Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies #3158

Open
joaquinricci opened this issue Aug 22, 2024 · 2 comments · May be fixed by #3572
Open

Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies #3158

joaquinricci opened this issue Aug 22, 2024 · 2 comments · May be fixed by #3572
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@joaquinricci
Copy link

joaquinricci commented Aug 22, 2024
edited
Loading

What happened:

Trivy tool had the same issue which was raised here.

We are using syft to generate SBOMs for our Dart/Flutter project.
Syft incorrectly generates a dependency for flutter@0.0.0, ignoring the sdk setting.

Corresponding part of the pubspec.lock:


flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"

As you can see it specifies source as sdk.

Further down in the pubspec.lock file there is more information on the sdk version:

sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"

What you expected to happen:

The generated SBOM should not contain the incorrect (but unfortunately valid) version 0.0.0.

Steps to reproduce the issue:

Our project code is private, but the problem exists in any Flutter project.

You can reproduce the problem easily by running syft scan dir:./ -o spdx-json=sbom.spdx.json on this project:

https://github.com/KhoaSuperman/findseat/

Anything else we need to know?:

One more thing, dart ain't been added to the SBOM either. So it is not only flutter that fails due to the actuall version been in the sdks zone but also dart is not being captured.

Environment:

  • Output of syft version: 1.11.1
  • OS (e.g: cat /etc/os-release or similar): Sonoma 14.1
@joaquinricci joaquinricci added the bug Something isn't working label Aug 22, 2024
@kzantow
Copy link
Contributor

kzantow commented Aug 22, 2024

Thanks for the report @joaquinricci, do all of these have source: sdk?

@kzantow kzantow moved this to Ready in OSS Aug 22, 2024
@kzantow kzantow added the good-first-issue Good for newcomers label Aug 22, 2024
@joaquinricci
Copy link
Author

joaquinricci commented Aug 23, 2024
edited
Loading

Hey @kzantow , thanks for the ⚡ reply.

Thanks for the report @joaquinricci, do all of these have source: sdk?

I believe the answer is yes, I couldn't find the pubspec.lock documentation, but according to this dart documentation about sdks, aside from dart itself, flutter is currently the only other sdk.

Now, if you check this example, you can see that both flutter_web_plugins and flutter_test have the source parameter since those packages depend on the flutter SDK

  flutter_test:
    dependency: "direct dev"
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_time_picker_spinner:
    dependency: "direct main"
    description:
      name: flutter_time_picker_spinner
      url: "https://pub.dartlang.org"
    source: hosted
    version: "2.0.0"
  flutter_web_plugins:
    dependency: transitive
    description: flutter
    source: sdk
    version: "0.0.0"

EDIT

And yes, all of those examples are captured as version 0.0.0 in the syft output.

@sgreg sgreg linked a pull request Jan 9, 2025 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working good-first-issue Good for newcomers
Projects
OSS
Status: Ready
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: fetch Dart package versions from sdk entries sgreg/syft
2 participants
@kzantow @joaquinricci