
[ingestion/data-quality issue] CycloneDX specification as of 1.4 does not require the component field in metadata #976

Open
pxp928 opened this issue Jun 22, 2023 · 3 comments
Labels
bug Something isn't working data-quality Things related to data quality and document ingestion data-sources

Comments

@pxp928
Collaborator

pxp928 commented Jun 22, 2023

Describe the bug

Discovered by kurt-r2c in original PR #896:

The CycloneDX specification as of 1.4 does not require the component field in metadata, nor does it require the BOM ref field: https://cyclonedx.org/docs/1.4/json/#metadata_component_bom-ref.

guac was encountering a NPE when trying to read these uninitialized fields from the CycloneDX struct.

Some SBOM generators that only operate on package lockfiles (such as https://pypi.org/project/cyclonedx-bom/) do not generate the component metadata field, nor are they required to by the spec.

To Reproduce

Ingestion of an SBOM generated by an SBOM generator that only operates on package lockfiles (such as https://pypi.org/project/cyclonedx-bom/) and does not generate the component metadata field.

Expected behavior

Currently, output an error message that this is not currently supported as there would be no top-level package node and would result in a bunch of singleton packages. Further discussion and handling will need to be done to handle this use-case.

GUAC version
v0.1

@lumjjb
Contributor

lumjjb commented Jul 5, 2023

@kurt-r2c wanted to check back here, want to see what other use cases we need to handle here that stemmed from discussion of this issue.

@joestein

What more specifically needs to be added to the "component field in metadata" to make a CycloneDX file work? Do you have an example of what will work so folks can add that to their CycloneDX output and still make it work with GUAC (even if the spec doesn't support it no biggie to overlay the field post output from existing generators).

@pxp928
Collaborator Author

pxp928 commented Aug 17, 2023

Hey @joestein, at the minimum GUAC requires the following in the component field in the metadata:

"component": {
  "bom-ref": "685d54d5e8f71d2f",
  "type": "container",
  "name": "docker.io/library/alpine:latest",
  "version": "sha256:cbaa390ec61abd889dfa5146a411c11717c19ef9e5e18458dbdc06439076ffe7"
}

At a minimum, it needs the name, version, type, and bom-ref. If the purl is available, that would be the best as guac does not need to infer. Based on the CycloneDX spec the version and bom-ref are not required fields but provide a more accurate SBOM.

Without this information, GUAC cannot make proper relationships between the top-level component and its dependencies (resulting in a bunch of singletons).

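The two behaviours discussed in this thread, rejecting a lockfile-only SBOM with an error instead of dereferencing a nil `metadata.component`, and overlaying a minimal top-level component after generation, as an added Go example. This is not GUAC's own ingestion code: the struct subset, the `ErrNoTopLevelComponent` name, the `ValidateTopLevel`/`ParseAndCheck`/`OverlayTopLevel` helpers and both embedded SBOM documents are constructed for illustration; only the field set (name, version, type, bom-ref) and the alpine component come from the comment above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subset of the CycloneDX 1.4 JSON schema. Pointer fields let the parser tell
// "absent" apart from "present but empty", which is what the nil dereference
// in the issue hinges on. (Constructed types, not GUAC's.)
type Component struct {
	BOMRef  string `json:"bom-ref,omitempty"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

type Metadata struct {
	Component *Component `json:"component,omitempty"`
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Metadata    *Metadata   `json:"metadata,omitempty"`
	Components  []Component `json:"components,omitempty"`
}

// ErrNoTopLevelComponent is the "not currently supported" error the issue
// asks for instead of a crash. Hypothetical name, not a GUAC identifier.
var ErrNoTopLevelComponent = errors.New("cyclonedx: metadata.component is missing or incomplete; SBOMs without a top-level component are not supported")

// ValidateTopLevel checks the minimum field set from the last comment
// (name, version, type, bom-ref) without ever dereferencing a nil pointer.
func ValidateTopLevel(b *BOM) error {
	if b == nil || b.Metadata == nil || b.Metadata.Component == nil {
		return ErrNoTopLevelComponent
	}
	c := b.Metadata.Component
	var missing []string
	for _, f := range []struct{ key, val string }{
		{"name", c.Name}, {"version", c.Version}, {"type", c.Type}, {"bom-ref", c.BOMRef},
	} {
		if f.val == "" {
			missing = append(missing, f.key)
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("%w (missing: %s)", ErrNoTopLevelComponent, strings.Join(missing, ", "))
	}
	return nil
}

// ParseAndCheck unmarshals a CycloneDX JSON document and validates it. The
// parsed BOM is returned together with the validation error so a caller can
// repair it with OverlayTopLevel instead of discarding it.
func ParseAndCheck(raw []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, fmt.Errorf("cyclonedx: invalid JSON: %w", err)
	}
	return &b, ValidateTopLevel(&b)
}

// OverlayTopLevel is the post-generation fix-up joestein asked about: it adds
// metadata.component when the generator left it out and keeps an existing one.
func OverlayTopLevel(b *BOM, c Component) {
	if b.Metadata == nil {
		b.Metadata = &Metadata{}
	}
	if b.Metadata.Component == nil {
		b.Metadata.Component = &c
	}
}

// Constructed sample in the shape a lockfile-only generator emits: metadata
// without a component, and a flat list of dependencies.
const lockfileOnlySBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"timestamp": "2023-06-22T00:00:00Z"},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "name": "requests",
     "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}`

// Constructed sample carrying the minimal top-level component from the comment above.
const alpineSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {
    "bom-ref": "685d54d5e8f71d2f",
    "type": "container",
    "name": "docker.io/library/alpine:latest",
    "version": "sha256:cbaa390ec61abd889dfa5146a411c11717c19ef9e5e18458dbdc06439076ffe7"
  }},
  "components": []
}`

func main() {
	for _, doc := range []string{lockfileOnlySBOM, alpineSBOM} {
		b, err := ParseAndCheck([]byte(doc))
		switch {
		case errors.Is(err, ErrNoTopLevelComponent):
			fmt.Println("rejected:", err)
			OverlayTopLevel(b, Component{BOMRef: "app-1", Type: "application", Name: "my-app", Version: "1.0.0"})
			fmt.Println("after overlay, validation error:", ValidateTopLevel(b))
		case err != nil:
			fmt.Println("parse error:", err)
		default:
			fmt.Println("accepted top-level component:", b.Metadata.Component.Name)
		}
	}
}
```

The overlay values (`app-1`, `my-app`, `1.0.0`) are placeholders; a real overlay should use the artifact the lockfile was taken from, ideally with a purl, so the dependency edges GUAC builds point at the right top-level package.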