added error if CycloneDX sboms are missing top level metadata fields (#…

…992) Signed-off-by: pxp928 <parth.psu@gmail.com>
guacsec · Jun 28, 2023 · 165ec24 · 165ec24
1 parent 5f261e9
commit 165ec24
Show file tree

Hide file tree

Showing 4 changed files with 114 additions and 3 deletions.
diff --git a/internal/testing/testdata/exampledata/cyclonedx-no-top-level.json b/internal/testing/testdata/exampledata/cyclonedx-no-top-level.json
@@ -0,0 +1,95 @@
+{
+    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.4",
+    "serialNumber": "urn:uuid:588bb01b-577e-4e1b-a055-b51b8f5f2ed1",
+    "version": 1,
+    "metadata": {
+      "timestamp": "2023-04-18T21:47:45.707189+00:00",
+      "tools": [
+        {
+          "vendor": "CycloneDX",
+          "name": "cyclonedx-bom",
+          "version": "3.11.0"
+        },
+        {
+          "vendor": "CycloneDX",
+          "name": "cyclonedx-python-lib",
+          "version": "3.1.5",
+          "externalReferences": [
+            {
+              "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions",
+              "type": "build-system"
+            },
+            {
+              "url": "https://pypi.org/project/cyclonedx-python-lib/",
+              "type": "distribution"
+            },
+            {
+              "url": "https://cyclonedx.github.io/cyclonedx-python-lib/",
+              "type": "documentation"
+            },
+            {
+              "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues",
+              "type": "issue-tracker"
+            },
+            {
+              "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE",
+              "type": "license"
+            },
+            {
+              "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md",
+              "type": "release-notes"
+            },
+            {
+              "url": "https://github.com/CycloneDX/cyclonedx-python-lib",
+              "type": "vcs"
+            },
+            {
+              "url": "https://cyclonedx.org",
+              "type": "website"
+            }
+          ]
+        }
+      ]
+    },
+    "components": [
+      {
+        "type": "library",
+        "bom-ref": "13ca86b0-38a2-47aa-9a39-b2b042da8bc4",
+        "name": "ruamel.yaml",
+        "version": "0.17.21",
+        "purl": "pkg:pypi/ruamel.yaml@0.17.21",
+        "externalReferences": [
+          {
+            "url": "https://pypi.org/project/ruamel.yaml/0.17.21",
+            "comment": "Distribution available from pypi.org",
+            "type": "distribution",
+            "hashes": [
+              {
+                "alg": "SHA-256",
+                "content": "742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7"
+              }
+            ]
+          },
+          {
+            "url": "https://pypi.org/project/ruamel.yaml/0.17.21",
+            "comment": "Distribution available from pypi.org",
+            "type": "distribution",
+            "hashes": [
+              {
+                "alg": "SHA-256",
+                "content": "8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "dependencies": [
+      {
+        "ref": "13ca86b0-38a2-47aa-9a39-b2b042da8bc4",
+        "dependsOn": []
+      }
+    ]
+  }
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -91,6 +91,9 @@ var (
 	//go:embed exampledata/no-dependent-components-cyclonedx.json
 	CycloneDXExampleNoDependentComponents []byte
 
+	//go:embed exampledata/cyclonedx-no-top-level.json
+	CycloneDXExampleNoTopLevelComp []byte
+
 	//go:embed exampledata/crev-review.json
 	ITE6CREVExample []byte
 

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
@@ -105,8 +105,12 @@ func (c *cyclonedxParser) getTopLevelPackage(cdxBom *cdx.BOM) error {
 				c.packageArtifacts[string(cdxBom.Metadata.Component.BOMRef)] = append(c.packageArtifacts[string(cdxBom.Metadata.Component.BOMRef)], artifact)
 			}
 		}
+		return nil
+	} else {
+		// currently GUAC does not support CycloneDX component field in metadata or the BOM ref being nil.
+		// see https://github.com/guacsec/guac/issues/976 for more details.
+		return fmt.Errorf("guac currently does not support CycloneDX component field in metadata or the BOM ref being nil. See issue #976 for more details")
 	}
-	return nil
 }
 
 func parseContainerType(name string, version string, topLevel bool) string {

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go
@@ -89,8 +89,17 @@ func Test_cyclonedxParser(t *testing.T) {
 		},
 		wantPredicates: &testdata.CdxEmptyIngestionPredicates,
 		wantErr:        false,
-	},
-	}
+	}, {
+		name: "valid CycloneDX document generated by cyclonedx-bom Python utility with a single dependency and no top level component",
+		doc: &processor.Document{
+			Blob:              testdata.CycloneDXExampleNoTopLevelComp,
+			Format:            processor.FormatJSON,
+			Type:              processor.DocumentCycloneDX,
+			SourceInformation: processor.SourceInformation{},
+		},
+		wantPredicates: nil,
+		wantErr:        true,
+	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			s := NewCycloneDXParser()