Conversation

@spiffcs
Contributor

@spiffcs spiffcs commented Dec 13, 2022

Summary

Grype currently produces CYCLONE-DX SBOMs that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities.

For more context on why this is an issue see:
Fixes #796
Fixes #951

Testing note: image-simple was unused under the cyclone-dx test-fixtures, so it was removed in favor of the snapshot presenter testing.

Breaking Changes

  • Grype no longer makes a distinction between cyclonedx-schema and the cyclonedx-vex-schema. See here for schema definitions that only make a distinction between the json and xml schema.
  • Given the above, format options for grype have been simplified. Grype now does cyclonedx and cyclonedx-xml. The options for embedded-cyclonedx-vex-json and embedded-cyclonedx-vex-xml have been removed.
  • Grype no longer outputs CYCLONE-DX 1.2. Vulnerabilities are no longer nested under components as a consequence of this change.
  • Updated schema definitions have been added to schema/cyclonedx/. These have been sourced from the above schema link.

Comparison chart:

Old                          New
embedded-cyclonedx-vex-json  --->  cyclonedx
embedded-cyclonedx-vex-xml   --->  cyclonedx-xml

Format changes
cyclonedx  --->  now outputs 1.4 JSON (was 1.2 XML)

To consider

Take a look at the two following outputs. The version of grype is 0.54.0

grype -o embedded-cyclonedx-vex-json alpine:latest > vuln_old.json 

This command uses this branch:

go run main.go -o cyclonedx alpine:latest > vuln.json

The above commands should both output cyclonedx-1.4-json documents:

Note: in the above example we're seeing binary cataloger overlaps with package cataloger matching so that's probably a PR we want in separately before the next release so we can match on the correct package.

Notice how alpine shows 1.35.0-r29 vs binary cataloger which is showing 1.35.0, the latter of which is vulnerable.

Highlights from the above output comparisons

  • Metadata component now has a bomref
  • component data contains expanded set of fields including but not limited to publisher, description, properties, and references
  • Vulnerabilities now come with a bom ref field
  • Vulnerabilities now come with a reference field
  • Empty analysis and properties fields have been dropped

Signed-off-by: Christopher Phillips [email protected]
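As an added example (not code from this PR or from grype/syft), a small Python checker for the invariants the description lists for the new top-level 1.4 JSON output: a bom-ref on the metadata component and on every vulnerability, a references field, no empty analysis/properties, no 1.2-style nesting under components, and every affects.ref resolving to a component. The sample document is constructed; its names and ids are made up.

```python
# Constructed sample in the CycloneDX 1.4 JSON shape this PR produces.
# Names, bom-refs and the vulnerability id are made up, not real grype output.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "img-1", "type": "container",
                               "name": "alpine:latest"}},
    "components": [{"bom-ref": "pkg-1", "type": "library", "name": "busybox",
                    "version": "1.35.0-r29"}],
    "vulnerabilities": [
        {"bom-ref": "vuln-1", "id": "EXAMPLE-0001",
         "references": [{"id": "EXAMPLE-0001", "source": {"name": "example"}}],
         "affects": [{"ref": "pkg-1"}]},
    ],
}


def check_cyclonedx_vex(doc):
    """Return a list of problems; an empty list means the document has the
    properties the PR description lists for the new 1.4 JSON output."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.4":
        problems.append("expected a CycloneDX 1.4 document")
    meta = doc.get("metadata", {}).get("component", {})
    if not meta.get("bom-ref"):
        problems.append("metadata.component has no bom-ref")
    # Every bom-ref that a vulnerability's 'affects' entry may point at.
    known_refs = {c.get("bom-ref") for c in doc.get("components", [])}
    known_refs.add(meta.get("bom-ref"))
    known_refs.discard(None)
    for comp in doc.get("components", []):
        if "vulnerabilities" in comp:  # 1.2-style nesting is gone in the new output
            problems.append(f"component {comp.get('name')} nests vulnerabilities")
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        if not vuln.get("bom-ref"):
            problems.append(f"{vid}: no bom-ref")
        if not vuln.get("references"):
            problems.append(f"{vid}: no references")
        for key in ("analysis", "properties"):
            if key in vuln and not vuln[key]:
                problems.append(f"{vid}: empty {key} should have been dropped")
        for aff in vuln.get("affects", []):
            if aff.get("ref") not in known_refs:
                problems.append(f"{vid}: affects ref {aff.get('ref')!r} matches no component")
    return problems
```

To run it against real output, pass `json.load()` of the file written by `grype -o cyclonedx ...` to `check_cyclonedx_vex`.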

@spiffcs spiffcs changed the title from "feat: rip out old self made bom" to "feat: swap custom cyclone-dx model for cyclone-dx library" Dec 13, 2022
* main:
  chore: add GitLab Community Edition image to quality gate (#1035)
  Update Syft to v0.63.0 (#1037)
  fix: Exclude binary packages that have overlap by file ownership relationship (#1024)
  docs: update quality gate docs (#1032)
  Optionally orient results by CVE (#1020)

@spiffcs spiffcs marked this pull request as ready for review December 21, 2022 20:24
Contributor

@kzantow kzantow left a comment

LGTM 👍 and the MEGA-⚓ of the day for -5k LoC!

Comment on lines +32 to +36
results: pb.Matches,
packages: pb.Packages,
metadataProvider: pb.MetadataProvider,
srcMetadata: pb.Context.Source,
sbom: pb.SBOM,
Contributor

nit: if we're going to use a PresenterBundle should the formats just have a reference to it instead of copying all/most of the properties individually? (same comment for all presenters, which might just reduce a bit of code)

Contributor Author

I've made a note to refactor this in its own separate PR so it's clear that this is an optimization and not part of the general upgrade to the syft library.

@spiffcs
Contributor Author

spiffcs commented Dec 21, 2022

@wagoodman do you want me to invert the new output options here?

cyclonedx --> returns xml
cyclonedx-json --> returns json <-- New json option

Should we keep the embedded-xx options and deprecate them?

@spiffcs spiffcs enabled auto-merge (squash) December 22, 2022 15:30
@spiffcs spiffcs merged commit a62a3a4 into main Dec 22, 2022
@spiffcs spiffcs deleted the upgrade-cyclonedx branch December 22, 2022 16:35
spiffcs added a commit to willyw0nka/grype that referenced this pull request Jan 24, 2023
* main: (56 commits)
  fix: always include severity in cyclonedx output (anchore#1067)
  Update Syft to v0.68.0 (anchore#1064)
  Add protobuf FPs to default ignore list (anchore#1062)
  chore: update Syft to v0.66.2 (anchore#1060)
  Update grype bootstrap tools to latest versions. (anchore#1055)
  feat: allow grype db diff to specify local db directories (anchore#1058)
  chore: claim artifacthub package ownership from developer-guy (anchore#661)
  chore: add github token to quality tests (anchore#1056)
  chore: update yardstick to diagnose intermittent failures (anchore#1054)
  Update grype bootstrap tools to latest versions. (anchore#1048)
  fix: sort vulnerability results (anchore#1052)
  Adding internal/file/hasher test cases (anchore#1049)
  fix: orient by cve merging (anchore#1046)
  Update Syft to v0.64.0 (anchore#1047)
  fix: update removing results based on ownership-by-file-overlap (anchore#1045)
  feat: swap custom cyclone-dx model for cyclone-dx library (anchore#1038)
  chore: add GitLab Community Edition image to quality gate (anchore#1035)
  Update Syft to v0.63.0 (anchore#1037)
  fix: Exclude binary packages that have overlap by file ownership relationship (anchore#1024)
  docs: update quality gate docs (anchore#1032)
  ...