v0.99.0: CycloneDX json output breaks osv-scanner #2467

Closed
thejan2009 opened this issue Jan 4, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@thejan2009

What happened:

The latest syft release doesn't cooperate with osv-scanner (v1.5.0) any more:

[~] syft packages registry:docker.io/alpine:3.19.0 -o cyclonedx-json=alpine.cdx.json
 ✔ Parsed image                    sha256:1dc785547989b0db1c3cd9949c57574393e69bea98bfe044b0588e24721aa402
 ✔ Cataloged file metadata         [527 locations]
 ✔ Cataloged packages              [16 packages]
 ✔ Cataloged file digests          [840 digests]
[~] osv-scanner --sbom alpine.cdx.json
Failed to parse SBOM using all supported formats:
failed to parse SPDX:
        failed trying json: JSON document does not contain spdxVersion field
        failed trying rdf: found extra chars before tag start
        failed trying tv: unsupported SPDX version: ''
failed to parse CycloneDX:
        failed trying json: json: cannot unmarshal object into Go struct field Metadata.metadata.tools of type []cyclonedx.Tool
        failed trying xml: XML syntax error on line 1: invalid character entity &distro (no semicolon)
No package sources found, --help for usage information.

What you expected to happen:
SBOM to be scanned successfully.

Steps to reproduce the issue:
See above.

Anything else we need to know?:

Environment:

  • Output of syft version:
    v0.99.0
  • OS (e.g: cat /etc/os-release or similar):
    Happens both in alpine-based CI environment and on a mac.
@thejan2009 thejan2009 added the bug Something isn't working label Jan 4, 2024
@thejan2009
Author

I see this would be more of an osv-scanner issue because it depends on a "deprecated" metadata.tools parameter. The diff between v0.98 and v0.99 is:

5c5
<   "serialNumber": "urn:uuid:e6b1b429-72b8-488b-b990-af04d52a6a72",
---
>   "serialNumber": "urn:uuid:02b25cda-2ace-468a-9fa9-51514035e167",
8,15c8,18
<     "timestamp": "2024-01-04T07:17:24+01:00",
<     "tools": [
<       {
<         "vendor": "anchore",
<         "name": "syft",
<         "version": "0.98.0"
<       }
<     ],
---
>     "timestamp": "2024-01-04T07:07:25+01:00",
>     "tools": {
>       "components": [
>         {
>           "type": "application",
>           "author": "anchore",
>           "name": "syft",
>           "version": "0.99.0"
>         }
>       ]
>     },
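As an added illustration (not code from syft or osv-scanner) of how a consumer can accept both shapes of metadata.tools shown in the diff above: a Go type with a custom unmarshaller that decodes either the legacy array or the object with a "components" list, so a document from either syft version parses. The type and function names are my own, and the two sample documents are constructed from the diff.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Tool is one tool entry; "vendor" is the older field, "author" the newer one.
type Tool struct {
	Vendor  string `json:"vendor,omitempty"`
	Author  string `json:"author,omitempty"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Tools decodes both the legacy array (syft 0.98 output) and the object
// whose "components" list holds the entries (syft 0.99 output).
type Tools []Tool

func (t *Tools) UnmarshalJSON(b []byte) error {
	var legacy []Tool
	if json.Unmarshal(b, &legacy) == nil { // array form
		*t = legacy
		return nil
	}
	var modern struct{ Components []Tool `json:"components"` }
	if err := json.Unmarshal(b, &modern); err != nil {
		return fmt.Errorf("metadata.tools: unsupported shape: %w", err)
	}
	*t = modern.Components // object form
	return nil
}

// ParseTools returns metadata.tools of a CycloneDX JSON document in either shape.
func ParseTools(doc []byte) (Tools, error) {
	var b struct{ Metadata struct{ Tools Tools `json:"tools"` } `json:"metadata"` }
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, err
	}
	return b.Metadata.Tools, nil
}

// Constructed samples following the two shapes shown in the diff above.
const OldBOM = `{"metadata":{"tools":[{"vendor":"anchore","name":"syft","version":"0.98.0"}]}}`
const NewBOM = `{"metadata":{"tools":{"components":[{"type":"application","author":"anchore","name":"syft","version":"0.99.0"}]}}}`

func main() {
	fmt.Println(ParseTools([]byte(OldBOM)))
	fmt.Println(ParseTools([]byte(NewBOM)))
}
```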
