
xeol fails if sbom.xml is missing some xml tags #344

Open
damian-wnukowski-worldline opened this issue May 10, 2024 · 0 comments
Labels
bug Something isn't working


What happened:
I have an sbom.xml generated by the checkov library and it's missing the <components> xml tag.
This command fails with such an sbom.xml:

xeol --fail-on-eol-found --lookahead 1m sbom.xml -vv
[0000]  INFO xeol version: 0.9.15
[0000] DEBUG config:
  log:
      quiet: false
      level: debug
      file: ""
  dev:
      profile: none
  output: []
  file: ""
  distro: ""
  check-for-app-update: true
  platform: ""
  search:
      scope: Squashed
      unindexed-archives: false
      indexed-archives: true
  db:
      cache-dir: /home/dwnukowski/.cache/xeol/db
      update-url: https://data.xeol.io/xeol/databases/listing.json
      ca-cert: ""
      auto-update: true
      validate-by-hash-on-start: false
      validate-age: true
      max-allowed-built-age: 120h0m0s
  lookahead: 1m
  fail-on-eol-found: true
  api-key: ""
  project-name: ""
  image-path: Dockerfile
  commit-hash: ""
  match:
      packages:
          using-purls: true
      distro:
          using-cpes: true
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  name: ""
  default-image-pull-source: ""
[0000] DEBUG no new xeol update available
[0000] DEBUG gathering packages
[0000] DEBUG Fetching organization policies
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on eol database
[0000] DEBUG checking for available database updates
[0000] DEBUG found database update candidate: Listing(url=https://data.xeol.io/xeol/databases/xeol-db_v1_2024-05-10T03:51:15.748131Z.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
1 error occurred:
        * failed to catalog: unable to decode sbom: unable to identify format

even though the sbom schema says it's optional, so the sbom should be valid and parsed properly:
https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.4.xsd#L369

What you expected to happen:
xeol not ending with a decoding error when a valid sbom.xml is provided

How to reproduce it (as minimally and precisely as possible):
Use the command specified above on this sbom file:

<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5c6fb934-a145-4b58-b779-567374571b13"
     version="1">
    <metadata>
        <timestamp>2024-05-10T10:03:40.878180+00:00</timestamp>
        <tools>
            <tool>
                <vendor>CycloneDX</vendor>
                <name>cyclonedx-python-lib</name>
                <version>6.4.1</version>
                <externalReferences>
                    <reference type="build-system">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
                    </reference>
                    <reference type="distribution">
                        <url>https://pypi.org/project/cyclonedx-python-lib/</url>
                    </reference>
                    <reference type="documentation">
                        <url>https://cyclonedx-python-library.readthedocs.io/</url>
                    </reference>
                    <reference type="issue-tracker">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
                    </reference>
                    <reference type="license">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
                    </reference>
                    <reference type="release-notes">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
                    </reference>
                    <reference type="vcs">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
                    </reference>
                    <reference type="website">
                        <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
                    </reference>
                </externalReferences>
            </tool>
            <tool>
                <vendor>bridgecrew</vendor>
                <name>checkov</name>
                <version>UNKNOWN</version>
                <externalReferences>
                    <reference type="build-system">
                        <url>https://github.com/bridgecrewio/checkov/actions</url>
                    </reference>
                    <reference type="distribution">
                        <url>https://pypi.org/project/checkov/</url>
                    </reference>
                    <reference type="documentation">
                        <url>https://www.checkov.io/1.Welcome/What%20is%20Checkov.html</url>
                    </reference>
                    <reference type="issue-tracker">
                        <url>https://github.com/bridgecrewio/checkov/issues</url>
                    </reference>
                    <reference type="license">
                        <url>https://github.com/bridgecrewio/checkov/blob/master/LICENSE</url>
                    </reference>
                    <reference type="social">
                        <url>https://twitter.com/bridgecrewio</url>
                    </reference>
                    <reference type="vcs">
                        <url>https://github.com/bridgecrewio/checkov</url>
                    </reference>
                    <reference type="website">
                        <url>https://www.checkov.io/</url>
                    </reference>
                </externalReferences>
            </tool>
        </tools>
    </metadata>
</bom>

Anything else we need to know?:
That's all I think.
Environment:

  • Output of xeol version: 0.9.15
  • OS (e.g: cat /etc/os-release or similar): Fedora running on WSL:
cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container
@damian-wnukowski-worldline damian-wnukowski-worldline added the bug Something isn't working label May 10, 2024
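The behaviour the report asks for, as an added example (not xeol's own code): identify a CycloneDX XML document by its root element and namespace, and treat a missing <components> element as an empty component list. The struct and the constructed metadata-only sample (trimmed from the SBOM above) are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal CycloneDX XML model; <components> is optional in the 1.4 schema.
type Component struct {
	Name    string `xml:"name"`
	Version string `xml:"version"`
	PURL    string `xml:"purl"`
}

type BOM struct {
	XMLName      xml.Name    `xml:"bom"`
	SerialNumber string      `xml:"serialNumber,attr"`
	Version      int         `xml:"version,attr"`
	Components   []Component `xml:"components>component"` // nil when the element is absent
}

const cycloneDXNamespacePrefix = "http://cyclonedx.org/schema/bom/"

// DecodeCycloneDXXML detects the format from the <bom> root and its namespace,
// not from the presence of <components>, so a metadata-only BOM decodes to a
// BOM with zero components instead of an "unable to identify format" error.
func DecodeCycloneDXXML(data []byte) (*BOM, error) {
	var bom BOM
	if err := xml.Unmarshal(data, &bom); err != nil {
		return nil, fmt.Errorf("not well-formed XML: %w", err)
	}
	if bom.XMLName.Local != "bom" || !strings.HasPrefix(bom.XMLName.Space, cycloneDXNamespacePrefix) {
		return nil, fmt.Errorf("unable to identify format: root <%s> in namespace %q", bom.XMLName.Local, bom.XMLName.Space)
	}
	return &bom, nil
}

// Constructed sample: the issue's SBOM reduced to metadata only, no <components>.
const metadataOnlyBOM = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5c6fb934-a145-4b58-b779-567374571b13" version="1">
  <metadata><timestamp>2024-05-10T10:03:40.878180+00:00</timestamp></metadata>
</bom>`

func main() {
	bom, err := DecodeCycloneDXXML([]byte(metadataOnlyBOM))
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("serial=%s version=%d components=%d\n", bom.SerialNumber, bom.Version, len(bom.Components))
}
```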