SBOM unmarshalling does not deal with valid cyclonedx json #2654
Labels
kind/bug
Categorizes issue or PR as related to a bug.
priority/important-soon
Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
scan/sbom
Issues relating to SBOM
Description
When trying to scan an existing SBOM with trivy, the unmarshalling fails for an SBOM created with the python tool cyclonedx-bom (version 3.5.0), which does not add the metadata->component part.
As far as I understand the cyclonedx json schema (https://cyclonedx.org/schema/bom-1.4.schema.json), the metadata property "component" is optional. Validating example SBOMs against the official schema does succeed with and without the metadata->component part.
This can be easily reproduced by creating an SBOM with trivy itself, removing the metadata->component part and scanning the SBOM with trivy.
What did you expect to happen?
The scanning should work like for an unmodified SBOM created with trivy itself. Trivy should deal with any proper cyclonedx json.
What happened instead?
An error/stacktrace is shown (see next section), parsing fails and with this, the scan is aborted.
Output of run with -debug:

Output of trivy -v:

Additional details (base image name, container registry info...):
As far as I understand the source code, making the failing assignment optional should be sufficient. Adding another check for metadata.Component being nil might fix the issue. Maybe further changes are required in case the value is used somewhere. But I'm not familiar with Go, so I may be wrong.
pkg/sbom/cyclonedx/unmarshal.go line 203

```go
...
if metadata != nil {
cmap[metadata.Component.BOMRef] = *metadata.Component
}
...
```
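As an added illustration of the nil check proposed above (example code, not Trivy's own types or parser): the structs below are a minimal, assumed subset of the CycloneDX 1.4 JSON schema, and the three sample documents are constructed inline. `ComponentMap` guards both `metadata` and `metadata.component` before dereferencing, so a BOM without the metadata component (as cyclonedx-bom emits it) indexes cleanly instead of panicking.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is an assumed minimal subset of a CycloneDX 1.4 component.
// Only the fields needed for this example are modelled.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
}

// Metadata models the optional metadata object. Per the schema, the
// "component" property is itself optional, hence the pointer.
type Metadata struct {
	Component *Component `json:"component,omitempty"`
}

// BOM is the top-level document; metadata as a whole is optional too.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Metadata    *Metadata   `json:"metadata,omitempty"`
	Components  []Component `json:"components"`
}

// ParseBOM unmarshals a CycloneDX JSON document and rejects other formats.
// Unknown properties (e.g. metadata.timestamp) are ignored by encoding/json.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("invalid CycloneDX JSON: %w", err)
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	return &b, nil
}

// ComponentMap indexes every component by bom-ref. Both nil checks are
// required: either metadata or metadata.component may be absent.
func ComponentMap(b *BOM) map[string]Component {
	cmap := make(map[string]Component, len(b.Components)+1)
	if b.Metadata != nil && b.Metadata.Component != nil {
		cmap[b.Metadata.Component.BOMRef] = *b.Metadata.Component
	}
	for _, c := range b.Components {
		cmap[c.BOMRef] = c
	}
	return cmap
}

// Constructed sample documents (not real SBOMs): one with the metadata
// component, one with metadata but no component, one with no metadata.
var WithComponent = []byte(`{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {
    "timestamp": "2022-08-01T00:00:00Z",
    "component": {"bom-ref": "pkg:oci/example-app", "type": "container", "name": "example-app"}
  },
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.1", "type": "library", "name": "requests", "version": "2.28.1"}
  ]
}`)

var WithoutComponent = []byte(`{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2022-08-01T00:00:00Z"},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.1", "type": "library", "name": "requests", "version": "2.28.1"}
  ]
}`)

var NoMetadata = []byte(`{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.1", "type": "library", "name": "requests", "version": "2.28.1"}
  ]
}`)

func main() {
	for name, doc := range map[string][]byte{
		"with component": WithComponent, "without component": WithoutComponent, "no metadata": NoMetadata,
	} {
		b, err := ParseBOM(doc)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-18s -> %d component(s) indexed\n", name, len(ComponentMap(b)))
	}
}
```

All three documents validate against the schema as far as the optional metadata.component is concerned; the point of the example is that the indexing step must tolerate the missing pointer rather than rely on the caller having supplied it.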