New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: sbom scan can't detect two versions of the same package #4058
Comments
Sounds like a bug to me; it should display both. |
I'll look into this one. |
We would like to add some points that were not fully explained. |
@kzaitsu @terriko I investigated on it and turns out this is a bug in lib4sbom library we use for our sbom operation, I investigate there too the exact thing that is causing this behaviour is this:
I'll file a issue there regarding this , btw i also checked same scernario with the cyclonedx format but its not a problem with that. but i think i am going to ping @anthonyharrison since he is the author of lib4sbom regarding this and ask can i work on it. |
@mastersans @terriko it is a bug but appears to be limited to SPDX SBOMs in JSON format only. |
Yes, but it may have been present in the yaml too since json and yaml both uses same _parse_spdx_data() function but should be fixed now too. |
We should probably wait to close this until @anthonyharrison gets a new release out and we bump our minimum version of lib4sbom up, just so we don't forget to do that. But thank you, I'm glad there's a fix! |
@terriko @mastersans @anthonyharrison |
I see the same problem when using CycloneDX output format as well, so it's either not limited to SPDX only as investigated previously, or that may be a format parser bug, I guess. Particularly, I'm scanning a Linux ELF file, which is compiled with one GCC version, but has other linked pieces, compiled by an older one. Specifically, here's what $ strings src/obj-intel64/CECTraceTool.so |grep GNU
GCC: (GNU) 11.2.0
GCC: (GNU) 13.2.1 20240316 (Red Hat 13.2.1-7) ...and 11.2.0 is the only one shown by This issue's name formally covers this case too (two versions, only one detected), but let me know if you want me to submit a separate one for this. |
First, I scanned a particular json file using the command below. This json file contains two versions of openssl (1.0.2u, 1.1.1f).
"cve-bin-tool --sbom spdx --sbom-file <directory/file.json> -f csv -o cve-bin-tool_sbomscan-squashfs-root-0_2"
The resulting csv file did not include openssl version 1.1.1f, only 1.0.2u.
Next, delete version 1.0.2u of openssl in the json file you used earlier and run the same command again, and this time version 1.1.1f, which was not displayed earlier, is now displayed in the csv file. (1.0.2u was not displayed)
I don't know why the above phenomenon occurs, so could you please explain to me?
The text was updated successfully, but these errors were encountered: