Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CycloneDX OS component does not have a bom-ref #2101

Closed
kzantow opened this issue Sep 6, 2023 · 2 comments · Fixed by #2634
Closed

CycloneDX OS component does not have a bom-ref #2101

kzantow opened this issue Sep 6, 2023 · 2 comments · Fixed by #2634
Assignees
@kzantow
Labels
bug Something isn't working

Comments

@kzantow
Copy link
Contributor

kzantow commented Sep 6, 2023

What happened:
Running syft ubuntu:latest -o cyclonedx-json includes a component representing the operating system, but it does not include a bom-ref:

    {
      "type": "operating-system",
      "name": "ubuntu",
      "version": "22.04",
      "description": "Ubuntu 22.04.3 LTS",
      "swid": {
        "tagId": "ubuntu", 
        "name": "ubuntu",
        "version": "22.04"
      },
      "externalReferences": [
        { 
          "url": "https://bugs.launchpad.net/ubuntu/",
          "type": "issue-tracker"
        },
        {
          "url": "https://www.ubuntu.com/",
          "type": "website"
        },
        {
          "url": "https://help.ubuntu.com/",
          "comment": "support",
          "type": "other"
        },
        {
          "url": "https://www.ubuntu.com/legal/terms-and-policies/privacy-policy",
          "comment": "privacyPolicy",
          "type": "other"
        }
      ],
      "properties": [
        {
          "name": "syft:distro:id",
          "value": "ubuntu"
        },
        {
          "name": "syft:distro:idLike:0",
          "value": "debian"
        },
        {
          "name": "syft:distro:prettyName",
          "value": "Ubuntu 22.04.3 LTS"
        },
        {
          "name": "syft:distro:versionCodename",
          "value": "jammy"
        },
        {
          "name": "syft:distro:versionID",
          "value": "22.04"
        }
      ]
    }

What you expected to happen:
A bom-ref is set for the component.

Steps to reproduce the issue:
syft ubuntu:latest -o cyclonedx-json

Anything else we need to know?:

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.89.0
    BuildDate: 2023-08-31T14:50:32Z
    GitCommit: Homebrew
    GitDescription: [not provided]
    Platform: darwin/amd64
    GoVersion: go1.21.0
    Compiler: gc
@kzantow kzantow added the bug Something isn't working label Sep 6, 2023
@kzantow
Copy link
Contributor Author

kzantow commented Sep 6, 2023
edited by wagoodman
Loading

This is probably the culprit:

syft/syft/format/common/cyclonedxhelpers/to_format_model.go

Lines 85 to 102 in 25ae7bf

return []cyclonedx.Component{
{
Type: cyclonedx.ComponentTypeOS,
// FIXME is it idiomatic to be using SWID here for specific name and version information?
SWID: &cyclonedx.SWID{
TagID: distro.ID,
Name: distro.ID,
Version: distro.VersionID,
},
Description: distro.PrettyName,
Name: distro.ID,
Version: distro.VersionID,
// TODO should we add a PURL?
CPE: formatCPE(distro.CPEName),
ExternalReferences: eRefs,
Properties: properties,
},
}

@wagoodman wagoodman added this to OSS Feb 7, 2024
@wagoodman wagoodman moved this to Ready in OSS Feb 7, 2024
@wagoodman
Copy link
Contributor

One question I have about this is what should the bom-ref value be? Options:

The only requirements given in the CycloneDX spec: "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique."

The awkwardness with a PURL is that this component doesn't semantically represent a package, so a simple string is probably preferred here. Open to other suggestions

@kzantow kzantow self-assigned this Feb 13, 2024
@kzantow kzantow moved this from Ready to In Progress in OSS Feb 13, 2024
@kzantow kzantow mentioned this issue Feb 13, 2024
Merged
@wagoodman wagoodman moved this from In Progress to In Review in OSS Feb 13, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Feb 14, 2024
@BrewTestBot BrewTestBot mentioned this issue Feb 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: add BOMRef to CycloneDX OS Component kzantow-anchore/syft
2 participants
@wagoodman @kzantow