When generating SBOM for a directory, no download location values can be found #2085

Open
Auston-Zhang opened this issue Sep 1, 2023 · 1 comment
Labels
bug Something isn't working windows regarding the windows OS

Comments

@Auston-Zhang
Contributor

Auston-Zhang commented Sep 1, 2023

What happened:

When generating an SBOM for a directory, all download location values are "NOASSERTION", even if the ecosystem is JavaScript/NPM.

What you expected to happen:

We should see download location values (URL) in the generated SBOM file.

Take the package @pkgjs/parseargs as an example: it has a url, so in the SBOM file we should see the value for download location as [email protected]:pkgjs/parseargs.git

    "repository": {
      "type": "git",
      "url": "[email protected]:pkgjs/parseargs.git"
    }

Steps to reproduce the issue:

  1. clone a repo https://github.com/airbnb/javascript
  2. run 'npm install' in the folder of the cloned repo
  3. run syft, in my case the command is 'syft C:\test-syft\javascript -o spdx-json > test-after-npm-install.json'
  4. open the generated SBOM file (attached) with an editor/IDE, search ' "downloadLocation": " ', see the count
  5. search ' "downloadLocation": "NOASSERTION" ', the count is the same as the previous count, which means all the download location values are "NOASSERTION"

Anything else we need to know?:

Not sure if I should call it a bug or it is expected behavior. If it is expected behaviour, could you please let me know? Thanks!

Github does not support uploading json file, so sharing it with the Google drive link:
https://drive.google.com/file/d/1kUxQFMoihrpOXvwxt5di6Mv7BXnWSLcN/view?usp=sharing

Environment:

  • Output of syft version: 0.89.0
  • OS (e.g: cat /etc/os-release or similar): Microsoft Windows [Version 10.0.19045.3324]
@Auston-Zhang Auston-Zhang added the bug Something isn't working label Sep 1, 2023
@kzantow kzantow moved this to Backlog in OSS Sep 1, 2023
@Auston-Zhang
Contributor Author

Auston-Zhang commented Sep 1, 2023

To give more context, after checking the code, I feel Syft is running in this way:
(This only applies to the JavaScript ecosystem, haven't looked into other ecosystems yet, of course lots of work will be done for other ecosystems)

  1. if scanning a directory, the cataloger will check package-lock.json
  2. if scanning an image, the cataloger will check package.json

Not sure if it is a quick fix, but adding the code snippet below in the source code,

    case pkg.NpmPackageLockJSONMetadata:
        return NoneIfEmpty(metadata.Resolved)

which will look like

    if hasMetadata(p) {
        switch metadata := p.Metadata.(type) {
        case pkg.ApkMetadata:
            return NoneIfEmpty(metadata.URL)
        case pkg.NpmPackageJSONMetadata:
            return NoneIfEmpty(metadata.URL)
        // new code added
        case pkg.NpmPackageLockJSONMetadata:
            return NoneIfEmpty(metadata.Resolved)
        }
    }

and it seems it can make the SBOM (directory) have downloadLocation values.
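To make the reported behaviour and the proposed fix concrete, here is an added, self-contained Go example (not syft's own code). The `Package`, `NpmPackageJSONMetadata` and `NpmPackageLockJSONMetadata` types are hypothetical stand-ins for syft's `pkg` types, reduced to the fields discussed above; the resolved URLs are constructed sample values. `DownloadLocationBefore` reproduces the fall-through to NOASSERTION for lock-file metadata, `DownloadLocationAfter` adds the extra `case`, and `CountNoAssertion` is the programmatic form of the grep in steps 4 and 5 of the reproduction. One caveat the example surfaces: `NoneIfEmpty` turns an empty `resolved` field (as for a linked workspace package) into `NONE`, which in SPDX asserts that no download location exists, whereas `NOASSERTION` only says none was determined.

```go
package main

import "fmt"

// Hypothetical stand-ins for syft's pkg.NpmPackageJSONMetadata and
// pkg.NpmPackageLockJSONMetadata, reduced to the fields the issue talks about.
type NpmPackageJSONMetadata struct {
	URL string // repository.url as read from package.json (image scan)
}

type NpmPackageLockJSONMetadata struct {
	Resolved string // resolved tarball URL as read from package-lock.json (directory scan)
}

// Hypothetical stand-in for syft's pkg.Package.
type Package struct {
	Name     string
	Metadata interface{}
}

// SPDX 2.x values for PackageDownloadLocation.
const (
	NONE        = "NONE"        // asserts the package has no download location
	NOASSERTION = "NOASSERTION" // no determination was made
)

// NoneIfEmpty mirrors the helper in the issue's snippet: a known-empty value
// becomes NONE rather than NOASSERTION.
func NoneIfEmpty(s string) string {
	if s == "" {
		return NONE
	}
	return s
}

// DownloadLocationBefore reproduces the behaviour reported in the issue: only
// package.json metadata is mapped, so every package catalogued from a
// package-lock.json falls through to NOASSERTION.
func DownloadLocationBefore(p Package) string {
	switch m := p.Metadata.(type) {
	case NpmPackageJSONMetadata:
		return NoneIfEmpty(m.URL)
	}
	return NOASSERTION
}

// DownloadLocationAfter adds the case proposed in the comment, so the lock
// file's resolved URL is emitted as downloadLocation.
func DownloadLocationAfter(p Package) string {
	switch m := p.Metadata.(type) {
	case NpmPackageJSONMetadata:
		return NoneIfEmpty(m.URL)
	case NpmPackageLockJSONMetadata:
		return NoneIfEmpty(m.Resolved)
	}
	return NOASSERTION
}

// CountNoAssertion is the programmatic form of steps 4 and 5 of the
// reproduction: how many packages carry downloadLocation NOASSERTION.
func CountNoAssertion(pkgs []Package, loc func(Package) string) int {
	n := 0
	for _, p := range pkgs {
		if loc(p) == NOASSERTION {
			n++
		}
	}
	return n
}

// SampleDirectoryScan is a constructed stand-in for what a directory scan of
// an npm project yields: lock-file metadata only. URLs are made up.
func SampleDirectoryScan() []Package {
	return []Package{
		{Name: "@pkgjs/parseargs", Metadata: NpmPackageLockJSONMetadata{Resolved: "https://registry.example/@pkgjs/parseargs/-/parseargs-0.0.0.tgz"}},
		{Name: "linked-workspace-pkg", Metadata: NpmPackageLockJSONMetadata{Resolved: ""}},
	}
}

func main() {
	pkgs := SampleDirectoryScan()
	fmt.Printf("before fix: %d of %d packages are NOASSERTION\n", CountNoAssertion(pkgs, DownloadLocationBefore), len(pkgs))
	fmt.Printf("after fix:  %d of %d packages are NOASSERTION\n", CountNoAssertion(pkgs, DownloadLocationAfter), len(pkgs))
	for _, p := range pkgs {
		fmt.Printf("%-22s %s\n", p.Name, DownloadLocationAfter(p))
	}
}
```

Running it shows all sample packages at NOASSERTION before the extra `case` and none after; the second package, whose `resolved` is empty, comes out as `NONE`, which is the point to decide deliberately when reviewing such a change.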
