Generating CycloneDX SBOM fails #1097

Closed
JDemler opened this issue Dec 29, 2021 · 1 comment · Fixed by #1102
Labels
bug Something went wrong

Comments


JDemler commented Dec 29, 2021

./docker_run.sh ternd "report -f cyclonedxjson -i debian:buster" > bom.json fails with AttributeError: 'OCIImage' object has no attribute 'repotags'

To Reproduce
Steps to reproduce the behavior:

  1. clone repository
  2. build tern using docker build -f docker/Dockerfile -t ternd .
  3. run ./docker_run.sh ternd "report -f cyclonedxjson -i debian:buster" > bom.json
  4. See error

Error in terminal

2021-12-29 15:03:55,655 - DEBUG - core - Processing Debian copyrights...
2021-12-29 15:03:55,844 - WARNING - core - Some metadata may be missing
2021-12-29 15:04:11,024 - DEBUG - generator - Generating CycloneDX JSON document...
Traceback (most recent call last):
  File "/usr/local/bin/tern", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 286, in main
    do_main(args)
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 116, in do_main
    crun.execute_image(args)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/run.py", line 82, in execute_image
    report.report_out(args, full_image)
  File "/usr/local/lib/python3.9/site-packages/tern/report/report.py", line 86, in report_out
    report = generate_report(args, *images)
  File "/usr/local/lib/python3.9/site-packages/tern/report/report.py", line 41, in generate_report
    return generate_format(
  File "/usr/local/lib/python3.9/site-packages/tern/report/report.py", line 56, in generate_format
    return mgr.driver.generate(images, print_inclusive)
  File "/usr/local/lib/python3.9/site-packages/tern/formats/cyclonedx/cyclonedxjson/generator.py", line 60, in generate
    report = get_document_dict(image_obj_list)
  File "/usr/local/lib/python3.9/site-packages/tern/formats/cyclonedx/cyclonedxjson/generator.py", line 41, in get_document_dict
    docu_dict['metadata']['component'] = mhelpers.get_image_dict(image_obj_list[0])
  File "/usr/local/lib/python3.9/site-packages/tern/formats/cyclonedx/cyclonedxjson/image_helpers.py", line 31, in get_image_dict
    if image_obj.repotags:
AttributeError: 'OCIImage' object has no attribute 'repotags'

Expected behavior
When removing the -f cyclonedxjson flag, everything works as expected.

Environment you are running Tern on

Tern version 2.9.0
   python version = 3.9.9 (main, Dec 21 2021, 10:35:05)

On WSL2 Ubuntu:
Linux --- 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
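A check worth running on the bom.json produced by the command in the report, as an added example that is not part of tern or of this issue: the traceback above goes to stderr, but the shell has already created bom.json by the time tern crashes, so the redirect leaves an empty file behind, and a pipeline that only tests for the file's existence would ship an empty SBOM. The script looks at the core CycloneDX 1.x JSON fields (bomFormat, specVersion, metadata.component, components); the sample document embedded in it is constructed for the demonstration and is not tern output, and the function names are my own.

```python
"""Sanity check for a CycloneDX JSON file such as the bom.json written by
`./docker_run.sh ternd "report -f cyclonedxjson -i debian:buster" > bom.json`.

Added example, not tern's code. The checks cover the core CycloneDX 1.x
JSON fields; the GOOD_SAMPLE document below is constructed for the demo.
"""
import json
import sys

EMPTY_MSG = "file is empty (the generator probably crashed; check stderr and the exit status)"


def sbom_problems(raw):
    """Return a list of problems found in the raw bytes of an SBOM file.
    An empty list means the basic checks passed."""
    if not raw.strip():
        # Exactly what a crashed `tern report ... > bom.json` leaves behind.
        return [EMPTY_MSG]
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not doc.get("specVersion"):
        problems.append("specVersion is missing")
    metadata = doc.get("metadata")
    component = metadata.get("component") if isinstance(metadata, dict) else None
    if not isinstance(component, dict) or not component.get("name"):
        problems.append("metadata.component.name is missing (the image itself is not described)")
    components = doc.get("components")
    if not isinstance(components, list):
        problems.append("components is not a list")
    elif not components:
        problems.append("components is empty (no packages were recorded)")
    else:
        unversioned = [c.get("name", "?") if isinstance(c, dict) else "?"
                       for c in components
                       if not (isinstance(c, dict) and c.get("version"))]
        if unversioned:
            problems.append("%d component(s) without a version, e.g. %s"
                            % (len(unversioned), unversioned[:3]))
    return problems


def check_file(path):
    """Read a file and return its problems; a missing file is itself a problem."""
    try:
        with open(path, "rb") as fh:
            return sbom_problems(fh.read())
    except FileNotFoundError:
        return ["file does not exist: %s" % path]


# Constructed sample of a minimal CycloneDX document for the image in the report.
GOOD_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "debian:buster"}},
    "components": [
        {"type": "library", "name": "libc6", "version": "2.28-10"},
        {"type": "library", "name": "bash", "version": "5.0-4"},
    ],
}).encode()


if __name__ == "__main__":
    # Usage: python check_sbom.py bom.json   (exit status 1 when anything is wrong)
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else sbom_problems(GOOD_SAMPLE)
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it as a step after the report command and fail the job on a non-zero exit; checking the content rather than the file's existence is what catches a crash that the redirect would otherwise hide.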

rnjudge added the bug label on Jan 5, 2022
Contributor

rnjudge commented Jan 5, 2022

Thanks for the report @JDemler! Will get going on a fix for this.

rnjudge added a commit to rnjudge/tern that referenced this issue Jan 14, 2022
Commit 0891287 introduced using the OCIImage class instead of
DockerImage for container image analysis. There is a difference in the
name and type of the variable that holds the repository tag ('repotags'
list for DockerImage vs 'repotag' string for OCIImage) which is causing
the CycloneDX format to break. This was not caught prior to the release
because there are no tests for the CycloneDX format in the ci test file.

This commit resolves the CycloneDX format bug by using the repository
tag variable name depending on image type and also adds an appropriate
test in the ci test file to try to avoid this issue in the future.

Lastly, we add 'undefined-variable' to the list of pylint warnings to
ignore as it was being incorrectly surfaced during prospector runs.

Resolves tern-tools#1097

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue Jan 14, 2022
Commit 0891287 introduced using the OCIImage class instead of
DockerImage for container image analysis. There is a difference in the
name and type of the variable that holds the repository tag ('repotags'
list for DockerImage vs 'repotag' string for OCIImage) which is causing
the CycloneDX format to break. This was not caught prior to the release
because there are no tests for the CycloneDX format in the ci test file.

This commit resolves the CycloneDX format bug by using the repository
tag variable name depending on image type and also adds an appropriate
test in the ci test file to try to avoid this issue in the future.

Lastly, we add 'undefined-variable' to the list of pylint and pyflakes
warnings to ignore as it was being incorrectly surfaced during
prospector runs.

Resolves tern-tools#1097

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue Jan 20, 2022
Commit 0891287 introduced using the OCIImage class instead of
DockerImage for container image analysis. There is a difference in the
name and type of the variable that holds the repository tag ('repotags'
list for DockerImage vs 'repotag' string for OCIImage) which is causing
the CycloneDX format to break. This was not caught prior to the release
because there are no tests for the CycloneDX format in the ci test file.

This commit resolves the CycloneDX format bug by using the repository
tag variable name depending on image type and also adds an appropriate
test in the ci test file to try to avoid this issue in the future.

Resolves tern-tools#1097

Signed-off-by: Rose Judge <rjudge@vmware.com>
nishakm pushed a commit that referenced this issue Jan 20, 2022
Commit 0891287 introduced using the OCIImage class instead of
DockerImage for container image analysis. There is a difference in the
name and type of the variable that holds the repository tag ('repotags'
list for DockerImage vs 'repotag' string for OCIImage) which is causing
the CycloneDX format to break. This was not caught prior to the release
because there are no tests for the CycloneDX format in the ci test file.

This commit resolves the CycloneDX format bug by using the repository
tag variable name depending on image type and also adds an appropriate
test in the ci test file to try to avoid this issue in the future.

Resolves #1097

Signed-off-by: Rose Judge <rjudge@vmware.com>
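The attribute mismatch the commit message describes, and the shape of the fix, as an added example that is not tern's code. DockerImage and OCIImage below are stand-ins that model only the difference the commit names ('repotags' list on DockerImage versus 'repotag' string on OCIImage); tern's real classes carry far more state. The helper names (repotags_of, get_image_dict_before, get_image_dict_after, _component_from_tag), the 'latest' default for an untagged reference, and the exact component dict layout are my own choices, not tern's API or generator output.

```python
"""Why `if image_obj.repotags:` blew up on an OCIImage, and one way to select
the tag attribute by image type so both classes feed the CycloneDX
metadata.component entry.

Added example, not tern's code: the two classes are minimal stand-ins.
"""


class DockerImage:
    """Stand-in: the repository tags live in a list called `repotags`."""

    def __init__(self, repotags):
        self.repotags = list(repotags)


class OCIImage:
    """Stand-in: a single repository tag string lives in `repotag`."""

    def __init__(self, repotag):
        self.repotag = repotag


def _component_from_tag(tag):
    """Split an image reference into a CycloneDX-style component dict.
    'registry:port/name:tag' -> name/version; 'name@sha256:...' keeps the
    digest as the version; an untagged reference defaults to 'latest'
    (Docker's own default, assumed here)."""
    if "@" in tag:
        name, version = tag.split("@", 1)
    elif ":" in tag.rsplit("/", 1)[-1]:  # only a colon in the last path element is a tag
        name, version = tag.rsplit(":", 1)
    else:
        name, version = tag, "latest"
    return {"type": "container", "name": name, "version": version}


def get_image_dict_before(image_obj):
    """Pre-fix logic: assumes every image is a DockerImage. On an OCIImage
    the attribute lookup raises AttributeError, as in the traceback above."""
    if image_obj.repotags:
        return _component_from_tag(image_obj.repotags[0])
    return {"type": "container", "name": "unknown"}


def repotags_of(image_obj):
    """Normalise both image types to a list of reference strings, and fail
    with a clear TypeError for anything else instead of an AttributeError
    deep inside a report generator."""
    if isinstance(image_obj, DockerImage):
        return list(image_obj.repotags)
    if isinstance(image_obj, OCIImage):
        return [image_obj.repotag] if image_obj.repotag else []
    raise TypeError("unsupported image object: %s" % type(image_obj).__name__)


def get_image_dict_after(image_obj):
    """Post-fix logic: pick the tag attribute by image type."""
    tags = repotags_of(image_obj)
    if tags:
        return _component_from_tag(tags[0])
    return {"type": "container", "name": "unknown"}


if __name__ == "__main__":
    # The regression the commit's CI test guards against, in miniature:
    # the same reference must produce the same component from either class.
    docker = DockerImage(["debian:buster"])
    oci = OCIImage("debian:buster")
    try:
        get_image_dict_before(oci)
    except AttributeError as exc:
        print("before the fix:", exc)
    assert get_image_dict_after(docker) == get_image_dict_after(oci)
    print("after the fix:", get_image_dict_after(oci))
```

Dispatching on the concrete type, as above, mirrors what the commit message says the fix does; the alternative of giving both classes the same attribute name would have removed the branch altogether, but that is a larger change to the image model than a format fix should carry.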