[ingestion bug] Ingest of SPDX and CDX SBOM for the same image fails on ENT #1816

pxp928 · 2024-04-05T13:33:45Z

Describe the bug
Ingesting an SPDX and CDX SBOM for the same "vulnerable image" fails on ENT. Both SBOMs are attached to this image for testing and to recreate the issue.

Specifically, Occurrence and hasSBOM:

{"level":"info","ts":1712322439.5772312,"caller":"helpers/bulk.go:127","msg":"assembling IsOccurrence: 3878"}
{"level":"error","ts":1712322439.757308,"caller":"helpers/bulk.go:130","msg":"ingestIsOccurrences failed with error: isOccurrencesPkg failed with error: input: ingestOccurrences IngestOccurrences :: bulk upsert Occurrence node: ent: constraint failed: insert nodes to table \"occurrences\": pq: insert or update on table \"occurrences\" violates foreign key constraint \"occurrences_artifacts_artifact\"\n","stacktrace":"github.com/guacsec/guac/pkg/assembler/clients/helpers.GetBulkAssembler.func1\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/assembler/clients/helpers/bulk.go:130\ngithub.com/guacsec/guac/pkg/ingestor.Ingest\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/ingestor/ingestor.go:62\ngithub.com/guacsec/guac/cmd/guacone/cmd.init.func6.1\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/files.go:125\ngithub.com/guacsec/guac/pkg/handler/collector.Collect\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/handler/collector/collector.go:97\ngithub.com/guacsec/guac/cmd/guacone/cmd.init.func6\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/files.go:145\ngithub.com/spf13/cobra.(*Command).execute\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115\ngithub.com/spf13/cobra.(*Command).Execute\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039\ngithub.com/guacsec/guac/cmd/guacone/cmd.Execute\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/root.go:56\nmain.main\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/main.go:23\nruntime.main\n\t/opt/homebrew/Cellar/go/1.22.1/libexec/src/runtime/proc.go:271"}

{"level":"info","ts":1712322439.783575,"caller":"helpers/bulk.go:183","msg":"assembling HasSBOM: 1"}
{"level":"error","ts":1712322439.863877,"caller":"helpers/bulk.go:190","msg":"ingestHasSBOMs failed with error: hasSBOMPkgs failed with error: input: ingestHasSBOMs IngestHasSBOMs failed with err: input: IngestHasSbom :: input: generateSBOMCreate :: updateHasSBOMWithIncludeArtifacts: update for IncludedSoftwareArtifactIDs hasSBOM node failed with error: ent: constraint failed: add m2m edge for table bill_of_materials_included_software_artifacts: pq: insert or update on table \"bill_of_materials_included_software_artifacts\" violates foreign key constraint \"bill_of_materials_included_software_artifacts_artifact_id\"\n","stacktrace":"github.com/guacsec/guac/pkg/assembler/clients/helpers.GetBulkAssembler.func1\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/assembler/clients/helpers/bulk.go:190\ngithub.com/guacsec/guac/pkg/ingestor.Ingest\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/ingestor/ingestor.go:62\ngithub.com/guacsec/guac/cmd/guacone/cmd.init.func6.1\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/files.go:125\ngithub.com/guacsec/guac/pkg/handler/collector.Collect\n\t/Users/parth/Documents/pxp928/artifact-ff/pkg/handler/collector/collector.go:97\ngithub.com/guacsec/guac/cmd/guacone/cmd.init.func6\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/files.go:145\ngithub.com/spf13/cobra.(*Command).execute\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115\ngithub.com/spf13/cobra.(*Command).Execute\n\t/Users/parth/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039\ngithub.com/guacsec/guac/cmd/guacone/cmd.Execute\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/cmd/root.go:56\nmain.main\n\t/Users/parth/Documents/pxp928/artifact-ff/cmd/guacone/main.go:23\nruntime.main\n\t/opt/homebrew/Cellar/go/1.22.1/libexec/src/runtime/proc.go:271"}

To Reproduce
run ENT container:

docker volume create postgres-data
docker run --name postgres-container -e POSTGRES_HOST_AUTH_METHOD=trust -e POSTGRES_USER=guac -e POSTGRES_PASSWORD=guac -p 5432:5432 -v postgres-data:/var/lib/postgresql/data -d postgres

Run graphQL Server:

go run ./cmd/guacgql --gql-debug --gql-backend "ent"

Ingest SPDX or CDX SBOM

go run ./cmd/guacone collect files ./spdx_vuln.json

Ingest second remaining SBOM

go run ./cmd/guacone collect files ./cdx_vuln.json

Expected behavior
There should be no ingestion errors

GUAC version
main

SBOMs for testing
cdx_vuln.json
spdx_vuln.json

The text was updated successfully, but these errors were encountered:

pxp928 added bug Something isn't working trust issues describing providing additional information so that consumers can trust GUAC's results priority Pretty important labels Apr 5, 2024

pxp928 mentioned this issue Apr 11, 2024

[ENT] fix issue with index on artifact #1835

Merged

7 tasks

kodiakhq bot closed this as completed in #1835 Apr 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ingestion bug] Ingest of SPDX and CDX SBOM for the same image fails on ENT #1816

[ingestion bug] Ingest of SPDX and CDX SBOM for the same image fails on ENT #1816

pxp928 commented Apr 5, 2024 •

edited

Loading

[ingestion bug] Ingest of SPDX and CDX SBOM for the same image fails on ENT #1816

[ingestion bug] Ingest of SPDX and CDX SBOM for the same image fails on ENT #1816

Comments

pxp928 commented Apr 5, 2024 • edited Loading

pxp928 commented Apr 5, 2024 •

edited

Loading