
fix: allow valid cyclonedx input with no components #1873

Merged (3 commits) on Jul 11, 2023

Conversation

@jneate (Contributor) commented Jun 11, 2023

This resolves anchore/grype#1005

The cyclonedx-go library returns nil when presented with:

<components></components>

But returns an empty slice when presented with:

"components": []

The fix is to check if the format is XML, then inspect the XMLNS field, and for other formats inspect the Components field.

Signed-off-by: James Neate <jamesmneate@gmail.com>
Comment on lines 29 to 36
	if format == cyclonedx.BOMFileFormatXML {
		if (!strings.Contains(bom.XMLNS, cycloneDXXmlSchema) || cyclonedx.BOM{} == *bom) {
			return fmt.Errorf("not a valid CycloneDX document")
		}
	} else {
		if (bom.Components == nil || cyclonedx.BOM{} == *bom) {
			return fmt.Errorf("not a valid CycloneDX document")
		}
Contributor

Having nested if statements like this duplicates some of the logic and makes things a little harder to reason about. What about a change like this?

Suggested change
	if format == cyclonedx.BOMFileFormatXML {
		if (!strings.Contains(bom.XMLNS, cycloneDXXmlSchema) || cyclonedx.BOM{} == *bom) {
			return fmt.Errorf("not a valid CycloneDX document")
		}
	} else {
		if (bom.Components == nil || cyclonedx.BOM{} == *bom) {
			return fmt.Errorf("not a valid CycloneDX document")
		}

	xmlWithoutNS := format == cyclonedx.BOMFileFormatXML && !strings.Contains(bom.XMLNS, cycloneDXXmlSchema)
	if cyclonedx.BOM{} == *bom || bom.Components == nil || xmlWithoutNS {
		return fmt.Errorf("not a valid CycloneDX document")
	}

@spiffcs spiffcs self-assigned this Jul 11, 2023
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit 5a7c200 into anchore:main Jul 11, 2023
9 checks passed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
fix: allow valid cyclonedx input with no components
---------

Signed-off-by: James Neate <jamesmneate@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Successfully merging this pull request may close these issues.

Failed to detect format of CycloneDX XML SBOM with no components
3 participants