Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generating duplicate in relationships in CycloneDX #2062

Closed
ShuP1 opened this issue Aug 25, 2023 · 2 comments · Fixed by #2063
Closed

Generating duplicate in relationships in CycloneDX #2062

ShuP1 opened this issue Aug 25, 2023 · 2 comments · Fixed by #2063
Assignees
Labels
bug Something isn't working format:cyclonedx CycloneDX related enhancement or bug

Comments

@ShuP1
Copy link

ShuP1 commented Aug 25, 2023

What happened:

Syft produces invalid CycloneDX SBOM at least for apkdb-cataloger cataloger.
Due to duplicated refs in dependencies

CycloneDX JSON Reference #dependencies states:

All items must be unique

This rule is enforced by https://github.com/CycloneDX/cyclonedx-cli

What you expected to happen:

Syft produces a valid SBOM.

Steps to reproduce the issue:

> syft packages alpine:latest -o cyclonedx-json > sbom.json
> cyclonedx-cli validate --input-file sbom.json
Unable to validate against any JSON schemas.
BOM is not valid.
> cyclonedx-cli validate --input-file sbom.json --input-version v1_4
Validating JSON BOM...
Validation failed: Found duplicates at the following index pairs: "(2, 4)"
#/properties/dependencies/uniqueItems
BOM is not valid.

Anything else we need to know?:

/* ... */
"dependencies": [
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.18.3&package-id=afce4445f1c5ffeb"
      ]
    },
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/busybox-binsh@1.36.1-r2?arch=x86_64&upstream=busybox&distro=alpine-3.18.3&package-id=337ecb49f16db0b4"
      ]
    },
/* ... */

Should be:

/* ... */
"dependencies": [
    {
      "ref": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1?arch=x86_64&distro=alpine-3.18.3&package-id=4457aba38f428cff",
      "dependsOn": [
        "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.18.3&package-id=afce4445f1c5ffeb",
        "pkg:apk/alpine/busybox-binsh@1.36.1-r2?arch=x86_64&upstream=busybox&distro=alpine-3.18.3&package-id=337ecb49f16db0b4"
      ]
    },
/* ... */

Environment:

  • Output of syft version: 0.87.1
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.3 LTS
@ShuP1 ShuP1 added the bug Something isn't working label Aug 25, 2023
@ShuP1 ShuP1 changed the title Invalide CycloneDX: duplicates in relationships section Invalid CycloneDX: duplicates in relationships section Aug 25, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 25, 2023

Thanks for the report @ShuP1

@kzantow kzantow moved this to In Progress in OSS Aug 25, 2023
@kzantow kzantow self-assigned this Aug 25, 2023
@kzantow kzantow moved this from In Progress to In Review in OSS Aug 25, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 25, 2023
@ShuP1
Copy link
Author

ShuP1 commented Aug 26, 2023

That was fast! Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working format:cyclonedx CycloneDX related enhancement or bug
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

3 participants