
Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) #2038

Closed · edonadei opened this issue Aug 17, 2023 · 1 comment · Fixed by #3257
Labels: bug (Something isn't working), ecosystem:go (relating to the golang ecosystem)

Comments


edonadei commented Aug 17, 2023

What happened:
In the case of scanning a Go project with a go.mod file with a replace statement, e.g. here. It is supposed to recursively resolve to this file.

But it generates an SBOM package without versionInfo. (Non-NTIA Compliant)

{
   "name": "../",
   "SPDXID": "SPDXRef-Package-go-module-..--dd9d9dcfff65b1c8",
   "downloadLocation": "NOASSERTION",
   "sourceInfo": "acquired package info from go module information: gopls/go.mod",
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:golang/..",
     "comment": ""
    }
   ]
  },

What you expected to happen:

The package referred to here is already added

{
   "name": "golang.org/x/tools",
   "SPDXID": "SPDXRef-Package-go-module-golang.org-x-tools-1f460cef42bec5c6",
   "versionInfo": "v0.6.0",
   "downloadLocation": "NOASSERTION",
   "sourceInfo": "acquired package info from go module information: gopls/go.mod",
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:golang:x\\/tools:v0.6.0:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:golang/golang.org/x/tools@v0.6.0",
     "comment": ""
    }
   ]
  },

So I would expect that package "../" to not exist at all.

Steps to reproduce the issue:

git clone https://github.com/golang/tools.git
cd tools
syft .

Anything else we need to know?:
I used this checker to verify if the SBOM is compliant https://github.com/spdx/ntia-conformance-checker

Environment:

  • Output of syft version: v.0.77.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu

tgerla commented Oct 12, 2023

Hey @edonadei, thanks for the report. I think we understand the problem well enough so we'll put it in our backlog for consideration. There is a caveat that if we are unable to determine the version at all, we will probably still have to create non-NTIA-compliant output because we just don't have any version to reference.

Implementation notes: we might need to implement a "replace" handler to figure out how to do the right thing in these cases.
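The "replace handler" sketched in this comment, for the case the issue reports (a `replace` whose target is a local directory), as an added example that is not syft's code. The go.mod below is constructed and only modelled on gopls/go.mod; the parser is a deliberately small one and ignores a version on the left-hand side of a replace.

```python
# Constructed go.mod modelled on gopls/go.mod from the issue: the module
# requires golang.org/x/tools at v0.6.0 but replaces it with a directory.
SAMPLE_GO_MOD = """\
module golang.org/x/tools/gopls
require (
    golang.org/x/tools v0.6.0
    golang.org/x/mod v0.8.0 // indirect
)
replace golang.org/x/tools => ../
"""


def parse_go_mod(src):
    """Return (requires, replaces): [(path, version)] and {old: (new, version)}.
    Handles single-line and block forms; a version on the left-hand side of a
    replace is ignored for brevity."""
    requires, replaces, block = [], {}, None
    for line in src.splitlines():
        fields = line.split("//", 1)[0].split()  # drop trailing comments
        if not fields:
            continue
        if fields == [")"]:
            block = None
        elif len(fields) == 2 and fields[1] == "(":
            block = fields[0]
        else:
            directive, args = (block, fields) if block else (fields[0], fields[1:])
            if directive == "require" and len(args) >= 2:
                requires.append((args[0], args[1]))
            elif directive == "replace" and "=>" in args:
                new = args[args.index("=>") + 1:]
                replaces[args[0]] = (new[0], new[1] if len(new) > 1 else "")
    return requires, replaces


def is_local_path(p):
    # Targets starting with ./ or ../ (or absolute) are directories, not
    # module paths, and therefore never carry a version.
    return p.startswith(("./", "../", "/")) or p in (".", "..")


def resolve(requires, replaces):
    """Directory replacements keep the required path and version, so no
    version-less '../' package is emitted; module-path replacements win."""
    resolved = []
    for path, version in requires:
        new_path, new_version = replaces.get(path, (path, version))
        resolved.append((path, version) if is_local_path(new_path) else (new_path, new_version))
    return resolved


def missing_versions(modules):
    """Paths that would become SPDX packages without versionInfo (the NTIA gap)."""
    return [path for path, version in modules if not version]
```

Emitting the raw replacement target instead of the resolved list reproduces the report: `missing_versions([("../", "")])` flags `../`, while `missing_versions(resolve(*parse_go_mod(SAMPLE_GO_MOD)))` is empty.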

@tgerla tgerla moved this to Backlog in OSS Oct 12, 2023
@kzantow kzantow added the ecosystem:go relating to the golang ecosystem label Mar 18, 2024
@wagoodman wagoodman moved this from Backlog to In Progress in OSS Sep 19, 2024
@wagoodman wagoodman moved this from In Progress to In Review in OSS Sep 19, 2024
@wagoodman wagoodman self-assigned this Sep 19, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Sep 20, 2024