Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SBOM files for some artifacts are almost empty #488

Open
jpkrohling opened this issue Feb 28, 2024 · 8 comments
Open

SBOM files for some artifacts are almost empty #488

jpkrohling opened this issue Feb 28, 2024 · 8 comments
Assignees
@cpanato

Comments

@jpkrohling
Copy link
Member

We have SBOMs since v0.95.0, but some artifacts seem to be missing the actual contents of the package, like the one for otelcol-contrib_0.95.0_darwin_amd64.tar.gz.sbom:

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "otelcol-contrib_0.95.0_darwin_amd64.tar.gz",
  "documentNamespace": "https://anchore.com/syft/file/otelcol-contrib_0.95.0_darwin_amd64.tar.gz-2e3641ac-13d0-4b31-a9f2-025169cf944c",
  "creationInfo":
    {
      "licenseListVersion": "3.22",
      "creators": ["Organization: Anchore, Inc", "Tool: syft-0.103.1"],
      "created": "2024-02-21T16:25:34Z",
    },
  "packages":
    [
      {
        "name": "otelcol-contrib_0.95.0_darwin_amd64.tar.gz",
        "SPDXID": "SPDXRef-DocumentRoot-File-otelcol-contrib-0.95.0-darwin-amd64.tar.gz",
        "versionInfo": "sha256:d380af1301fd318be75af009543cb7abeb1aca8ce12dd25f60529085a7c6417f",
        "supplier": "NOASSERTION",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": false,
        "checksums":
          [
            {
              "algorithm": "SHA256",
              "checksumValue": "d380af1301fd318be75af009543cb7abeb1aca8ce12dd25f60529085a7c6417f",
            },
          ],
        "primaryPackagePurpose": "FILE",
      },
    ],
  "relationships":
    [
      {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-DocumentRoot-File-otelcol-contrib-0.95.0-darwin-amd64.tar.gz",
        "relationshipType": "DESCRIBES",
      },
    ],
}

Some other entries, like otelcol_0.95.0_windows_amd64.tar.gz.sbom , seem to have an appropriate content, containing things like:

        {
            "name": "golang.org/x/oauth2",
            "SPDXID": "SPDXRef-Package-go-module-golang.org-x-oauth2-80fd63a362642b94",
            "versionInfo": "v0.16.0",
            "supplier": "NOASSERTION",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": false,
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "683906301498c4495aa0ff35369a14a33da8a36476c07759a464e85317f242b4"
                }
            ],
            "sourceInfo": "acquired package info from go module information: otelcol.exe",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "copyrightText": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:golang:x\\/oauth2:v0.16.0:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:golang/golang.org/x/oauth2@v0.16.0"
                }
            ]
        },

We need to investigate what's the difference, and how we can get the packages to be like the SBOMs for Windows.
@jpkrohling
Copy link
Member Author

@cpanato, do you have an idea on what's going on?

@cartersocha, this is the issue we talked about during the SIG Security call.

@cpanato
Copy link
Contributor

cpanato commented Feb 29, 2024

hum looks like it is doing working well with the .tar.gz, i think that is better only with the binary, i can change that

@cpanato
Copy link
Contributor

cpanato commented Apr 12, 2024

seems we need to pass some config options

run locally (with the correct version now)

 syft scan otelcol-contrib_0.98.0_darwin_amd64.tar.gz -o spdx-json                                                                                                                                                                                                                                                                                                                                                                                                                                         ✔ Indexed file system                                                                                                                                                                                                                                                                                                                                                                                          /private/var/folders/kl/q9mydw095ln5s7wj971qcrx40000gn/T/syft-archive-contents-177865781   ✔ Cataloged contents                                                                                                                                                                                                                                                                                                                                                                                                                   f2d873bf5f6127ce965934c5ee10665f83195ae3264690a496e63b895f996567     ├── ✔ Packages                        [675 packages]                                                                                                                                                                                                                                                                                                                                                                                                                                                      └── ✔ Executables                     [1 executables]
{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"otelcol-contrib_0.98.0_darwin_amd64.tar.gz","documentNamespace":"https://anchore.com/syft/file/otelcol-contrib_0.98.0_darwin_amd64.tar.gz-0605e1c6-a055-45ad-bb22-611d8ad283b8","creationInfo":{"licenseListVersion":"3.23","creators":["Organization: Anchore, Inc","Tool: syft-1.1.1"],"created":"2024-04-12T08:27:15Z"},"packages":[{"name":"bitbucket.org/atlassian/go-asap/v2","SPDXID":"SPDXRef-Package-go-mod
ule-bitbucket.org-atlassian-go-asap-v2-249ebae86b40f5df","versionInfo":"v2.8.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"24be2392dad94f71fc187924789d5109d849e5870ec9571c03fd9327869edc8d"}],"sourceInfo":"acquired package info from go module information: otelcol-contrib","licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategor
y":"SECURITY","referenceType":"cpe23Type","referenceLocator":"cpe:2.3:a:atlassian:go-asap\\/v2:v2.8.0:*:*:*:*:*:*:*"},{"referenceCategory":"SECURITY","referenceType":"cpe23Type","referenceLocator":"cpe:2.3:a:atlassian:go_asap\\/v2:v2.8.0:*:*:*:*:*:*:*"},{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/bitbucket.org/atlassian/go-asap@v2.8.0#v2"}]},{"name":"cloud.google.com/go","SPDXID":"SPDXRef-Package-go-module-cloud.google.com-go-c5a7793790f
1ea74","versionInfo":"v0.112.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"65a193e8b886edd0738baccd3af559c1a71a5e599fde546a9c2e03433ab2450c"}],"sourceInfo":"acquired package info from go module information: otelcol-contrib","licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","ref
erenceLocator":"pkg:golang/cloud.google.com/go@v0.112.2"}]},{"name":"cloud.google.com/go/compute/metadata","SPDXID":"SPDXRef-Package-go-module-cloud.google.com-go-compute-metadata-e4175b7b6cf1e683","versionInfo":"v0.2.4-0.20230617002413-005d2dfb6b68","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"69156a635a76209681192b5632c40ca6401af3770f9020cb97cd1e3a3d116f3e"}],"sourceInfo":"acquired package info fro
m go module information: otelcol-contrib","licenseConc
...

@cpanato
Copy link
Contributor

cpanato commented Apr 12, 2024

i run the gorelease locally and the sboms was created with data

@cpanato
Copy link
Contributor

cpanato commented Apr 12, 2024

we need to make sure we have the latest syft, checking that

@cpanato
Copy link
Contributor

cpanato commented Apr 12, 2024
edited
Loading

seems ok

was able to reproduce the issue with syft v1.1.0 with v1.1.1 was ok

@cpanato
Copy link
Contributor

cpanato commented Apr 12, 2024

we need to wait for anchore/sbom-action#456

@jpkrohling
Copy link
Member Author

Thank you for the investigation!

@dosubot dosubot bot added the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Jul 16, 2024
@dosubot dosubot bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 23, 2024
@dosubot dosubot bot removed the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Jul 23, 2024
@mx-psi mx-psi reopened this Jul 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cpanato cpanato

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jpkrohling @cpanato @mx-psi