xeol unable to decode syft-json from versions of syft newer than v0.92 #346

Closed
bturner-cpacket opened this issue May 20, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@bturner-cpacket

What happened:
When running xeol over a syft generated json sbom from a version of Syft later than v0.92 you get this error:

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

What you expected to happen:
When running xeol over a syft generated json sbom from a version of Syft v0.92 you do not receive this error:

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

How to reproduce it (as minimally and precisely as possible):

  1. install Syft version 0.92 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0
  2. check your version - ./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 0.92.0
  3. Generate a json SBOM using Syft v0.92 -
./syft dir:/ -o json>./sbom/v0.92-syft-filesystem-image-sbom.json
  4. Run xeol against that sbom and verify it succeeds -
% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary
  5. install latest Syft version (currently v1.4.1) - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
  6. check your version of syft - ./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 1.4.1
  7. Generate a json SBOM using Syft v1.4.1 -
./syft dir:/ -o json>./sbom/v1.4.1-syft-filesystem-image-sbom.json
  8. Run xeol against the sbom and verify failure -
% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

Anything else we need to know?:
I generated the SBOMs I tested against using the Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/; however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v0.92 to something newer would solve this issue, however I don't know if there are dependency versions that are why it's been held back on v0.92.

Environment:

  • Output of xeol version:
  • OS (e.g: cat /etc/os-release or similar):
% xeol version
Application:         xeol
Version:             0.9.15
BuildDate:           2024-04-27T01:08:08Z
GitCommit:           Homebrew
GitDescription:      Homebrew
Platform:            darwin/amd64
GoVersion:           go1.22.2
Compiler:            gc
Syft Version:        v0.92.0
Supported DB Schema: 1
@bturner-cpacket bturner-cpacket added the bug Something isn't working label May 20, 2024
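The failure above is the generic shape of a consumer whose Go structs are frozen to one syft-json schema generation being handed a document from a newer one: encoding/json only notices when it hits a field whose JSON type changed, and the resulting error names the struct path, not the schema mismatch. The program below is an added example, not xeol's or syft's code. It decodes just the `schema` header first, compares the major version against what the consumer was built for, and only then unmarshals the artifacts, so the user gets "schema 16 is not supported" instead of an opaque unmarshal error. The two documents, the version strings, and the `metadata` string-vs-object change are all constructed stand-ins for whatever field actually changed between the versions discussed in this issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed syft-json fragments for illustration; they are not real syft
// output, and the "metadata" field changing from a string to an object stands
// in for whichever artifact field actually changed between schema generations.
const olderSchemaDoc = `{
  "schema": {"version": "11.0.1", "url": "https://example.invalid/syft-json-11.json"},
  "artifacts": [
    {"id": "pkg-1", "name": "python", "version": "3.8.10", "type": "binary", "metadata": "BinaryMetadata"}
  ]
}`

const newerSchemaDoc = `{
  "schema": {"version": "16.0.4", "url": "https://example.invalid/syft-json-16.json"},
  "artifacts": [
    {"id": "pkg-1", "name": "python", "version": "3.8.10", "type": "binary", "metadata": {"kind": "binary"}}
  ]
}`

// schemaHeader is the part of a syft-json document every generation carries.
// Decoding only this much cannot fail on artifact-level layout changes.
type schemaHeader struct {
	Schema struct {
		Version string `json:"version"`
		URL     string `json:"url"`
	} `json:"schema"`
}

// artifact is a consumer's view of one package, frozen to the older layout
// (Metadata as a plain string). Feeding it a newer document triggers the same
// class of error seen in the issue.
type artifact struct {
	ID       string `json:"id"`
	Name     string `json:"name"`
	Version  string `json:"version"`
	Type     string `json:"type"`
	Metadata string `json:"metadata"`
}

type document struct {
	schemaHeader
	Artifacts []artifact `json:"artifacts"`
}

// supportedMajor is the schema generation this (hypothetical) consumer was built for.
const supportedMajor = 11

// schemaMajor extracts the major schema version without touching artifacts.
func schemaMajor(raw []byte) (int, error) {
	var h schemaHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return 0, fmt.Errorf("reading schema header: %w", err)
	}
	if h.Schema.Version == "" {
		return 0, errors.New("document has no schema.version; not a syft-json SBOM?")
	}
	major, err := strconv.Atoi(strings.SplitN(h.Schema.Version, ".", 2)[0])
	if err != nil {
		return 0, fmt.Errorf("unparseable schema.version %q: %w", h.Schema.Version, err)
	}
	return major, nil
}

// naiveDecode does what a consumer pinned to an old struct layout does: it
// unmarshals straight into the struct and lets the type mismatch surface.
func naiveDecode(raw []byte) (*document, error) {
	var d document
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("unable to decode syft-json: %w", err)
	}
	return &d, nil
}

// guardedDecode checks the schema generation first and reports an actionable
// error instead of an opaque unmarshal failure.
func guardedDecode(raw []byte) (*document, error) {
	major, err := schemaMajor(raw)
	if err != nil {
		return nil, err
	}
	if major != supportedMajor {
		return nil, fmt.Errorf("syft-json schema %d is not supported (decoder built for schema %d); "+
			"regenerate the SBOM with a matching syft or upgrade the consumer", major, supportedMajor)
	}
	return naiveDecode(raw)
}

func main() {
	for name, doc := range map[string]string{"older": olderSchemaDoc, "newer": newerSchemaDoc} {
		if _, err := naiveDecode([]byte(doc)); err != nil {
			fmt.Printf("%s/naive:   %v\n", name, err)
		} else {
			fmt.Printf("%s/naive:   ok\n", name)
		}
		if d, err := guardedDecode([]byte(doc)); err != nil {
			fmt.Printf("%s/guarded: %v\n", name, err)
		} else {
			fmt.Printf("%s/guarded: ok, %d artifact(s), first=%s %s\n", name, len(d.Artifacts), d.Artifacts[0].Name, d.Artifacts[0].Version)
		}
	}
}
```

Run it with `go run .` and the "newer" document fails both ways, but only the guarded path tells the operator what to do about it. The same header check is also a cheap pre-flight for any pipeline that stores SBOMs for later consumption: record `schema.version` next to the file so a consumer upgrade can be checked against the archive before it breaks a scan.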
@Lartsch

Lartsch commented May 29, 2024

Any update on this?

@tomersein

It seems to occur because of the fork this library is based on...
replace github.com/anchore/syft => github.com/noqcks/syft v0.0.0-20240109150718-1b286b681098

@bturner-cpacket
Author

That seems bad?

Why is this component dependent on go package from a fork of syft with no tags or releases instead of the official syft package?

@tomersein

is this project still maintained?
It has been a while since I saw a PR get merged.

@noqcks
Collaborator

noqcks commented Aug 12, 2024

We removed reliance on the forked version of syft in v0.10.0 of xeol; we're now using the latest version of the official syft, v1.10.0.

the reason we were originally using the forked version is that we added a lot of capabilities around dotnet deps and were very impatient with the review length with syft. But definitely a bad practice and not something we plan to do again for xeol

sorry for taking so long to get around to this, my github notifications failed me
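The root cause the maintainers describe, a `replace` directive that swaps the official module for a fork pinned to a pseudo-version (a commit hash, not a release tag), is easy to miss in a large go.mod and is exactly the kind of thing a supply-chain review should flag: the build no longer tracks upstream fixes, and the pinned commit has no tag that anyone signed or reviewed. The audit below is an added example, not part of xeol or syft. It parses the `replace` directives of a go.mod with the standard library only and classifies each as a fork (replacement module path differs from the original), untagged (pseudo-version), or a local directory. The go.mod text is constructed; the first replace line is the one quoted earlier in this thread, the other two entries are made up to show the distinctions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod excerpt. The anchore/syft replace is the line quoted in the
// thread; the cobra pin and the local-path replace are made-up contrasting cases.
const sampleGoMod = `module example.invalid/consumer

go 1.22

require (
	github.com/anchore/syft v0.92.0
	github.com/spf13/cobra v1.8.0
)

replace github.com/anchore/syft => github.com/noqcks/syft v0.0.0-20240109150718-1b286b681098

replace (
	github.com/spf13/cobra => github.com/spf13/cobra v1.8.1 // same origin, just a pin
	example.invalid/internal/tool => ../tool
)
`

// A Go pseudo-version ends in -yyyymmddhhmmss-<12 hex chars>: it names a bare
// commit rather than a tagged release.
var pseudoVersion = regexp.MustCompile(`-[0-9]{14}-[0-9a-f]{12}$`)

type replaceFinding struct {
	Old, New, NewVersion string
	Fork, Untagged, LocalPath bool
}

// risky reports whether a reviewer should look at this replace directive.
func (f replaceFinding) risky() bool { return f.Fork || f.Untagged || f.LocalPath }

// auditReplaces walks go.mod text and classifies every replace directive,
// handling both the single-line form and the "replace ( ... )" block form.
func auditReplaces(gomod string) []replaceFinding {
	var findings []replaceFinding
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comments
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace ("):
			inBlock = true
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "replace"))
		case !inBlock:
			continue // require/module/go lines are not our concern
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		if !ok {
			continue
		}
		oldFields, newFields := strings.Fields(lhs), strings.Fields(rhs)
		if len(oldFields) == 0 || len(newFields) == 0 {
			continue
		}
		f := replaceFinding{Old: oldFields[0], New: newFields[0]}
		if len(newFields) > 1 {
			f.NewVersion = newFields[1]
			f.Untagged = pseudoVersion.MatchString(f.NewVersion)
		} else {
			f.LocalPath = true // directory replacement: nothing a module proxy can verify
		}
		f.Fork = f.New != f.Old && !f.LocalPath
		findings = append(findings, f)
	}
	return findings
}

func main() {
	for _, f := range auditReplaces(sampleGoMod) {
		flag := "ok   "
		if f.risky() {
			flag = "RISKY"
		}
		fmt.Printf("%s %s => %s %s (fork=%t untagged=%t local=%t)\n",
			flag, f.Old, f.New, f.NewVersion, f.Fork, f.Untagged, f.LocalPath)
	}
}
```

On a real repository, `go mod edit -json` prints the same `Replace` entries as structured JSON, which is the more robust input for a CI check; the hand-rolled parser above exists only so the example runs offline on the constructed text. Either way the policy is the same: a replace that changes the module path or pins a pseudo-version needs a documented reason and an upstream PR link, and should be revisited on every dependency update.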
