Not all the packages are getting imported in Blackduck scanner #2840
Comments
|
Hi @Naranthiran, thanks for the report. Can you attach a copy of sbom.050524.json to this issue? It looks like there are a bunch of errors related to symlinks in the scan output. It would be helpful if we could also see the contents of the tar file. Could we have access to the tar file itself? If not, a complete file listing from the tar archive would be a good start. Thanks! |
|
Hi Tim, I have attached the SBOM. The tar file is a filesystem which was created using the image builder tool. If you have subscribed, you can generate the tar file from the RedHat console. I will not be able to upload as the files size in huge.. Regards |
|
Hi @Naranthiran, I checked out the SBOM and I see over 600 entries, about what I would expect. Running Grype against it reports a bunch of possible vulnerabilities. Can you explain in more detail the problem on the Syft side here? I am not familiar with Blackduck's scanning software and you might need to contact them for information about their tool. Thanks! |
|
Hi Tim, Thanks for your response. From the BlackDuck side, I understand that the package name and referenceLocator files were not matching. Regards |
|
Hi Naranthiran, as far as I can tell, your method of calling Syft is fine, and I don't see anything out of the ordinary in the generated SBOM. It does look like Blackduck is expecting something different. It might be some sort of incompatibility between the tools but we would be happy to look. Would you be able to contact Blackduck and open a support ticket there? We would be happy to explore the problem. Thanks, Tim |
scann_outpu.txt
What happened:
I am trying to generate SBOM for my RHEL 7 custom image which is built using image builder. And I am executing the below command
#syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json
Please correct me if the command and its parameters provided are wrong.
What you expected to happen:
While importing the SBOM generated using the above command out of 650 components only 58 are imported.
Error:
openssl1.1.1kpkg:generic/openssl@1.1.1k | | Component Not FoundUnable to map scanned component version to Black Duck project version because no mapping is present for the given external identifier
Steps to reproduce the issue:
1)Generated an RHEL 8 image using the imaged builder.
2)Download the image from the image builder and generate the SBOM.
#syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json
3)Import the SBOM in the Blackduck scanner.
Anything else we need to know?:
I have attached the scan logs,
Environment: x86_64
syft version: syft 1.1.1cat /etc/os-releaseor similar): RHEL 8.8The text was updated successfully, but these errors were encountered: