Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failure loading CycloneDX v1.5 and v1.6 #1230

Closed
ghsa-retrieval opened this issue May 15, 2024 · 5 comments
Closed

Failure loading CycloneDX v1.5 and v1.6 #1230

ghsa-retrieval opened this issue May 15, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@ghsa-retrieval
Copy link

Describe the bug
Using DejaCode's "Load Packages from SBOM" feature with ScanCode.io fails when using SBOMs generated by cdxgen in the CycloneDX v1.5 and v1.6 format. It appears that v1.4 is handled correctly. This problem could be related to #1171

Stack trace for sbom-1-5.cdx.json

Unexpected key lifecycles/lifecycles in data being serialized to cyclonedx.model.bom.BomMetaData

Traceback:
  File "/opt/scancodeio/scanpipe/pipelines/__init__.py", line 204, in execute
    step(self)
  File "/opt/scancodeio/scanpipe/pipelines/load_sbom.py", line 57, in get_packages_from_sboms
    self.packages = resolve.get_packages(
                    ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 70, in get_packages
    if packages := resolve_manifest_resources(resource, package_registry):
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 47, in resolve_manifest_resources
    packages = get_packages_from_manifest(resource.location, package_registry) or []
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 119, in get_packages_from_manifest
    resolved_packages = resolver(input_location=input_location)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 252, in resolve_cyclonedx_packages
    cyclonedx_bom = Bom.from_json(data=cyclonedx_document)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 333, in from_json
    _data[k] = prop_info.concrete_type.from_json(data=v)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 301, in from_json
    raise ValueError(

Stack trace for sbom-1-6.cdx.json:

Unexpected key lifecycles/lifecycles in data being serialized to cyclonedx.model.bom.BomMetaData

Traceback:
  File "/opt/scancodeio/scanpipe/pipelines/__init__.py", line 204, in execute
    step(self)
  File "/opt/scancodeio/scanpipe/pipelines/load_sbom.py", line 57, in get_packages_from_sboms
    self.packages = resolve.get_packages(
                    ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 70, in get_packages
    if packages := resolve_manifest_resources(resource, package_registry):
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 47, in resolve_manifest_resources
    packages = get_packages_from_manifest(resource.location, package_registry) or []
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 119, in get_packages_from_manifest
    resolved_packages = resolver(input_location=input_location)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 252, in resolve_cyclonedx_packages
    cyclonedx_bom = Bom.from_json(data=cyclonedx_document)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 333, in from_json
    _data[k] = prop_info.concrete_type.from_json(data=v)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 301, in from_json
    raise ValueError(

System configuration

To Reproduce
Steps to reproduce the behavior:

  1. Open ScanCode.io
  2. Click "New Project"
  3. Give the project a memorable name
  4. Select either the sbom-1-5.cdx.json or sbom-1-6.cdx.json file
  5. Set "Pipeline" to load_sbom

Expected behavior
The SBOM in CycloneDX v1.5 format should be properly imported.

Screenshots
Screenshot should not be needed.
@ghsa-retrieval ghsa-retrieval added the bug Something isn't working label May 15, 2024
@ghsa-retrieval ghsa-retrieval mentioned this issue May 16, 2024
Open
tdruez added a commit that referenced this issue May 16, 2024
@tdruez
Improve the CycloneDX SBOM pre-validation fixes #1230
5596a7d 
Signed-off-by: tdruez <[email protected]>
@ghsa-retrieval
Copy link
Author

ghsa-retrieval commented May 16, 2024
edited
Loading

This is caused by missing support in cyclonedx-python-lib, see:
CycloneDX/cyclonedx-python-lib#578

@tdruez
Copy link
Contributor

tdruez commented May 16, 2024

@ghsa-retrieval We already added some workaround for those issues in #1171
I'm now refining those fixes in #1232 to support your SBOM examples.

@tdruez tdruez closed this as completed in 37a43ba May 16, 2024
@tdruez
Copy link
Contributor

tdruez commented May 16, 2024

@ghsa-retrieval The fix is now available in the main branch. Would you mind to give it a try and confirm that you can now load the problematic SBOM?

@ghsa-retrieval
Copy link
Author

@tdruez It works correctly now. Thank you!

@tdruez
Copy link
Contributor

tdruez commented May 16, 2024

@ghsa-retrieval Thanks for checking!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tdruez @ghsa-retrieval