Improve CycloneDX format output #710
Conversation
cc: @VinodAnandan, @coderpatros from CycloneDX team

Thank you @samj1912 !!

I am facing an issue with CPE binding strings that are generated by https://github.com/facebookincubator/nvdtools. It looks like it doesn't match the spec. See e.g. https://regexr.com/6c0et

EDIT - on further investigation, it looks like some of the CPEs we generate have versions of form

EDIT 2 - On further investigation, it looks like the cause is packages like https://packages.ubuntu.com/search?keywords=zlib1g which contain a

Edit 3 - TIL that the colon indicates an epoch for debian packages - https://askubuntu.com/questions/441879/why-do-some-packages-have-extra-numbers-before-a-colon-on-the-front-of-their-ver Looks like we might want to handle CPE generation for packages with epochs separately.
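An added example (not code from this thread or from syft itself) showing the failure mode the comment above describes and one way to handle it. A CPE 2.3 formatted string has exactly 13 colon-separated components, so a Debian epoch such as `1:` pasted raw into the version field produces a 14th component and fails any spec-shaped regex. The spec's answer is to escape the colon as `\:` inside the value; alternatively the epoch can be split off first. The `debPackage` struct, the `zlib1g` version string, and the helpers `escapeFS`, `splitFS`, `splitEpoch`, `naiveCPE` and `cpeFromDeb` are all constructed for this example and are not syft or nvdtools APIs.

```go
package main

import (
	"fmt"
	"strings"
)

// debPackage is a constructed stand-in for the fields a scanner has for a
// Debian/Ubuntu package; the version keeps its epoch prefix ("1:").
type debPackage struct {
	Name    string
	Version string
}

// splitEpoch separates a Debian epoch from the rest of the version string.
// "1:1.2.11.dfsg-2ubuntu1" -> ("1", "1.2.11.dfsg-2ubuntu1"); no epoch -> ("", v).
func splitEpoch(version string) (epoch, rest string) {
	if i := strings.Index(version, ":"); i >= 0 {
		return version[:i], version[i+1:]
	}
	return "", version
}

// escapeFS quotes one attribute value for the CPE 2.3 formatted-string
// binding (NISTIR 7695 sec. 6.2): alphanumerics, '_', '.', '-' and the
// wildcards '*' / '?' pass through; every other character, the colon
// delimiter included, is prefixed with a backslash.
func escapeFS(v string) string {
	if v == "" {
		return "*" // ANY
	}
	var b strings.Builder
	for _, r := range v {
		plain := r == '_' || r == '.' || r == '-' || r == '*' || r == '?' ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !plain {
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// naiveCPE reproduces the bug from the thread: the raw version is pasted in,
// so an epoch colon turns into an extra (14th) component.
func naiveCPE(p debPackage) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", p.Name, p.Name, p.Version)
}

// cpeFromDeb keeps the full version (epoch included) but escapes every value.
func cpeFromDeb(p debPackage) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*",
		escapeFS(p.Name), escapeFS(p.Name), escapeFS(p.Version))
}

// splitFS splits a formatted string on unescaped colons only, which is how a
// spec-aware consumer tokenises it; strings.Split(s, ":") would miscount.
func splitFS(s string) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(parts, cur.String())
}

// isValidFS checks the shape every CPE 2.3 consumer relies on: the
// "cpe:2.3:" prefix and exactly 13 components.
func isValidFS(s string) bool {
	return strings.HasPrefix(s, "cpe:2.3:") && len(splitFS(s)) == 13
}

func main() {
	// Constructed sample input: an Ubuntu package whose version carries an epoch.
	p := debPackage{Name: "zlib1g", Version: "1:1.2.11.dfsg-2ubuntu1"}
	for _, c := range []string{naiveCPE(p), cpeFromDeb(p)} {
		fmt.Printf("%-60s components=%d valid=%v\n", c, len(splitFS(c)), isValidFS(c))
	}
	epoch, rest := splitEpoch(p.Version)
	fmt.Printf("epoch=%q upstream=%q\n", epoch, rest)
}
```

Whichever option a generator picks (escape the colon, or drop the epoch and emit only the upstream version), the consumer side should tokenise on unescaped colons as `splitFS` does, otherwise a correctly escaped CPE will be rejected just as the unescaped one was.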
Created issue #712 - will fix it in a different PR
Note on the commit that adds metadata props -
Comments added thanks again @samj1912 for the great PR!
I didn't cover the cpe changes since I added comments in the dependent PR which we can merge before moving on this one.
Review thread on internal/formats/cyclonedx13json/test-fixtures/snapshot/TestCycloneDxDirectoryPresenter.golden (outdated, resolved)
Now that the CPE changes have been merged it looks like this one just has some conflicts @samj1912

Thanks so much for the huge lift on these two massive PRs
@wagoodman @spiffcs - made several improvements to the properties output. We now store metadatatype and also pkg.Type. We also store the distro information in the top level sbom metadata properties. I believe this should result in all the information that grype may need to do vuln. matching with cyclonedx at this point.
@wagoodman / @spiffcs if you could please take a look again that would be great :)

Yep! Sorry for the delay here @samj1912. I've been looking into signing sbom at the moment. Next time I get to review PRs this is at the top of the stack.
@samj1912 the PR is just about there! My only blocking comment is this one: https://github.com/anchore/syft/pull/710/files#r784914277 .
Viewed the rest of the file and LGTM. The only blocking comment here is what Alex had mentioned regarding including hashes from metadata files. I also agree with him that we should only be including hashes that we have explicitly read rather than pulling them from the metadata entries.
This commit dramatically improves the information we add in the cyclonedx output. It adds:
* CPEs
* Authors
* Publishers
* External References (Website, Distribution, VCS)
* Description
Signed-off-by: Sambhav Kothari <[email protected]>

This commit adds arbitrary properties from the syft metadata to CycloneDX. This builds on top of the previous work on enriching the cyclonedx output. Creating a separate PR for this work as this might be a point of contention whether we want to add these properties or not or the way the properties are currently extracted using struct tags.
Signed-off-by: Sambhav Kothari <[email protected]>
@wagoodman / @spiffcs should be updated now :)
@samj1912 stellar contribution... thanks for your work on this!
Thanks @wagoodman! Is this good to merge?
…hub.com/hectorj2f/syft into hectorj2f/add_dependencies_to_cyclonedx
* 'hectorj2f/add_dependencies_to_cyclonedx' of https://github.com/hectorj2f/syft: (29 commits)
  Improve CycloneDX format output (#710)
  Add additional PHP metadata (#753)
  Update Syft formats for SyftJson (#752)
  Add support for "file" source type in syftjson unmarshaling (#750)
  remove contains file from spdx dependency generation
  support .sar for java ecosystem (#748)
  Start developer documentation (#746)
  Align SPDX export more with SPDX 2.2 specification (#743)
  Replace distro type (#742)
  update goreleaser with windows checksums (#740)
  bump stereoscope version to remove old containerd (#741)
  Add support for multiple output files in different formats (#732)
  Add support for searching for jars within archives (#734)
  683 windows filepath (#735)
  Fix CPE encode/decode when it contains special chars (#714)
  support .par for java ecosystems (#727)
  Add arm64 support to install script (#729)
  Revert "bump goreleaser to v1.2 (#720)" (#731)
  Add a version flag (#722)
  Add lpkg as java package format (#694)
  ...
* Improve CycloneDX format output
## Additions to CycloneDX output
* CPEs
* Authors
* Publishers
* External References (Website, Distribution, VCS)
* Description
Signed-off-by: Sambhav Kothari <[email protected]>
Signed-off-by: fsl <[email protected]>
This commit dramatically improves the information we add in the
cyclonedx output -
It adds -
Signed-off-by: Sambhav Kothari [email protected]
Note: This organizes the cyclonedx helpers in a structure similar to the SPDX helpers to better organize formatting code.
Fixes #268
Partially Fixes #154
Partially Fixes #632
Depends on #714