Fix crash when parsing valid CycloneDX formats missing optional metadata fields #896
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Signed-off-by: Kurt Boberg <[email protected]>
kurt-r2c
force-pushed
the
kb/component-metadata-spec-adherence
branch
from
255c0d1 to
7838840
Compare
| toplevel := c.getPackageElement(string(c.cdxBom.Metadata.Component.BOMRef)) | ||
| var toplevel []*model.PkgInputSpec = nil | ||
|
|
||
| if c.cdxBom.Metadata.Component != nil && c.cdxBom.Metadata.Component.BOMRef != "" { |
There was a problem hiding this comment.
Hello @kurt-r2c! Thanks for the PR! This is something that warrants further discussion/thought on how it should be handled in GUAC, as we could potentially not have a top-level component. I will keep you posted and we can update this PR as needed.
There was a problem hiding this comment.
I am wondering what the use case of having a CDX document without the top level component is for... if it is the case where it is interpretted as here's a list of all the components I use, then it should parse to a bunch of singletons, however, if it is not , then my thought would be to either use the generic guac/cdx/<name> or to just reject it. let's make sure we have this on the priority for triage.
|
Hey @kurt-r2c, could you elaborate a bit more on your use case here? Based on the PR, it would generate |
|
@pxp928 I was just trying to ingest a Python CycloneDX SBOM generated for a project using https://pypi.org/project/cyclonedx-bom/ to start exploring the tool. The SBOM output from |
It seems like for now we will need to output a message that this is not currently supported at this time and work through a solution or some type of validation on the data before it is ingested into GUAC. I will create a PR to handle this use case gracefully. |
|
Yea let's perhaps add a message and link to this issue for discussion in the warning message. In case someone else comes along with a use case and a way to handle it. |
Description of the PR
Fixes #169.
As of 0d557cb,
guacstill crashes on the example from #169 (referenced also in #199): https://github.com/JupiterOne/graph-github/blob/43fa5c43078eb16fad904fd1567133f9c296ea7f/reports/bom.json#L6-L11The root cause is this line of code:
guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
Line 205 in cb2b6fe
The CycloneDX specification as of 1.4 does not require the
componentfield inmetadata, nor does it require the BOM ref field: https://cyclonedx.org/docs/1.4/json/#metadata_component_bom-ref.guacwas encountering a NPE when trying to read these uninitialized fields from the CycloneDX struct.Some SBOM generators that only operate on package lockfiles (such as https://pypi.org/project/cyclonedx-bom/) do not generate the
componentmetadata field, nor are they required to by the spec.This change makes the existence of this field optional and "fails closed" to the
nilhandler introduced by #603 - I believe this preserves the intent of the design while gracefully handling the non-existence of this metadata field.The test I added is not great - it does check that a schema without these fields in metadata parses but the predicate output is
nildue to the existing handlers, which I did not want to make sweeping changes to. I leave this up to the maintainers to decide how this should behave.PR Checklist
-sflag togit commit.make generatehas been runcollectsubprotobuf has been changed,make protohas been run