SBOM-VERSION one-one relationship discrepancy #625

Open
carlosthe19916 opened this issue Jul 30, 2024 · 0 comments

Comments

@carlosthe19916 (Member)

  • If I fetch GET /api/v1/product/{id} I get
{
    "id": "urn:uuid:621a710b-7760-4ee3-9212-a164aaa79568",
    "name": "quarkus-bom",
    "versions": [
        {
            "id": "urn:uuid:cc2b9049-53e1-422e-a350-68f3d5c1a405",
            "version": "2.13.8.SP3-redhat-00001",
            "sbom_id": "urn:uuid:0191043e-a930-7142-9ed9-85913b8cd19a"
        }
    ],
    "vendor": {
        "id": "305e83f8-6e72-4fc1-a2d6-92c1c912887a",
        "name": "Organization: Red Hat"
    }
}
  • If we pay attention to the versions array we will notice that for each sbom_id there is a SINGLE version, which seems to be the correct way of abstracting the data.

  • However, if I take the versions.sbom_id field and try to fetch the SBOM using /api/v1/sbom/{id} then I get this:

{
    "id": "urn:uuid:0191043e-a930-7142-9ed9-85913b8cd19a",
    "described_by": [
        {
            "id": "SPDXRef-a95c4f3e-57d9-4b8d-8008-f209b8715f81",
            "name": "quarkus-bom",
            "version": "2.13.8.SP3-redhat-00001",
            "purl": [
                {
                    "uuid": "59da4953-9132-5cd6-aaa9-c1ee3544a4fd",
                    "purl": "pkg://maven/com.redhat.quarkus.platform/quarkus-bom@2.13.8.SP3-redhat-00001?repository_url=https://maven.repository.redhat.com/ga/&type=pom",
                    "base": {
                        "uuid": "eb87eb3b-0dbf-5f1b-9198-94f453fd74f7",
                        "purl": "pkg://maven/com.redhat.quarkus.platform/quarkus-bom"
                    },
                    "version": {
                        "uuid": "13198d8e-0202-541f-9a34-84e86f3725ad",
                        "purl": "pkg://maven/com.redhat.quarkus.platform/quarkus-bom@2.13.8.SP3-redhat-00001",
                        "version": "2.13.8.SP3-redhat-00001"
                    },
                    "qualifiers": {
                        "repository_url": "https://maven.repository.redhat.com/ga/",
                        "type": "pom"
                    }
                }
            ],
            "cpe": [
                "cpe:/a:redhat:quarkus:2.13:*:el8:*"
            ]
        }
    ],
    "advisories": []
}

Here is the problem:

  • Using the products endpoints I get a one-one relationship between "sbom" and "version"
  • Using the SBOM endpoint I get a one-many relationship between "sbom" and "version". In this case there is not even a direct field; instead it is embedded within the "described_by" ARRAY field.