdc8db",
      "purl": "pkg:nuget/%C3%A4b\u0001FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dotnet-portable-executable-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "DotnetPortableExecutableMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "dotnet"
        },
        {
          "name": "syft:location:0:layerID",
          "value": "sha256:d3093f2eddfbe245a9e15bb6245e82ab28499636b9052f643b2d53a89001cadb"
        },
        {
          "name": "syft:location:0:path",
          "value": "/app/runtimes/win-x64/native/sni.dll"
        }
      ]
    },

This resulted in an error while parsing the SBOM as follows:

[2023-10-24 16:27:06.862]  malformed package url pkg:nuget/%C3%A4b�FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db
[2023-10-24 16:27:06.863]  com.github.packageurl.MalformedPackageURLException: Invalid purl: Illegal character in opaque part at index 17: pkg:nuget/%C3%A4b�FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db
[2023-10-24 16:27:06.863]  	at com.github.packageurl.PackageURL.parse(PackageURL.java:549)
[2023-10-24 16:27:06.863]  	at com.github.packageurl.PackageURL.<init>(PackageURL.java:68)

Which is obvious, since it is effectively an invalid SBOM.

What you expected to happen:
A correct and parseable SBOM is created.

Steps to reproduce the issue:
You can use the DLL in question at https://github.com/kmoens/syft-bug-dll/blob/main/sni.dll.gz

Environment:

Output of syft version: 0.94.0
OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04

The text was updated successfully, but these errors were encountered:

spiffcs · 2023-10-25T19:11:54Z

Thanks for the report @kmoens - This could also potentially be related to #2241

kmoens added the bug Something isn't working label Oct 25, 2023

This was referenced Oct 27, 2023

.NET NuGet - dotnet-deps cataloger not working with syft v0.94.0 #2264

Closed

fix: update parsing logic to remove empty space #2273

Merged

spiffcs linked a pull request Oct 30, 2023 that will close this issue

fix: update parsing logic to remove empty space #2273

Merged

spiffcs closed this as completed in #2273 Oct 31, 2023

spiffcs mentioned this issue Oct 31, 2023

Parser for dotnet_portable_executable using wrong attribute name. #2029

Closed

Porkepix mentioned this issue Nov 7, 2023

syft 0.95.0 Homebrew/homebrew-core#153559

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.NET / nuget - invalid SBOM generated after parsing #2255

.NET / nuget - invalid SBOM generated after parsing #2255

kmoens commented Oct 25, 2023

spiffcs commented Oct 25, 2023

.NET / nuget - invalid SBOM generated after parsing #2255

.NET / nuget - invalid SBOM generated after parsing #2255

Comments

kmoens commented Oct 25, 2023

spiffcs commented Oct 25, 2023