
CycloneDX OS component does not have a bom-ref #2101

Closed
kzantow opened this issue Sep 6, 2023 · 2 comments · Fixed by #2634
Assignees
Labels
bug Something isn't working

Comments

kzantow commented Sep 6, 2023

What happened:
Running syft ubuntu:latest -o cyclonedx-json includes a component representing the operating system, but it does not include a bom-ref:

    {
      "type": "operating-system",
      "name": "ubuntu",
      "version": "22.04",
      "description": "Ubuntu 22.04.3 LTS",
      "swid": {
        "tagId": "ubuntu", 
        "name": "ubuntu",
        "version": "22.04"
      },
      "externalReferences": [
        { 
          "url": "https://bugs.launchpad.net/ubuntu/",
          "type": "issue-tracker"
        },
        {
          "url": "https://www.ubuntu.com/",
          "type": "website"
        },
        {
          "url": "https://help.ubuntu.com/",
          "comment": "support",
          "type": "other"
        },
        {
          "url": "https://www.ubuntu.com/legal/terms-and-policies/privacy-policy",
          "comment": "privacyPolicy",
          "type": "other"
        }
      ],
      "properties": [
        {
          "name": "syft:distro:id",
          "value": "ubuntu"
        },
        {
          "name": "syft:distro:idLike:0",
          "value": "debian"
        },
        {
          "name": "syft:distro:prettyName",
          "value": "Ubuntu 22.04.3 LTS"
        },
        {
          "name": "syft:distro:versionCodename",
          "value": "jammy"
        },
        {
          "name": "syft:distro:versionID",
          "value": "22.04"
        }
      ]
    }

What you expected to happen:
A bom-ref is set for the component.

Steps to reproduce the issue:
syft ubuntu:latest -o cyclonedx-json

Anything else we need to know?:

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.89.0
    BuildDate: 2023-08-31T14:50:32Z
    GitCommit: Homebrew
    GitDescription: [not provided]
    Platform: darwin/amd64
    GoVersion: go1.21.0
    Compiler: gc
@kzantow kzantow added the bug Something isn't working label Sep 6, 2023
kzantow commented Sep 6, 2023

This is probably the culprit:

    // Note: no BOMRef is set on this component, so it is serialized without a bom-ref.
    return []cyclonedx.Component{
        {
            Type: cyclonedx.ComponentTypeOS,
            // FIXME is it idiomatic to be using SWID here for specific name and version information?
            SWID: &cyclonedx.SWID{
                TagID:   distro.ID,
                Name:    distro.ID,
                Version: distro.VersionID,
            },
            Description: distro.PrettyName,
            Name:        distro.ID,
            Version:     distro.VersionID,
            // TODO should we add a PURL?
            CPE:                formatCPE(distro.CPEName),
            ExternalReferences: eRefs,
            Properties:         properties,
        },
    }

@wagoodman wagoodman added this to OSS Feb 7, 2024
@wagoodman wagoodman moved this to Ready in OSS Feb 7, 2024
@wagoodman
Contributor

One question I have about this is what should the bom-ref value be? Options:

  • generic package URL: pkg:generic/ubuntu@22.04
  • simple string: ubuntu@22.04

The only requirements given in the CycloneDX spec: "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique."

The awkwardness with a PURL is that this component doesn't semantically represent a package, so a simple string is probably preferred here. Open to other suggestions.
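As an added example (not syft's or cyclonedx-go's code), the following Go program shows the "simple string" option from the comment above alongside the check a BOM consumer would run on syft's output: every component must carry a bom-ref, and no two components may share one, otherwise `dependencies` entries and vulnerability matches cannot be attached to the OS component. The `ubuntu@22.04` format is assumed here (it is one of the options listed, not necessarily what syft shipped), and the embedded BOM is constructed to mirror the report: an OS component without a bom-ref plus two package components that collide on the same value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// cdxComponent is a minimal subset of a CycloneDX component: only the fields
// needed to check bom-ref presence and uniqueness. Other JSON fields are ignored.
type cdxComponent struct {
	BOMRef  string `json:"bom-ref,omitempty"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
}

type cdxBOM struct {
	Components []cdxComponent `json:"components"`
}

// OSBOMRef builds the "simple string" bom-ref discussed in the thread, e.g.
// "ubuntu@22.04". Assumed format for illustration, not syft's actual choice.
func OSBOMRef(distroID, versionID string) string {
	if versionID == "" {
		return distroID
	}
	return distroID + "@" + versionID
}

// CheckBOMRefs parses a CycloneDX JSON BOM and reports components that have
// no bom-ref and bom-ref values that are used by more than one component.
func CheckBOMRefs(raw []byte) (missing []string, duplicates []string, err error) {
	var bom cdxBOM
	if perr := json.Unmarshal(raw, &bom); perr != nil {
		return nil, nil, fmt.Errorf("parse bom: %w", perr)
	}
	seen := map[string]int{}
	for i, c := range bom.Components {
		if c.BOMRef == "" {
			missing = append(missing, fmt.Sprintf("components[%d] %s %s@%s", i, c.Type, c.Name, c.Version))
			continue
		}
		seen[c.BOMRef]++
	}
	for ref, n := range seen {
		if n > 1 {
			duplicates = append(duplicates, ref)
		}
	}
	sort.Strings(duplicates) // deterministic order for callers and tests
	return missing, duplicates, nil
}

// sampleBOM is a constructed BOM (not real syft output): the OS component
// lacks a bom-ref, and two library components share a bom-ref by mistake.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "operating-system", "name": "ubuntu", "version": "22.04"},
    {"bom-ref": "pkg:deb/ubuntu/bash@5.1", "type": "library", "name": "bash", "version": "5.1"},
    {"bom-ref": "pkg:deb/ubuntu/bash@5.1", "type": "library", "name": "bash-duplicate", "version": "5.1"}
  ]
}`

func main() {
	missing, dups, err := CheckBOMRefs([]byte(sampleBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range missing {
		fmt.Println("missing bom-ref:", m)
	}
	for _, d := range dups {
		fmt.Println("duplicate bom-ref:", d)
	}
	fmt.Println("suggested OS bom-ref:", OSBOMRef("ubuntu", "22.04"))
}
```

Run it against a real `syft ... -o cyclonedx-json` file by replacing `sampleBOM` with the file contents; a non-empty `missing` list is exactly the condition this issue describes.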

@kzantow kzantow self-assigned this Feb 13, 2024
@kzantow kzantow moved this from Ready to In Progress in OSS Feb 13, 2024
@wagoodman wagoodman moved this from In Progress to In Review in OSS Feb 13, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Feb 14, 2024