.NET / nuget - invalid SBOM generated after parsing #2255

Closed
kmoens opened this issue Oct 25, 2023 · 1 comment · Fixed by #2273
Labels
bug Something isn't working

Comments

kmoens (Contributor) commented Oct 25, 2023

What happened:
When using Syft to generate the SBOM for one of our Docker Images we encountered issues uploading the generated SBOM to Dependency Track due to an invalid Package URL that was created.

Here is the fragment of the SBOM:

    {
      "bom-ref": "pkg:nuget/%C3%A4b\u0001FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db?package-id=3ddefa9d1305fed5",
      "type": "library",
      "name": "äb\u0001FileVersion",
      "version": "4.6.25512.01 built by: dlab-DDVSOWINAGE016. Commit Hash: d0d5c7b49271cadb6d97de26d8e623e98abdc8db",
      "purl": "pkg:nuget/%C3%A4b\u0001FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dotnet-portable-executable-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "DotnetPortableExecutableMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "dotnet"
        },
        {
          "name": "syft:location:0:layerID",
          "value": "sha256:d3093f2eddfbe245a9e15bb6245e82ab28499636b9052f643b2d53a89001cadb"
        },
        {
          "name": "syft:location:0:path",
          "value": "/app/runtimes/win-x64/native/sni.dll"
        }
      ]
    },

This resulted in an error while parsing the SBOM as follows:

[2023-10-24 16:27:06.862]  malformed package url pkg:nuget/%C3%A4b�FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db
[2023-10-24 16:27:06.863]  com.github.packageurl.MalformedPackageURLException: Invalid purl: Illegal character in opaque part at index 17: pkg:nuget/%C3%A4b�FileVersion@4.6.25512.01%20built%20by:%20dlab-DDVSOWINAGE016.%20Commit%20Hash:%20d0d5c7b49271cadb6d97de26d8e623e98abdc8db
[2023-10-24 16:27:06.863]  	at com.github.packageurl.PackageURL.parse(PackageURL.java:549)
[2023-10-24 16:27:06.863]  	at com.github.packageurl.PackageURL.<init>(PackageURL.java:68)

This is obvious, since it is effectively an invalid SBOM.

What you expected to happen:
A correct and parseable SBOM is created.

Steps to reproduce the issue:
You can use the DLL in question at https://github.com/kmoens/syft-bug-dll/blob/main/sni.dll.gz

Environment:

  • Output of syft version: 0.94.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04
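An added example in Go (not Syft's code and not from the reporter) of the guard a cataloger can apply before emitting a purl: strip control characters from a component read out of a PE version resource, percent-encode it, and refuse to build the purl rather than write an unparseable SBOM. The sample name and version are the ones quoted in the issue; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample values, copied from the package entry in the issue above:
// the name carries the raw U+0001 that the downstream purl parser rejected.
const (
	sampleName    = "äb\x01FileVersion"
	sampleVersion = "4.6.25512.01 built by: dlab-DDVSOWINAGE016. Commit Hash: d0d5c7b49271cadb6d97de26d8e623e98abdc8db"
)

// sanitizeComponent drops control characters (PE version resources may carry
// them) and surrounding whitespace before the value is used as a purl component.
func sanitizeComponent(s string) string {
	return strings.TrimSpace(strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, s))
}

// percentEncode escapes every byte except purl-safe ones; ':' is left as-is,
// matching the purl spec and the encoding visible in the issue's output.
func percentEncode(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~', c == ':':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// buildNugetPurl assembles pkg:nuget/<name>@<version> and refuses components
// that would yield an unparseable purl instead of silently emitting one.
func buildNugetPurl(name, version string) (string, error) {
	if name == "" || strings.IndexFunc(name+version, unicode.IsControl) >= 0 {
		return "", fmt.Errorf("invalid purl component for %q@%q", name, version)
	}
	return "pkg:nuget/" + percentEncode(name) + "@" + percentEncode(version), nil
}
```

With the raw name the builder returns an error; after sanitizeComponent it yields the purl from the issue with the control character gone.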
spiffcs (Contributor) commented Oct 25, 2023

Thanks for the report @kmoens. This could also potentially be related to #2241.
