Incorrect downloadLocation for certain NPM packages #2129

Closed
pushkargr opened this issue Sep 14, 2023 · 2 comments · Fixed by #2238
Labels
bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Comments

@pushkargr

What happened:
We are seeing multiple instances where the downloadLocation is populated with either an incorrect URL or an incorrectly formatted URL.

Example of incorrect URL:
Here the downloadLocation is not even a complete URL.

        {
            "name": "is-stream",
            "SPDXID": "SPDXRef-Package-npm-is-stream-0db19bd1a9355512",
            "versionInfo": "2.0.1",
            "supplier": "Person: Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)",
            "originator": "Person: Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)",
            "downloadLocation": "sindresorhus/is-stream",
            "filesAnalyzed": false,
            "sourceInfo": "acquired package info from installed node module manifest file: /app/node_modules/winston/node_modules/is-stream/package.json",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "MIT",
            "copyrightText": "NOASSERTION",
            "description": "Check if something is a Node.js stream",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is-stream:is-stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is-stream:is_stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is_stream:is-stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is_stream:is_stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is:is-stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is:is_stream:2.0.1:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:npm/is-stream@2.0.1"
                }
            ]
        },

Example of incorrect URL format:
downloadLocation value git@github.com:colorjs/color-name.git does not comply with the accepted formats for Git by https://spdx.github.io/spdx-spec/v2.3/package-information/#77-package-download-location-field

In the same document, the Git location is populated correctly for some packages, so I'm not sure why others are populated in the incorrect format.

        {
            "name": "color-name",
            "SPDXID": "SPDXRef-Package-npm-color-name-f50dd38ce4dc2ed1",
            "versionInfo": "1.1.4",
            "supplier": "Person: DY <dfcreative@gmail.com>",
            "originator": "Person: DY <dfcreative@gmail.com>",
            "downloadLocation": "git@github.com:colorjs/color-name.git",
            "filesAnalyzed": false,
            "homepage": "https://github.com/colorjs/color-name",
            "sourceInfo": "acquired package info from installed node module manifest file: /app/node_modules/color-name/package.json",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "MIT",
            "copyrightText": "NOASSERTION",
            "description": "A list of color names and its values",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color-name:color-name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color-name:color_name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color_name:color-name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color_name:color_name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:colorjs:color-name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:colorjs:color_name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color:color-name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:color:color_name:1.1.4:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:npm/color-name@1.1.4"
                }
            ]
        }

What you expected to happen:

downloadLocation is one of the fields that is verified by https://github.com/spdx/ntia-conformance-checker and due to these issues the checks are failing.

  • Either these URLs are fixed for correctness
  • Or NOASSERTION is populated if the program is not able to fetch the correct URL

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

  • Output of syft version: v0.89.0
  • OS (e.g: cat /etc/os-release or similar): Alpine Linux v3.16
@pushkargr pushkargr added the bug Something isn't working label Sep 14, 2023
@kzantow kzantow changed the title Incorrect downloadLocation formats populated Incorrect downloadLocation for certain NPM packages Sep 14, 2023
@kzantow kzantow moved this to In Review in OSS Sep 14, 2023
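A small checker for the failure described in this issue, added here as an example and not code from syft or ntia-conformance-checker. It assumes the accepted forms from SPDX 2.3 section 7.7 (NONE, NOASSERTION, a scheme URL, or a VCS locator such as git+https://) and applies two heuristics of my own for the malformed shapes quoted above (GitHub owner/repo shorthand and scp-style git@host:path.git); anything else falls back to NOASSERTION, as the report requests.

```python
import json
import re

# Accepted downloadLocation forms from SPDX 2.3 section 7.7: NONE/NOASSERTION,
# a plain URL with a scheme, or a VCS locator such as git+https://host/path.
# (Covers the common VCS prefixes; the full spec list is slightly longer.)
_SCHEME_RE = re.compile(r"^(https?|ftp)://\S+$")
_VCS_RE = re.compile(r"^(git|hg|svn|bzr)(\+(https?|ssh|git|file))?://\S+$")
# The two malformed shapes reported in this issue (heuristics, not spec text):
# GitHub shorthand "owner/repo" and scp-style "git@host:path.git".
_GH_SHORTHAND_RE = re.compile(r"^([\w.-]+)/([\w.-]+)$")
_SCP_RE = re.compile(r"^git@([\w.-]+):(.+?)(?:\.git)?$")

def is_valid_download_location(value):
    """True when value matches an SPDX 2.3 accepted downloadLocation form."""
    if value in ("NONE", "NOASSERTION"):
        return True
    return bool(_SCHEME_RE.match(value) or _VCS_RE.match(value))

def normalize_download_location(value):
    """Return a spec-compliant locator, or NOASSERTION when none can be derived."""
    if is_valid_download_location(value):
        return value
    m = _SCP_RE.match(value)
    if m:  # git@github.com:owner/repo.git -> git+ssh://git@github.com/owner/repo.git
        host, path = m.groups()
        return f"git+ssh://git@{host}/{path}.git"
    m = _GH_SHORTHAND_RE.match(value)
    if m:  # owner/repo -> git+https://github.com/owner/repo (assumes GitHub)
        return f"git+https://github.com/{m.group(1)}/{m.group(2)}"
    return "NOASSERTION"

def audit_spdx_packages(doc):
    """Map SPDXID -> (original, normalized) for every non-compliant package."""
    return {p["SPDXID"]: (p["downloadLocation"], normalize_download_location(p["downloadLocation"]))
            for p in doc.get("packages", []) if not is_valid_download_location(p["downloadLocation"])}

# Constructed sample: the three downloadLocation values quoted in this issue plus one valid one.
SAMPLE_DOC = json.loads("""{"packages": [
  {"SPDXID": "SPDXRef-Package-npm-is-stream-0db19bd1a9355512", "downloadLocation": "sindresorhus/is-stream"},
  {"SPDXID": "SPDXRef-Package-npm-color-name-f50dd38ce4dc2ed1", "downloadLocation": "git@github.com:colorjs/color-name.git"},
  {"SPDXID": "SPDXRef-Package-npm-is-number-76c5d4854e8a9697", "downloadLocation": "jonschlinkert/is-number"},
  {"SPDXID": "SPDXRef-Package-ok", "downloadLocation": "git+https://github.com/example/ok.git"}
]}""")

if __name__ == "__main__":
    for spdxid, (orig, fixed) in audit_spdx_packages(SAMPLE_DOC).items():
        print(f"{spdxid}: {orig!r} -> {fixed!r}")
```

Run it against a real syft SPDX JSON file by replacing SAMPLE_DOC with `json.load(open(path))`; the output lists only the packages the conformance checker would reject.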
@wagoodman
Contributor

This looks to have been addressed in the merged PR -- shout out if this isn't correct and we can reopen

@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Feb 9, 2024
@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Feb 9, 2024
@aniketdn

aniketdn commented Jul 3, 2024

I am facing the same issue for NPM packages. The downloadLocation is not a proper URL and hence is failing the ntia-checker.

Environment:

Output of syft version: 1.8.0
OS (e.g: cat /etc/os-release or similar): Oracle Linux Server v8.4

Sample package info generated by syft:

        {
            "name": "is-number",
            "SPDXID": "SPDXRef-Package-npm-is-number-76c5d4854e8a9697",
            "versionInfo": "7.0.0",
            "supplier": "Person: Jon Schlinkert",
            "originator": "Person: Jon Schlinkert",
            "downloadLocation": "jonschlinkert/is-number",
            "filesAnalyzed": false,
            "homepage": "https://github.com/jonschlinkert/is-number",
            "sourceInfo": "acquired package info from installed node module manifest file: /migrate-mongo/node_modules/is-number/package.json",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "MIT",
            "copyrightText": "NOASSERTION",
            "description": "Returns true if a number or string value is a finite number. Useful for regex matches, parsing, user input, etc.",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:jonschlinkert:is-number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:jonschlinkert:is_number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is-number:is-number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is-number:is_number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is_number:is-number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is_number:is_number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is:is-number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:is:is_number:7.0.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:npm/is-number@7.0.0"
                }
            ]
        }
