Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) #2039

Closed
edonadei opened this issue Aug 17, 2023 · 1 comment · Fixed by #3257
Closed

Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) #2039

edonadei opened this issue Aug 17, 2023 · 1 comment · Fixed by #3257
Assignees
@wagoodman
Labels
bug Something isn't working
Milestone
Meet NTIA Minimum...

Comments

@edonadei
Copy link

What happened:
When trying to scan a folder that contains a jar, Syft is creating a package of that jar without versionInfo.
An example can be found here: https://github.com/google/tink/tree/master/java_src/examples/android/helloworld/gradle/wrapper

It will generate an entry like this:

{
   "name": "gradle-wrapper",
   "SPDXID": "SPDXRef-Package-java-archive-gradle-wrapper-df62e5252291c51c",
   "downloadLocation": "NOASSERTION",
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "079675260ae4ff9d6bc0179c7ca1d1422af2a57c"
    }
   ],
   "sourceInfo": "acquired package info from installed java archive: java_src/examples/android/helloworld/gradle/wrapper/gradle-wrapper.jar",
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },

What you expected to happen:
I'm not sure what's the expected good answer here. When opening that Jar, there is no manifest to be scanned upon for Syft to get any additional metadata.

I suppose it would be either:

  • Not adding the jar as package as it does not give any factual information on any package
  • Failing the scan and noticing the user that the package does not has any metadata to be scanned?

Steps to reproduce the issue:

git clone https://github.com/google/tink.git
cd tink
syft .

Anything else we need to know?:
I used this checker to verify if the SBOM is compliant https://github.com/spdx/ntia-conformance-checker.

Environment:

  • Output of syft version: v.0.87.1
  • OS (e.g: cat /etc/os-release or similar): Ubuntu
@edonadei edonadei added the bug Something isn't working label Aug 17, 2023
@edonadei edonadei changed the title Scanning a folder with a jar archive creates a SPDX package without versionInfo (Non-NTIA compliant) Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) Aug 17, 2023
@wagoodman wagoodman mentioned this issue Oct 12, 2023
Open
@tgerla tgerla moved this to Backlog in OSS Oct 12, 2023
@tgerla
Copy link
Contributor

tgerla commented Oct 12, 2023

Hi @edonadei, thanks for the report. We're discussing this problem and we've come up with a couple of possible behaviors in these kinds of cases:

  • error out and refuse to create an NTIA-non-compliant SPDX entirely
  • make a file record instead of a package record if we can't determine the package version
  • create a package record but populate the version field with a special string that indicates "we don't know", which the user would then need to resolve manually.
  • we could also implement an "NTIA mode" in Syft that would produce an SBOM with placeholder values for the unknown fields required by NTIA

I think we have enough information to move forward on this, so we'll put this in backlog, but we would be glad to hear your feedback on these ideas and discuss them.

@wagoodman wagoodman mentioned this issue Sep 19, 2024
Merged
@wagoodman wagoodman self-assigned this Sep 19, 2024
@wagoodman wagoodman moved this from Backlog to In Review in OSS Sep 19, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Sep 20, 2024
@BrewTestBot BrewTestBot mentioned this issue Sep 24, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@wagoodman wagoodman

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
Meet NTIA Minimum SBOM Requirements
Development

Successfully merging a pull request may close this issue.

Add compliance policy for empty name and version anchore/syft
3 participants
@tgerla @wagoodman @edonadei