[bug] CycloneDX ingestion failing #1148
Comments
Hey @javixeneize, thanks for opening the issue. This fails as we do not currently support the ingestion of VEX in CycloneDX format. The CDX parser needs to be updated/created for this to work. This is definitely on the roadmap to add this support! Would you be interested to work on updating the parser or creating a new one to ingest this? Currently, we have a CSAF parser for VEX.
Hi, I might want to help, but my skills in Go are quite limited :( There's no way this can be done in Python, right?
Ah, no worries!
@javixeneize can you please help with steps to reproduce this issue? Tried to save the contents in a cdx.json file but seeing this error -
I just downloaded the file and ran ./bin/guacone collect files vex.json, the standard ingestion step.
In the meantime, @pxp928, I have written in Python a small tool that reads the CycloneDX format and ingests it in Neo4j with all the relations etc... If this is something you think would fit in GUAC, happy to contribute here. I don't want to overload the market with yet another different tool that does pretty much the same as yours 😆
Hey @javixeneize, for now we are taking in collector projects (since they run as a binary), but if your tool can produce an output which is the GUAC gql statements, we could definitely mention it in the "friends of GUAC" in our repo! Otherwise, it would be super awesome to also get CDX VEX supported here; we are definitely looking towards adding that + OpenVEX as well.
Hi. I don't know what the expected format is, but I can adapt it. Where can I find information about it?
@pxp928 @javixeneize If no one else is working on this, I would like to take this up?
I'm not part of GUAC, but based on what I have read I assume they are looking for support, so it should be fine :)
Thanks @javixeneize, not sure why it isn't working for me currently, will investigate. Was planning to pick this up, hence needed clarifications around the steps to reproduce it - @nathannaveen if that's okay with you? Update - able to replicate the issue after I downloaded the file directly rather than copying the contents of it.
@stevemenezes Of course
Hi, I just released the tool to visualise CycloneDX with Neo4j - https://github.com/javixeneize/neo4cyclone, just in case this fits in "friends of GUAC", or even if it contains anything that you think would fit in GUAC. Thanks
This PR adds a parser for CycloneDX VEX BOMs #1181; however, it could be that a CDX file is both an SBOM and a VEX file. Hence, we are planning to start with the CDX SBOM parser and call CDX VEX if needed from the CDX SBOM parser. This would be addressed in a follow-up PR; we can keep this issue open in the meantime.
Thanks @javixeneize! This is great work! Let us know if you are interested in adapting your tool to generate GUAC gql statements (ingest packages, dependencies, and vulnerability) and we can help as needed :)
It would be good, yes. Where could I find docs about that? Maybe if not generating the ingestion, at least the visualisation and rendering from the data ingested.
So we have a lot of information about the GUAC ontology, their definitions, and the actual GraphQL API definitions which are used to communicate with GUAC. These would be a good place to start.
Hi,
I am trying to ingest this SBOM, https://raw.githubusercontent.com/CycloneDX/bom-examples/master/VEX/vex.json, which is an example from CycloneDX.
It identifies the format correctly, but during the ingestion it throws a SIGSEGV error:
```text
{"level":"info","ts":1692024531.816571,"caller":"cmd/files.go:198","msg":"collector ended gracefully"}
file:///sbom2.json
{"level":"info","ts":1692024531.817419,"caller":"parser/parser.go:129","msg":"parsing document tree with root type: CycloneDX"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x20 pc=0x105d05940]
goroutine 15 [running]:
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).getTopLevelPackage(0x14000276b40?, 0x0?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:77 +0x20
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).Parse(0x1400077a960, {0x1400029fd40?, 0x105db965d?}, 0x9?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:61 +0xc8
github.com/guacsec/guac/pkg/ingestor/parser.parseHelper({0x106575688, 0x1400003b740}, 0x14000276b40)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:189 +0x80
github.com/guacsec/guac/pkg/ingestor/parser.(*docTreeBuilder).parse(0x1400076ba10, {0x106575688, 0x1400003b740}, 0x140000dad40, 0x1400076b9d0?)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:160 +0x48
github.com/guacsec/guac/pkg/ingestor/parser.ParseDocumentTree({0x106575688, 0x1400003b740}, 0x140000dad40)
	/Users/javi/Downloads/guac/pkg/ingestor/parser/parser.go:130 +0x104
github.com/guacsec/guac/cmd/guacone/cmd.getIngestor.func1(0x106567980?)
	/Users/javi/Downloads/guac/cmd/guacone/cmd/files.go:255 +0x2c
github.com/guacsec/guac/cmd/guacone/cmd.glob..func5.1.1()
	/Users/javi/Downloads/guac/cmd/guacone/cmd/files.go:169 +0x25c
golang.org/x/sync/errgroup.(*Group).Go.func1()
	/Users/javi/go/pkg/mod/golang.org/x/sync@v0.3.0/errgroup/errgroup.go:75 +0x5c
created by golang.org/x/sync/errgroup.(*Group).Go
	/Users/javi/go/pkg/mod/golang.org/x/sync@v0.3.0/errgroup/errgroup.go:72 +0xa4
```
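The nil dereference above sits in getTopLevelPackage, and the comment thread notes that a CDX file may be an SBOM, a VEX, or both. The following is an added example (not GUAC's parser code) of a defensive classification step that reads metadata.component only when it is present; it assumes, as the likely cause, that the CycloneDX VEX example carries vulnerabilities but no metadata.component, and its struct types and the embedded sample document are constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Minimal CycloneDX subset declared for this example (not GUAC's types); pointers make absence detectable.
type cdxComponent struct {
	Name string `json:"name"`
	PURL string `json:"purl"`
}
type cdxMetadata struct {
	Component *cdxComponent `json:"component"`
}
type cdxBOM struct {
	Metadata        *cdxMetadata      `json:"metadata"`
	Vulnerabilities []json.RawMessage `json:"vulnerabilities"`
}
// A single CycloneDX file may carry an SBOM, a VEX, or both.
type cdxKind int
const (
	cdxSBOM cdxKind = iota
	cdxVEX
	cdxSBOMAndVEX
)
// classifyCDX returns the kind and the top-level component, read from metadata.component only if present.
func classifyCDX(raw []byte) (cdxKind, *cdxComponent, error) {
	var bom cdxBOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return 0, nil, err
	}
	var top *cdxComponent
	if bom.Metadata != nil && bom.Metadata.Component != nil {
		top = bom.Metadata.Component
	}
	hasVEX := len(bom.Vulnerabilities) > 0
	switch {
	case top == nil && !hasVEX:
		return 0, nil, fmt.Errorf("neither metadata.component nor vulnerabilities present")
	case top == nil:
		return cdxVEX, nil, nil // VEX-only: no subject package to register, so skip that step
	case hasVEX:
		return cdxSBOMAndVEX, top, nil
	}
	return cdxSBOM, top, nil
}
// Constructed sample shaped like bom-examples vex.json: vulnerabilities present, no metadata.component.
const vexOnly = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"vulnerabilities":[{"id":"PLACEHOLDER-VULN-ID"}]}`
func main() {
	kind, top, err := classifyCDX([]byte(vexOnly))
	fmt.Println(kind, top, err) // 1 <nil> <nil>
}
```

Running the same classification before getTopLevelPackage would turn the SIGSEGV into an explicit VEX-only path, with the SBOM+VEX case dispatching to both parsers as the follow-up PR describes.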