Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Swift Package Manager Package.resolved schema version 3 #2759

Open
maxgip opened this issue Apr 8, 2024 · 2 comments
Open

Support Swift Package Manager Package.resolved schema version 3 #2759

maxgip opened this issue Apr 8, 2024 · 2 comments
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@maxgip
Copy link

maxgip commented Apr 8, 2024
edited

What happened:

When running syft against a project using Swift Package Manager and a version 3 Package.resolved file, an error occured (error=unknown swift package manager version, 3.000000 location=/Package.resolved) and the sbom output was incomplete:

swift-embedded-examples(main*)$ syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json
 ✔ Indexed file system                                                                                                                                  stm32-neopixel
 ✔ Cataloged contents                                                                                 6ba85f929a0d558c5687b1245352e16c6ee8aa429acbdff263954992966a54e8
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [0 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN cataloger failed cataloger=swift-package-manager-cataloger error=unknown swift package manager version, 3.000000 location=/Package.resolved
swift-embedded-examples(main*)$ cat sbom.json | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:75f909ea-e5a5-49d9-9e9e-73bb23a611a7",
{
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-08T10:23:55-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.1.1"
        }
      ]
    },
    "component": {
      "bom-ref": "06497d32a1d71b4c",
      "type": "file",
      "name": "./stm32-neopixel"
    }
  }
}

What you expected to happen:

No error, and syft to output similar to how it does for version 2 schemas:

swift-embedded-examples(main*)$ sed -i '' 's/"version" : 3/"version" : 2/g' ./stm32-neopixel/Package.resolved
swift-embedded-examples(main*)$ cat sbom.json | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:9425d61f-4b4c-47c5-a89c-10931bd6a394",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-08T12:39:05-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.1.1"
        }
      ]
    },
    "component": {
      "bom-ref": "06497d32a1d71b4c",
      "type": "file",
      "name": "./stm32-neopixel"
    }
  },
  "components": [
    {
      "bom-ref": "bb99f90ca71781af",
      "type": "library",
      "name": "swift-mmio",
      "cpe": "cpe:2.3:a:swift-mmio:swift-mmio:*:*:*:*:*:*:*:*",
      "purl": "pkg:swift/github.com/apple/swift-mmio/swift-mmio",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "swift-package-manager-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "swift"
        },
        {
          "name": "syft:package:type",
          "value": "swift"
        },
        {
          "name": "syft:package:metadataType",
          "value": "swift-package-manager-lock-entry"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift-mmio:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_mmio:swift-mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_mmio:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift-mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/Package.resolved"
        }
      ]
    },
    {
      "bom-ref": "pkg:swift/github.com/apple/swift-syntax.git/swift-syntax@509.1.1?package-id=5acf2719119adbdb",
      "type": "library",
      "name": "swift-syntax",
      "version": "509.1.1",
      "cpe": "cpe:2.3:a:swift-syntax:swift-syntax:509.1.1:*:*:*:*:*:*:*",
      "purl": "pkg:swift/github.com/apple/swift-syntax.git/swift-syntax@509.1.1",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "swift-package-manager-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "swift"
        },
        {
          "name": "syft:package:type",
          "value": "swift"
        },
        {
          "name": "syft:package:metadataType",
          "value": "swift-package-manager-lock-entry"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift-syntax:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_syntax:swift-syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_syntax:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift-syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/Package.resolved"
        }
      ]
    }
  ]
}

Steps to reproduce the issue:

From a repo using SPM and Package.resolved version 3 (I used stm32-neopixel folder in https://github.com/apple/swift-embedded-examples), run syft:

git clone https://github.com/apple/swift-embedded-examples.git
cd swift-embedded-examples
syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json

Anything else we need to know?:

The V3 schema looks like a superset of V2, just has an additional (optional) originHash key:

https://github.com/apple/swift-package-manager/blob/f4ab9a43f3cfbb8f184043435f925b67b0070f36/Sources/PackageGraph/PinsStore.swift#L386-L484

Environment:

  • Output of syft version:

    $ syft version
Application: syft
Version:    1.1.1
BuildDate:  2024-04-04T14:52:45Z
GitCommit:  1e31356c49bf2c30fd80c833482e1fbe4133ff83
GitDescription: v1.1.1
Platform:   darwin/arm64
GoVersion:  go1.21.8
Compiler:   gc

  • OS (e.g: cat /etc/os-release or similar):

    $ sw_vers
ProductName:		macOS
ProductVersion:		14.4.1
BuildVersion:		23E224
@maxgip maxgip added the bug Something isn't working label Apr 8, 2024
@tgerla tgerla added enhancement New feature or request and removed bug Something isn't working labels Apr 25, 2024
@kzantow
Copy link
Contributor

kzantow commented Apr 25, 2024

Here's an example file from that repository: https://github.com/apple/swift-embedded-examples/blob/main/stm32-neopixel/Package.resolved

@tgerla
Copy link
Contributor

tgerla commented Apr 25, 2024

Hi @maxgip, thanks for the report! We'll put this in the backlog for the future. If you're interested in working on it, please let us know and we can help get you started.

@tgerla tgerla added the good-first-issue Good for newcomers label Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good-first-issue Good for newcomers
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tgerla @kzantow @maxgip