
Conversation

@sambhav sambhav commented Dec 22, 2021

Depends on #710

This commit adds arbitrary properties from the syft metadata to
CycloneDX. This builds on top of the previous work on enriching
the cyclonedx output. Creating a separate PR for this work as this
might be a point of contention whether we want to add these properties
or not or the way the properties are currently extracted using struct
tags.

NOTE: Diff to look at sambhav/syft-1@enrich-cdx...enrich-cdx-props

This allows us to use struct tags to add cyclonedx property values. It works in the following way -

If it detects an explicit cyclonedx struct tag, it will use the value of that tag as the name for the property.

It stringifies the value of the struct field to get the prop value since cyclonedx props are strings only.

If the cyclonedx struct tag is not added or if the stringified value is empty, the prop is not added.

Currently syft seems to generate invalid CPEs which do not
conform with the official CPE spec. This is because the underlying
nvdtools library is not a completely spec compliant implementation
and has some interesting bugs/issues.

The following is the list of issues I have encountered with nvdtools:

1. It parses strings which are not CPEs incorrectly as valid CPEs. This
messes up our filter function which is supposed to filter out any
incorrect CPEs we generate. In order to fix this, I have introduced
a new regex in the NewCPE function which follows the upstream spec and
filters out any incorrect CPEs.

2. Introduce wfn.WFNize for any cpe attributes we infer from packages.
This ensures that we are escaping and quoting any special characters
before putting them into CPEs. Note that nvdtools has yet another bug
in the WFNize function, specifically the "addSlashesAt" part of the
function which stops the loop as soon as it encounters ":" a valid
character for a WFN attribute after quoting, but the way nvdtools
handles it causes it to truncate strings that contain ":". As a result
strings like "prefix:1.2" which would have been quoted as "prefix\:1.2"
end up becoming "prefix" instead causing loss of information and
incorrect CPEs being generated. As a result, in such cases we remove
strings containing ":" in any part entirely for now. This is similar
to the way we were handling CPE filtering in the past with http urls as
vendor strings.

3. Add special handling for versions which contain ":" due to epochs in
debian and rpm. In this case, we strip out the parts before ":" i.e.
the epoch and only output the actual function. This ensures we are not
discarding valid version strings due to pt #.2.

In the future we should look at moving to a more spec compliant cpe
parsing library to avoid such shenanigans.

Signed-off-by: Sambhav Kothari <[email protected]>

WFNize seems to not be part of the standard as per
https://pkg.go.dev/github.com/facebookincubator/[email protected]/wfn#WFNize
and seems to have bugs/issues with encode/decode cycles, so I am
just removing it at this point and relying on the CPE regex to filter
out invalid CPEs for now.

Signed-off-by: Sambhav Kothari <[email protected]>

This commit dramatically improves the information we add in the
cyclonedx output -

It adds -

* CPEs
* Authors
* Publishers
* External References (Website, Distribution, VCS)
* Description

Signed-off-by: Sambhav Kothari <[email protected]>
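A defensive illustration of the three CPE issues described in the commits above (filtering malformed CPEs instead of emitting them, keeping a quoted ":" inside an attribute instead of truncating at it, and stripping a Debian/RPM epoch). This is an added Go example, not syft's or nvdtools' code: `ValidateCPE23` approximates the CPE 2.3 formatted-string grammar with a hand-written checker rather than the spec regex (the language attribute is checked only as a generic value, and the `quotable` set is an approximation), and `StripEpoch` drops everything before the first ":" as the commit message describes. All function names and sample CPE strings are constructed for the example.

```go
package main

import (
	"errors"
	"strings"
)

// ErrInvalidCPE marks anything that is not a well-formed CPE 2.3 string; the caller drops it.
var ErrInvalidCPE = errors.New("not a valid CPE 2.3 formatted string")

// quotable lists the characters that may appear only behind a backslash (approximation of the spec).
const quotable = "\\*?!\"#$%&'()+,/:;<=>@[]^`{|}~-._"

func isUnreserved(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-' || c == '.' || c == '_'
}

// splitCPE splits on unescaped ':' only, so a quoted "\:" stays inside its attribute.
func splitCPE(s string) []string {
	var fields []string
	start, escaped := 0, false
	for i := 0; i < len(s); i++ {
		switch {
		case escaped:
			escaped = false
		case s[i] == '\\':
			escaped = true
		case s[i] == ':':
			fields = append(fields, s[start:i])
			start = i + 1
		}
	}
	return append(fields, s[start:])
}

// validAttr accepts ANY ("*"), NA ("-"), or a string of unreserved and
// backslash-quoted characters whose unquoted wildcards ("*" once, or a run
// of "?") sit only at the ends, with a non-empty body between them.
func validAttr(s string) bool {
	if s == "*" || s == "-" {
		return true
	}
	// Tokenize: 'u' unreserved byte, 'q' quoted pair, '*'/'?' unquoted wildcard.
	var units []byte
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '\\':
			if i+1 >= len(s) || !strings.ContainsRune(quotable, rune(s[i+1])) {
				return false
			}
			units = append(units, 'q')
			i++
		case c == '*' || c == '?':
			units = append(units, c)
		case isUnreserved(c):
			units = append(units, 'u')
		default:
			return false // e.g. an unquoted space or URL character
		}
	}
	u := string(units)
	// Strip one leading "*" or a run of "?", then the same at the end.
	if strings.HasPrefix(u, "*") {
		u = u[1:]
	} else {
		u = strings.TrimLeft(u, "?")
	}
	if strings.HasSuffix(u, "*") {
		u = u[:len(u)-1]
	} else {
		u = strings.TrimRight(u, "?")
	}
	// Whatever remains must be a non-empty body with no further wildcards.
	return u != "" && !strings.ContainsAny(u, "*?")
}

// ValidateCPE23 returns the 13 fields of a well-formed CPE 2.3 string, or
// ErrInvalidCPE, which is how a generator would filter out bad CPEs.
func ValidateCPE23(s string) ([]string, error) {
	f := splitCPE(s)
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" ||
		len(f[2]) != 1 || !strings.Contains("aho*-", f[2]) {
		return nil, ErrInvalidCPE
	}
	for _, a := range f[3:] { // vendor .. other; language is checked only as a plain value
		if !validAttr(a) {
			return nil, ErrInvalidCPE
		}
	}
	return f, nil
}

// StripEpoch drops a Debian/RPM epoch so the version never carries a bare
// ':' into the CPE: "1:2.31-13" -> "2.31-13".
func StripEpoch(version string) string {
	if i := strings.Index(version, ":"); i >= 0 {
		return version[i+1:]
	}
	return version
}
```

Feeding `"cpe:2.3:a:debian:libc6:" + StripEpoch("1:2.31-13") + ":*:*:*:*:*:*:*"` to `ValidateCPE23` yields 13 fields, whereas the unstripped version splits into 14 fields and is rejected; a vendor string such as `http://example.invalid` is rejected as well because the unquoted `/` is not an allowed character.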

@sambhav sambhav force-pushed the enrich-cdx-props branch 3 times, most recently from 4ee4600 to 5d38316 on December 22, 2021 16:28

This commit adds arbitrary properties from the syft metadata to
CycloneDX. This builds on top of the previous work on enriching
the cyclonedx output. Creating a separate PR for this work as this
might be a point of contention whether we want to add these properties
or not or the way the properties are currently extracted using struct
tags.

Signed-off-by: Sambhav Kothari <[email protected]>

@sambhav sambhav closed this Dec 22, 2021

@sambhav sambhav deleted the enrich-cdx-props branch December 22, 2021 16:30