
False Validation of Syft/Grype SBOM #339

Open
pkiesslingsonatype opened this issue Sep 12, 2023 · 5 comments

Comments

@pkiesslingsonatype

I created an SBOM using Syft/Grype, and it should have produced a valid CycloneDX 1.4 SBOM. The SBOM did not adhere to the CycloneDX 1.4 schema; however, the CycloneDX CLI validated it successfully regardless.

To reproduce:

https://github.com/anchore/syft
https://github.com/anchore/grype

syft nodered/node-red -o cyclonedx-xml --file bom.xml
grype sbom:bom.xml -o cyclonedx --file grype-bom.xml
cyclonedx validate --input-file grype-bom.xml

Result: Validated successfully
Expected result: Not valid

@andreas-hilti
Contributor

@pkiesslingsonatype Can you please specify how it violates the schema?
Maybe I missed the obvious... but it is a bit hard with a 19k-line document. (By now it produces a version 1.5 schema, but I'm not sure whether this matters.)
As a side note, all the CLI does at the moment is validate the XML schema.

@spiffcs

spiffcs commented Oct 30, 2023

Related local issue here: #344
Related syft issue where we did the investigation: anchore/syft#2268

For the images supplied we found that the schema should be updated with the latest SPDX license list.

@pkiesslingsonatype
Author

@andreas-hilti It seems the URLs within the SBOM do not comply with the schema:

xmllint --noout --schema ~/Downloads/bom-1.4.xsd grype-bom.xml
grype-bom.xml:3612: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:colorjs/color-name.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:5946: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:follow-redirects/follow-redirects.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:8857: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:jprichardson/node-jsonfile.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:14669: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:lupomontero/psl.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml fails to validate

I have attached the SBOM that is causing the issue.
Hopefully that helps.
grype-bom.xml.zip
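The failures in the xmllint run above come from scp-style git remotes (user@host:path), which RFC 3986 does not accept as a relative reference because the first path segment contains a colon. As an added example, not code from this issue, syft or grype, here is a small Python checker that pulls every <url> from a CycloneDX 1.4 document, flags the values that would fail xs:anyURI, and shows the ssh:// form such a remote could be rewritten to; the minimal BOM is constructed for the example and the rewrite is an assumed fix, not the one grype ships.

```python
import re
import xml.etree.ElementTree as ET

# Namespace the xmllint run in this issue validated against.
CDX_NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}
# scp-style git remote (user@host:path): no scheme, colon in the first segment.
SCP_RE = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):(?P<path>[^\s/].*)$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
ILLEGAL_CHARS = re.compile(r"[\s<>\"{}|\\^`]")

def is_uri_reference(value: str) -> bool:
    """Approximate xs:anyURI as libxml2 checks it: an RFC 3986 URI or relative
    reference, whose first path segment may not contain a colon."""
    if ILLEGAL_CHARS.search(value):
        return False
    if SCHEME_RE.match(value):
        return True  # absolute URI with a scheme
    return ":" not in value.split("/", 1)[0]

def scp_to_ssh_url(value: str) -> str:
    """Rewrite user@host:path into the equivalent ssh:// URL (an assumed fix,
    not grype's own code); anything else is returned unchanged."""
    m = SCP_RE.match(value)
    return f"ssh://{m['user']}@{m['host']}/{m['path']}" if m else value

def find_invalid_urls(bom_xml: str) -> list[str]:
    """Return every <url> value in the BOM that would fail xs:anyURI."""
    root = ET.fromstring(bom_xml)
    return [el.text for el in root.iterfind(".//bom:url", CDX_NS)
            if el.text and not is_uri_reference(el.text)]

# Constructed minimal BOM with one scp-style and one well-formed reference.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>color-name</name>
      <version>1.1.4</version>
      <externalReferences>
        <reference type="vcs"><url>git@github.com:colorjs/color-name.git</url></reference>
        <reference type="website"><url>https://github.com/colorjs/color-name</url></reference>
      </externalReferences>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    for bad in find_invalid_urls(SAMPLE_BOM):
        print(f"{bad!r} -> {scp_to_ssh_url(bad)}")
```

Running it against the zipped grype-bom.xml instead of SAMPLE_BOM should report the same four lines xmllint rejected.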

@spiffcs

spiffcs commented Oct 31, 2023

Oh! Thanks for the extra info @pkiesslingsonatype - I can probably get a fix into grype that updates those URLs to be correct.

@andreas-hilti
Contributor

@pkiesslingsonatype When I produced the SBOM myself, it contained none of these "git@github.com" URLs.
