
ci: github scan action failing #3386

Closed
terriko opened this issue Oct 4, 2023 · 6 comments
Labels
bug Something isn't working CI Related to our continuous integration service (GitHub Actions)

Comments

@terriko
Contributor

terriko commented Oct 4, 2023

Description

Our GitHub Action https://github.com/intel/cve-bin-tool-action is failing when run on this repo (and possibly others). I'm not sure why yet, but I'm filing this so it's a known issue. There haven't been any code changes in the action recently, so it may be a change in GitHub Actions itself?

To reproduce

See any of the GitHub Actions runs in https://github.com/intel/cve-bin-tool/actions/workflows/cve_bin_tool_action.yml

e.g. https://github.com/intel/cve-bin-tool/actions/runs/6398611856/job/17369112662

@terriko terriko added bug Something isn't working CI Related to our continuous integration service (GitHub Actions) labels Oct 4, 2023
@b31ngd3v
Contributor

b31ngd3v commented Oct 4, 2023

The problem seems to be: the SBOM generator of cve-bin-tool is not working properly on GitHub Actions (locally it works fine). Here are the logs:

test command:

cve-bin-tool . --format html,pdf,json --output-file report --sbom-type spdx --sbom-format json --sbom-output SBOM.spdx.json

test output:

[19:44:29] INFO     cve_bin_tool - CVE Binary Tool v3.2.2dev0         cli.py:533
           INFO     cve_bin_tool - This product uses the NVD API but  cli.py:534
                    is not endorsed or certified by the NVD.                    
           INFO     cve_bin_tool.CVEDB - Using cached CVE data      cvedb.py:218
                    (<24h old). Use -u now to update immediately.               
           INFO     cve_bin_tool.CVEDB - There are 229995 CVE       cvedb.py:289
                    entries in the database                                     
           INFO     cve_bin_tool.CVEDB - There are 213277 CVE       cvedb.py:291
                    entries from NVD in the database                            
           INFO     cve_bin_tool.CVEDB - There are 16718 CVE        cvedb.py:291
                    entries from REDHAT in the database                         
           INFO     cve_bin_tool - CVE database contains CVEs from    cli.py:763
                    National Vulnerability Database (NVD), Open                 
                    Source Vulnerability Database (OSV), Gitlab                 
                    Advisory Database (GAD) and RedHat                          
           INFO     cve_bin_tool - CVE database last updated on 04    cli.py:766
                    October 2023 at 17:07:08                                    
           INFO     cve_bin_tool - Number of checkers: 326            cli.py:942
           INFO     cve_bin_tool.VersionScanner -         version_scanner.py:108
                    Checkers: accountsservice, acpid,                           
                    apache_http_server, apcupsd,                                
                    apparmor, asn1c, assimp, asterisk,                          
                    atftp, avahi, axel, bash, bind,                             
                    binutils, bird, bison, bluez, boinc,                        
                    botan, bro, bubblewrap, busybox,                            
                    bwm_ng, bzip2, c_ares, capnproto,                           
                    ceph, chess, chrony, civetweb,                              
                    clamav, collectd, commons_compress,                         
                    connman, coreutils, cpio, cronie,                           
                    cryptsetup, cups, curl, cvs,                                
                    darkhttpd, dav1d, davfs2, dbus,                             
                    dhclient, dhcpcd, dhcpd, dmidecode,                         
                    dnsmasq, domoticz, dovecot, doxygen,                        
                    dpkg, dropbear, e2fsprogs, ed,                              
                    elfutils, emacs, enscript, exim,                            
                    exiv2, f2fs_tools, faad2, fastd,                            
                    ffmpeg, file, firefox, flac,                                
                    fluidsynth, freeradius, freerdp,                            
                    fribidi, frr, gcc, gdal, gdb,                               
                    gdk_pixbuf, gimp, git, glib, glibc,                         
                    gmp, gnomeshell, gnupg, gnutls,                             
                    gpgme, gpsd, graphicsmagick, grep,                          
                    grub2, gstreamer, gupnp, gvfs, gzip,                        
                    haproxy, harfbuzz, haserl, hdf5,                            
                    hostapd, hunspell, hwloc, i2pd,                             
                    icecast, icu, iperf3, ipmitool,                             
                    ipsec_tools, iptables, irssi,                               
                    iucode_tool, jack2, jacksondatabind,                        
                    janus, jhead, json_c, kbd,                                  
                    keepalived, kerberos, kexectools,                           
                    kodi, kubernetes, ldns, lftp,                               
                    libarchive, libass, libbpg, libcoap,                        
                    libconfuse, libcurl, libdb, libebml,                        
                    libexpat, libgcrypt, libgd, libgit2,                        
                    libical, libidn2, libinput, libjpeg,                        
                    libjpeg_turbo, libksba, liblas,                             
                    libmatroska, libmemcached,                                  
                    libmicrohttpd, libmodbus, libnss,                           
                    libpcap, libraw, librsvg, librsync,                         
                    libsamplerate, libseccomp,                                  
                    libsndfile, libsolv, libsoup,                               
                    libsrtp, libssh, libssh2, libtasn1,                         
                    libtiff, libtomcrypt, libupnp,                              
                    libvirt, libvncserver, libvorbis,                           
                    libxslt, lighttpd, linux_kernel,                            
                    lldpd, logrotate, lua, luajit, lxc,                         
                    lynx, lz4, mailx, mariadb, mdadm,                           
                    memcached, minetest, mini_httpd,                            
                    minicom, minidlna, miniupnpc,                               
                    miniupnpd, modsecurity, monit,                              
                    mosquitto, motion, mpg123, mpv,                             
                    msmtp, mtr, mupdf, mutt, mysql, nano,                       
                    nasm, nbd, ncurses, neon, nessus,                           
                    netatalk, netkit_ftp, netpbm, nettle,                       
                    nghttp2, nginx, ngircd, nmap, node,                         
                    ntfs_3g, ntp, ntpsec, open_iscsi,                           
                    open_vm_tools, openafs, opencv,                             
                    openjpeg, openldap, opensc, openssh,                        
                    openssl, openswan, openvpn, p7zip,                          
                    pango, patch, pcre, pcre2, pcsc_lite,                       
                    perl, picocom, pigz, pixman, png,                           
                    polarssl_fedora, poppler, postgresql,                       
                    ppp, privoxy, procps_ng, proftpd,                           
                    pspp, pure_ftpd, putty, python, qemu,                       
                    qpdf, qt, quagga, radare2, radvd,                           
                    raptor, rauc, rdesktop, readline,                           
                    rpm, rsync, rsyslog, rtl_433,                               
                    rtmpdump, runc, rust, samba,                                
                    sane_backends, sdl, seahorse,                               
                    shadowsocks_libev, sngrep, snort,                           
                    sofia_sip, speex, spice, sqlite,                            
                    squashfs, squid, sslh, stellarium,                          
                    strongswan, stunnel, subversion,                            
                    sudo, suricata, sylpheed, syslogng,                         
                    sysstat, systemd, tcpdump, tcpreplay,                       
                    terminology, thrift, thttpd,                                
                    thunderbird, timescaledb, tinyproxy,                        
                    tor, tpm2_tss, transmission,                                
                    trousers, u_boot, udisks, unbound,                          
                    unixodbc, upx, util_linux, varnish,                         
                    vim, vorbis_tools, vsftpd, webkitgtk,                       
                    wget, wireshark, wolfssl,                                   
                    wpa_supplicant, xerces, xml2,                               
                    xscreensaver, yasm, zabbix, zeek,                           
                    zlib, znc, zsh                                              
           INFO     cve_bin_tool - Number of language checkers: 10    cli.py:947
           INFO     cve_bin_tool.VersionScanner -         version_scanner.py:131
                    Language Checkers: Go, Java,                                
                    Javascript, Perl, Php, Python, R,                           
                    Ruby, Rust, Swift                                           
           INFO     cve_bin_tool - Overall CVE summary:               cli.py:982
           INFO     cve_bin_tool - There are 0 products with known    cli.py:983
                    CVEs detected                                               
           INFO     cve_bin_tool.OutputEngine - JSON report      __init__.py:948
                    stored at                                                   
                    /home/runner/work/cve-bin-tool/cve-bin-tool/                
                    report.json                                                 
╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│ /opt/hostedtoolcache/Python/3.11.5/x64/bin/cve-bin-tool:8 in <module>        │
│                                                                              │
│   5 from cve_bin_tool.cli import main                                        │
│   6 if __name__ == '__main__':                                               │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])     │
│ ❱ 8 │   sys.exit(main())                                                     │
│   9                                                                          │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/cve_bin_ │
│ tool/cli.py:1024 in main                                                     │
│                                                                              │
│   1021 │   │   )                                                             │
│   1022 │   │                                                                 │
│   1023 │   │   if not args["quiet"]:                                         │
│ ❱ 1024 │   │   │   output.output_file_wrapper(output_formats)                │
│   1025 │   │   │   if args["backport_fix"] or args["available_fix"]:         │
│   1026 │   │   │   │   distro_info = args["backport_fix"] or args["available │
│   1027 │   │   │   │   is_backport = True if args["backport_fix"] else False │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/cve_bin_ │
│ tool/output_engine/__init__.py:896 in output_file_wrapper                    │
│                                                                              │
│   893 │                                                                      │
│   894 │   def output_file_wrapper(self, output_types=["console"]):           │
│   895 │   │   for output_type in output_types:                               │
│ ❱ 896 │   │   │   self.output_file(output_type)                              │
│   897 │                                                                      │
│   898 │   def output_file(self, output_type="console"):                      │
│   899 │   │   """Generate a file for list of CVE"""                          │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/cve_bin_ │
│ tool/output_engine/__init__.py:956 in output_file                            │
│                                                                              │
│   953 │   │   │   │   self.output_cves(f, output_type)                       │
│   954 │   │   else:                                                          │
│   955 │   │   │   with open(self.filename, "w", encoding="utf8") as f:       │
│ ❱ 956 │   │   │   │   self.output_cves(f, output_type)                       │
│   957 │                                                                      │
│   958 │   def check_file_path(self, filepath: str, output_type: str, prefix: │
│   959 │   │   # check if the file already exists                             │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/cve_bin_ │
│ tool/output_engine/__init__.py:726 in output_cves                            │
│                                                                              │
│   723 │   │   if self.vex_filename != "":                                    │
│   724 │   │   │   self.generate_vex(self.all_cve_data, self.vex_filename)    │
│   725 │   │   if self.sbom_filename != "":                                   │
│ ❱ 726 │   │   │   self.generate_sbom(                                        │
│   727 │   │   │   │   self.all_product_data,                                 │
│   728 │   │   │   │   filename=self.sbom_filename,                           │
│   729 │   │   │   │   sbom_type=self.sbom_type,                              │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/cve_bin_ │
│ tool/output_engine/__init__.py:892 in generate_sbom                          │
│                                                                              │
│   889 │   │   │   application="cve-bin-tool",                                │
│   890 │   │   │   version=VERSION,                                           │
│   891 │   │   )                                                              │
│ ❱ 892 │   │   my_generator.generate(parent, my_sbom.get_sbom(), filename=fil │
│   893 │                                                                      │
│   894 │   def output_file_wrapper(self, output_types=["console"]):           │
│   895 │   │   for output_type in output_types:                               │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/lib4sbom │
│ /generator.py:79 in generate                                                 │
│                                                                              │
│    76 │   │   │   │   │   print("[ERROR] Project name missing")              │
│    77 │   │   │   │   project_name = "Default_project"                       │
│    78 │   │   │   if self.sbom_type == "spdx":                               │
│ ❱  79 │   │   │   │   self._generate_spdx(project_name, sbom_data)           │
│    80 │   │   │   │   self.sbom = self._get_spdx()                           │
│    81 │   │   │   else:                                                      │
│    82 │   │   │   │   self._generate_cyclonedx(project_name, sbom_data)      │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/lib4sbom │
│ /generator.py:142 in _generate_spdx                                          │
│                                                                              │
│   139 │   │   │   │   │   continue                                           │
│   140 │   │   │   │   product = package["name"]                              │
│   141 │   │   │   │   my_id = package.get("id", None)                        │
│ ❱ 142 │   │   │   │   if not self._validate_id(my_id):                       │
│   143 │   │   │   │   │   my_id = f"{id}-{product}"                          │
│   144 │   │   │   │   parent = "-"                                           │
│   145 │   │   │   │   self._save_element(product, my_id, my_id)              │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/site-packages/lib4sbom │
│ /generator.py:89 in _validate_id                                             │
│                                                                              │
│    86 │   │   │   │   sbom_out.generate_output(self.sbom)                    │
│    87 │                                                                      │
│    88 │   def _validate_id(self, id):                                        │
│ ❱  89 │   │   return len(re.findall(r"([0-9a-zA-Z\.\-\+]+)$", id)) == len(id │
│    90 │                                                                      │
│    91 │   def _generate_spdx(self, project_name: str, sbom_data: SBOMData) - │
│    92 │   │   self.sbom_complete = False                                     │
│                                                                              │
│ /opt/hostedtoolcache/Python/3.11.5/x64/lib/python3.11/re/__init__.py:216 in  │
│ findall                                                                      │
│                                                                              │
│   213 │   has more than one group.                                           │
│   214 │                                                                      │
│   215 │   Empty matches are included in the result."""                       │
│ ❱ 216 │   return _compile(pattern, flags).findall(string)                    │
│   217                                                                        │
│   218 def finditer(pattern, string, flags=0):                                │
│   219 │   """Return an iterator over all non-overlapping matches in the      │
╰──────────────────────────────────────────────────────────────────────────────╯
TypeError: expected string or bytes-like object, got 'NoneType'

@b31ngd3v
Contributor

b31ngd3v commented Oct 5, 2023

Hi @anthonyharrison, can you please take a look at the error log? It looks like it's from lib4sbom.

@anthonyharrison
Contributor

cve-bin-tool . --format html,pdf,json --output-file report --sbom-type spdx --sbom-format json --sbom-output SBOM.spdx.json

@b31ngd3v Will have a look now

@anthonyharrison
Contributor
0 CVEs and 0 products is the problem with lib4sbom. Will update lib4sbom and publish to PyPI.

@anthonyharrison
Contributor
This will stop the crash, but generating an SBOM for no components doesn't seem correct. Need to add the following at the start of generate_sbom:

        if len(all_product_data) == 0:
            return
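As an added illustration (not cve-bin-tool's or lib4sbom's own code), the constructed stand-in below reproduces the failure path in the traceback, where a package without an "id" reaches re.findall() as None, and applies both fixes discussed in this issue: an id check that treats a missing id as invalid instead of raising, and the early return from generate_sbom when the scan found no products. The function names, the product records and the SPDXRef- fallback prefix are assumptions.

```python
import re
from typing import Optional

# Constructed stand-in for the unguarded check in the traceback: re.findall()
# requires a str or bytes, so a package with no "id" key (None) raises TypeError.
def unguarded_id_check(pkg_id):
    return len(re.findall(r"([0-9a-zA-Z\.\-\+]+)$", pkg_id)) > 0


def crashes_on_missing_id() -> bool:
    """Returns True when the unguarded check raises on a None id."""
    try:
        unguarded_id_check(None)
    except TypeError:
        return True
    return False


def validate_id(pkg_id: Optional[str]) -> bool:
    """Hardened check: a missing or non-string id is simply not valid."""
    if not isinstance(pkg_id, str):
        return False
    # whole id must consist of the SPDX-safe character set
    return re.fullmatch(r"[0-9a-zA-Z.\-+]+", pkg_id) is not None


def spdx_id_for(package: dict) -> str:
    """Mirror the _generate_spdx fallback: derive an id when none is valid."""
    my_id = package.get("id")
    if not validate_id(my_id):
        my_id = f"SPDXRef-{package['name']}"  # assumed fallback prefix
    return my_id


def generate_sbom(all_product_data: list, filename: str) -> Optional[dict]:
    """Build a minimal SBOM record, or None when there is nothing to describe."""
    # Guard proposed in the issue: an SBOM with zero components is skipped.
    if len(all_product_data) == 0:
        return None
    packages = [{"name": p["name"], "id": spdx_id_for(p)} for p in all_product_data]
    return {"filename": filename, "packages": packages}


if __name__ == "__main__":
    # Constructed inputs: the CI run above reported 0 products, and a package
    # without an "id" is what triggered the TypeError.
    print("unguarded check raises on None:", crashes_on_missing_id())
    print("empty scan ->", generate_sbom([], "SBOM.spdx.json"))
    print(generate_sbom([{"name": "openssl"}, {"name": "zlib", "id": "SPDXRef-zlib"}],
                        "SBOM.spdx.json"))
```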

@b31ngd3v
Contributor

b31ngd3v commented Oct 5, 2023

thanks @anthonyharrison, it works now 👍🏻
@terriko the tests are also passing now!

@terriko terriko closed this as completed Oct 11, 2023