
empty name #3194

Closed
idefixcert opened this issue Sep 4, 2024 · 5 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog

Comments

@idefixcert

What happened:
Some of the components I get on a system have an empty name like:

   {
      "bom-ref": "5c2ce977a3f2f724",
      "type": "library",
      "name": "",
      "version": "1.8",
      "licenses": [
        {
          "license": {
            "name": "GPL"
          }
        }
      ],
      "purl": "pkg:generic/@1.8",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "linux-kernel-cataloger"
        },

I looked into the code and saw that there is an IsValid function for packages (

syft/syft/pkg/package.go

Lines 83 to 85 in 1aaa644

func IsValid(p *Package) bool {
	return p != nil && p.Name != ""
}
).
but not all of the catalogers respect that.

What you expected to happen:

I would expect that components (packages) that are not valid would not get exported.

Steps to reproduce the issue:

I ran that on a local filesystem.

Anything else we need to know?:

NO

Environment:

  • Output of syft version:
    latest master, because I also tested with the source and my own compilation,
    but also 1.11.1

  • OS (e.g: cat /etc/os-release or similar):

In my case the following patch helped:

Index: syft/pkg/cataloger/ruby/parse_gemspec.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/syft/pkg/cataloger/ruby/parse_gemspec.go b/syft/pkg/cataloger/ruby/parse_gemspec.go
--- a/syft/pkg/cataloger/ruby/parse_gemspec.go	(revision 7c96a10cbea82e94c843112c8394abac7672b0dc)
+++ b/syft/pkg/cataloger/ruby/parse_gemspec.go	(date 1725491039246)
@@ -102,13 +102,13 @@
 			return nil, nil, fmt.Errorf("unable to decode gem metadata: %w", err)
 		}
 
-		pkgs = append(
-			pkgs,
-			newGemspecPackage(
-				metadata,
-				reader.Location,
-			),
+		p := newGemspecPackage(
+			metadata,
+			reader.Location,
 		)
+		if pkg.IsValid(&p) {
+			pkgs = append(pkgs, p)
+		}
 	}
 
 	return pkgs, nil, nil
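Review bot: when `pkg.IsValid(&p)` fails, the gemspec is dropped with no trace, so the upstream cause (decoded gem metadata with no name) becomes invisible to whoever later looks for the missing entry; log the rejected `reader.Location` at debug level before skipping, and consider whether the metadata decode above or newGemspecPackage is where the empty name originates, since a fix there would also cover other callers.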
Index: syft/pkg/cataloger/kernel/parse_linux_kernel_module_file.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/syft/pkg/cataloger/kernel/parse_linux_kernel_module_file.go b/syft/pkg/cataloger/kernel/parse_linux_kernel_module_file.go
--- a/syft/pkg/cataloger/kernel/parse_linux_kernel_module_file.go	(revision 7c96a10cbea82e94c843112c8394abac7672b0dc)
+++ b/syft/pkg/cataloger/kernel/parse_linux_kernel_module_file.go	(date 1725490779123)
@@ -30,12 +30,14 @@
 
 	metadata.Path = reader.Location.RealPath
 
-	return []pkg.Package{
-		newLinuxKernelModulePackage(
-			*metadata,
-			reader.Location,
-		),
-	}, nil, nil
+	p := newLinuxKernelModulePackage(
+		*metadata,
+		reader.Location,
+	)
+	if pkg.IsValid(&p) {
+		return []pkg.Package{p}, nil, nil
+	}
+	return []pkg.Package{}, nil, nil
 }
 
 func parseLinuxKernelModuleMetadata(r unionreader.UnionReader) (p *pkg.LinuxKernelModule, err error) {
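Review bot: the silent drop here loses the diagnostic that is already at hand: `metadata.Path = reader.Location.RealPath` is set two lines above, so include that path in a debug log before returning the empty result. Since the name is populated by parseLinuxKernelModuleMetadata (the function starting right after this hunk), also check there whether the module's name field is being parsed at all, rather than only discarding the package at this layer.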
Index: syft/pkg/cataloger/kernel/parse_linux_kernel_file.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/syft/pkg/cataloger/kernel/parse_linux_kernel_file.go b/syft/pkg/cataloger/kernel/parse_linux_kernel_file.go
--- a/syft/pkg/cataloger/kernel/parse_linux_kernel_file.go	(revision 7c96a10cbea82e94c843112c8394abac7672b0dc)
+++ b/syft/pkg/cataloger/kernel/parse_linux_kernel_file.go	(date 1725490728661)
@@ -35,12 +35,14 @@
 		return nil, nil, nil
 	}
 
-	return []pkg.Package{
-		newLinuxKernelPackage(
-			metadata,
-			reader.Location,
-		),
-	}, nil, nil
+	p := newLinuxKernelPackage(
+		metadata,
+		reader.Location,
+	)
+	if pkg.IsValid(&p) {
+		return []pkg.Package{p}, nil, nil
+	}
+	return []pkg.Package{}, nil, nil
 }
 
 func parseLinuxKernelMetadata(magicType []string) (p pkg.LinuxKernel) {
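Review bot: the new fallthrough `return []pkg.Package{}, nil, nil` returns an empty but non-nil slice, whereas the existing "nothing found" path at the top of this hunk uses `return nil, nil, nil`; use one form for both (the nil return matches the existing code) so callers get consistent results from this parser.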
Index: syft/pkg/cataloger/ruby/parse_gemfile_lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/syft/pkg/cataloger/ruby/parse_gemfile_lock.go b/syft/pkg/cataloger/ruby/parse_gemfile_lock.go
--- a/syft/pkg/cataloger/ruby/parse_gemfile_lock.go	(revision 7c96a10cbea82e94c843112c8394abac7672b0dc)
+++ b/syft/pkg/cataloger/ruby/parse_gemfile_lock.go	(date 1725490344297)
@@ -42,13 +42,14 @@
 			if len(candidate) != 2 {
 				continue
 			}
-			pkgs = append(pkgs,
-				newGemfileLockPackage(
-					candidate[0],
-					strings.Trim(candidate[1], "()"),
-					reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
-				),
+			p := newGemfileLockPackage(
+				candidate[0],
+				strings.Trim(candidate[1], "()"),
+				reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 			)
+			if pkg.IsValid(&p) {
+				pkgs = append(pkgs, p)
+			}
 		}
 	}
 	if err := scanner.Err(); err != nil {
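Review bot: this is the fourth copy of the `if pkg.IsValid(&p) { pkgs = append(pkgs, p) }` guard in the patch; filtering once where cataloger results are collected would cover every parser, including future ones, instead of relying on each parser to remember the check. Locally, `candidate[0]` is the name, so an `if candidate[0] == "" { continue }` next to the existing `len(candidate) != 2` test would skip the entry without constructing a package at all.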
@idefixcert idefixcert added the bug Something isn't working label Sep 4, 2024
@idefixcert
Author

I opened a pull request for it:
#3199

@willmurphyscode
Contributor

@idefixcert thanks for the issue and the PR!

We still have a couple questions before understanding the issue and reviewing the PR:

  1. Is there a publicly available artifact that exhibits this problem? We'd like to understand how Syft makes a package that has no name - it could be that the bug is further upstream, and we need to improve the code where Syft tries to detect the name, rather than drop the malformed package before it's returned by the cataloger.
  2. Are you running Syft with default config?

The code I think might need to be fixed is

case "name":
k.Name = value

Are you able to see what's going on there? Is it possible the kernel module specifies its name in a different field or something?

@rhartman93

rhartman93 commented Sep 23, 2024

I'm not sure if I'm in the exact same boat, but I was inspecting an SBOM for an image I built that was constructed with syft, and I have several instances of this for rubygems.

        {
            "bom-ref": "4dabbdca5e182531",
            "type": "library",
            "name": "",
            "purl": "pkg:gem/",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "ruby-gemspec-cataloger"
                },
                {
                    "name": "syft:package:language",
                    "value": "ruby"
                },
                {
                    "name": "syft:package:type",
                    "value": "gem"
                },
                {
                    "name": "syft:package:metadataType",
                    "value": "ruby-gemspec"
                },
                {
                    "name": "syft:location:0:path",
                    "value": "/root/.cache/gem/specs/index.rubygems.org%443/quick/Marshal.4.8/chef-utils-18.5.0.gemspec"
                }
            ]
        },
        {
            "bom-ref": "b8e9734ad545ac63",
            "type": "library",
            "name": "",
            "purl": "pkg:gem/",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "ruby-gemspec-cataloger"
                },
                {
                    "name": "syft:package:language",
                    "value": "ruby"
                },
                {
                    "name": "syft:package:type",
                    "value": "gem"
                },
                {
                    "name": "syft:package:metadataType",
                    "value": "ruby-gemspec"
                },
                {
                    "name": "syft:location:0:path",
                    "value": "/root/.cache/gem/specs/index.rubygems.org%443/quick/Marshal.4.8/concurrent-ruby-1.3.4.gemspec"
                }
            ]
        },
        {
            "bom-ref": "678cc9015e228b05",
            "type": "library",
            "name": "",
            "purl": "pkg:gem/",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "ruby-gemspec-cataloger"
...

I can push the image somewhere public if it would be helpful to inspect, and/or share the full SBOM. I notice in my case each gem has the same (presumably) incomplete purl, so I'm not 100% sure if this is the same issue as what opened this thread.
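As an added example (not code from Syft or from anyone in this thread), here is a consumer-side check for the symptom shown in the opening report and in the gemspec output above: it parses CycloneDX JSON, lists every component with an empty name, and attributes each one to the cataloger named in its syft:package:foundBy property. The sample document is constructed from the snippets in this thread; the bom-ref c0ffee and the third component are invented.

```go
package main

import "encoding/json"

// Minimal view of the CycloneDX fields this check needs; encoding/json matches
// field names case-insensitively, so only "bom-ref" needs an explicit tag.
type property struct{ Name, Value string }
type component struct {
	BOMRef     string `json:"bom-ref"`
	Name, PURL string
	Properties []property
}
type bom struct{ Components []component }

type Finding struct{ BOMRef, PURL, FoundBy string }

// FindUnnamedComponents parses a CycloneDX JSON document and returns every
// component whose name is empty, so an SBOM consumer can reject the document
// or trace each entry back to the cataloger (syft:package:foundBy) that made it.
func FindUnnamedComponents(doc []byte) ([]Finding, error) {
	var b bom
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range b.Components {
		if c.Name != "" {
			continue
		}
		f := Finding{BOMRef: c.BOMRef, PURL: c.PURL, FoundBy: "unknown"}
		for _, p := range c.Properties {
			if p.Name == "syft:package:foundBy" {
				f.FoundBy = p.Value
			}
		}
		out = append(out, f)
	}
	return out, nil
}

// sampleBOM is constructed for this example, modelled on the snippets in the thread.
const sampleBOM = `{"components":[
 {"bom-ref":"5c2ce977a3f2f724","type":"library","name":"","version":"1.8","purl":"pkg:generic/@1.8","properties":[{"name":"syft:package:foundBy","value":"linux-kernel-cataloger"}]},
 {"bom-ref":"4dabbdca5e182531","type":"library","name":"","purl":"pkg:gem/","properties":[{"name":"syft:package:foundBy","value":"ruby-gemspec-cataloger"}]},
 {"bom-ref":"c0ffee","type":"library","name":"concurrent-ruby","version":"1.3.4","purl":"pkg:gem/concurrent-ruby@1.3.4"}]}`

func main() {
	findings, err := FindUnnamedComponents([]byte(sampleBOM))
	if err != nil { panic(err) }
	for _, f := range findings { println("empty name:", f.BOMRef, f.PURL, f.FoundBy) }
}
```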

@willmurphyscode
Contributor

This might be addressed by #3257 when that is released.

@willmurphyscode
Contributor

We believe this was fixed by #3257, released in Syft 1.14.0. If we're wrong, please let us know!

@github-project-automation github-project-automation bot moved this to Done in OSS Oct 14, 2024
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Oct 14, 2024