Empty vulnerability report after spdx-to-osv scan #15
Comments
@ccYHM86 Thanks for the detailed description of the issue. This could be due to incomplete information in the SBOM or an issue in this library. I talked to @puerco, one of the maintainers of the Kubernetes bom, and he suggested it may be related to the bom support for NPM packages. @puerco - please feel free to add any additional info.
@goneall, do you have any tooling recommendations to create a SPDX sBOM for node/npm based projects? I was able to create a CycloneDX sBOM and run it through the OSV DB but I would like to stick with the SPDX standard for our projects. Thanks
@ccYHM86 There has been a lot of activity lately improving the SBOM Generator, so you may want to check out that tool. I have not used it myself. @nishakm @seabass-labrax - feel free to add any insights or recommendations
The SBOM generator should work for npm. I'm waiting for a lockfile v2 fix: opensbom-generator/spdx-sbom-generator#242
@ccYHM86 If you try out the SBOM generator, let me know how it goes. If you run into any issues, please post them in the opensbom-generator repo - there are some active maintainers for that project.
Will do @goneall. Once I get the sBOM via the spdx-sbom-generator project I will try running it through the spdx-to-osv too. With regards to this issue, how do you think we should proceed? I see a few options:
I'm thinking we leave this open for now. If we verify the Kubernetes BOM does not have the required information for NPM, we could close this and open one in Kubernetes - but I'm fine leaving this open until we make sure the alternative tools work.
@goneall I had some time to get back to this. I used the recommended spdx gen tool (https://github.com/opensbom-generator/spdx-sbom-generator) to produce the spdx sbom. Using this sbom I was able to successfully run it through the spdx-to-osv tool to give me a json report of OSS vulnerabilities in the project (I had to use the --all switch, but I assume this is because none of the packages defined in package.json have vulnerabilities - only their dependencies do). I think this bug can be closed since the issue does not seem to root from this tool. Let me know if you have any objections. In the meantime I will poke around the K8 repo and see if they have a roadmap for native node/npm support in their sbom tool. Thanks
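The two explanations floated in this thread (an SBOM that lacks the package data OSV needs, and a scan that only covers the packages the document describes unless --all is passed) can both be checked against the SBOM itself before blaming the scanner. The following Python is an added example, not code from the issue, from spdx-to-osv or from either SBOM generator: it reads an SPDX 2.x JSON document, derives the OSV query each package would produce, and reports which packages a described-only scan would cover and which packages cannot be queried at all. The sample SBOM and its package names are constructed, the npm ecosystem fallback is an assumption, and the reading of --all as "all packages versus described packages" is taken from the comment above, not from the tool's documentation.

```python
"""Triage an SPDX 2.x JSON SBOM before an OSV lookup (added example)."""
import json

# Constructed sample SBOM, not the sbom-demo.spdx attached to the issue: the root
# package is DESCRIBED by the document, dep-a carries a purl, dep-b has no version/purl.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Package-app"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "sbom-demo", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-dep-a", "name": "example-dep-a", "versionInfo": "1.2.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-dep-a@1.2.3"}]},
        {"SPDXID": "SPDXRef-Package-dep-b", "name": "example-dep-b"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-dep-a"},
        {"spdxElementId": "SPDXRef-Package-dep-a", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-dep-b"},
    ],
})


def osv_query(pkg, default_ecosystem="npm"):
    """OSV /v1/query body for one SPDX package: prefer a purl external reference,
    else name + version with an assumed ecosystem; None if neither is present."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return {"package": {"purl": ref["referenceLocator"]}}
    if pkg.get("name") and pkg.get("versionInfo"):
        return {"version": pkg["versionInfo"],
                "package": {"name": pkg["name"], "ecosystem": default_ecosystem}}
    return None


def triage(spdx_json, all_packages=False):
    """Return (queryable, unqueryable) SPDXIDs for the packages a scan would cover.
    all_packages=False limits the scan to what the document DESCRIBES (assumed here
    to be what --all toggles); True covers every package in the SBOM."""
    doc = json.loads(spdx_json)
    pkgs = {p["SPDXID"]: p for p in doc.get("packages", [])}
    selected = set(pkgs) if all_packages else set(doc.get("documentDescribes", []))
    if not all_packages:  # DESCRIBES may also be expressed as a relationship
        selected |= {r["relatedSpdxElement"] for r in doc.get("relationships", [])
                     if r.get("relationshipType") == "DESCRIBES"}
    queryable, unqueryable = {}, []
    for spdx_id in sorted(selected & set(pkgs)):
        query = osv_query(pkgs[spdx_id])
        if query is None:
            unqueryable.append(spdx_id)
        else:
            queryable[spdx_id] = query
    return queryable, unqueryable
```

Run on the sample, the described-only pass yields a single query for the root project, while the all-packages pass queries two packages and flags dep-b as unmatchable; an SBOM whose dependencies all land in the second list will produce an empty report no matter which switch is used.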
@ccYHM86 Thanks for sharing the results of using the SBOM generator. Glad to hear it provided the expected results. I'll go ahead and close this issue.
Description
When using the spdx-to-osv tool to scan an spdx file for vulnerabilities the end result is an empty vulnerability report (report only contains '[]'). No errors are thrown by the tool and the exit code is 0. I'm pretty sure the report should show vulnerabilities since when I run npm install in this project I am given this warning:
When choosing 1 vulnerability at random to cross reference with the osv db
npm audit
I can find this vulnerability on the osv DB: https://osv.dev/vulnerability/GHSA-76p3-8jx3-jpfq
I have attached my spdx file and the resulting output file
The spdx file was created using the bom tool found here: https://github.com/kubernetes-sigs/bom
Steps to Reproduce
java -jar spdx-to-osv/target/spdx-to-osv-0.1.1-SNAPSHOT-jar-with-dependencies.jar -a --input sbom-demo.spdx --output sbom-demo-vuln.json
Expected Results
The sbom-demo-vuln.json file shows the same/similar information in json format as the `npm audit` command
Actual Results
The sbom-demo-vuln.json file is empty
Workaround
None
Environment Info
Attachments
sbom-demo.spdx.zip
sbom-demo-vuln.json.zip