Skip to content

Commit

Permalink
fix(sbom): fix panic for convert mode when scanning json file deriv…
Browse files Browse the repository at this point in the history
…ed from sbom file (aquasecurity#6808)
  • Loading branch information
DmitriyLewen authored May 30, 2024
1 parent aa59489 commit f92ea09
Show file tree
Hide file tree
Showing 2 changed files with 163 additions and 2 deletions.
11 changes: 9 additions & 2 deletions pkg/sbom/io/encode.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,8 +83,15 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
root.Type = core.TypeFilesystem
case artifact.TypeRepository:
root.Type = core.TypeRepository
case artifact.TypeCycloneDX:
return r.BOM.Root(), nil
case artifact.TypeCycloneDX, artifact.TypeSPDX:
// When we scan SBOM file
if r.BOM != nil {
return r.BOM.Root(), nil
}
// When we scan a `json` file (meaning a file in `json` format) which was created from the SBOM file.
// e.g. for use in `convert` mode.
// See https://github.com/aquasecurity/trivy/issues/6780
root.Type = core.TypeFilesystem
}

if r.Metadata.Size != 0 {
Expand Down
154 changes: 154 additions & 0 deletions pkg/sbom/io/encode_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -535,6 +535,97 @@ func TestEncoder_Encode(t *testing.T) {
},
wantVulns: make(map[uuid.UUID][]core.Vulnerability),
},
{
name: "SBOM file",
report: types.Report{
SchemaVersion: 2,
ArtifactName: "report.cdx.json",
ArtifactType: artifact.TypeCycloneDX,
Results: []types.Result{
{
Target: "Java",
Type: ftypes.Jar,
Class: types.ClassLangPkg,
Packages: []ftypes.Package{
{
ID: "org.apache.logging.log4j:log4j-core:2.23.1",
Name: "org.apache.logging.log4j:log4j-core",
Version: "2.23.1",
Identifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.apache.logging.log4j",
Name: "log4j-core",
Version: "2.23.1",
},
},
FilePath: "log4j-core-2.23.1.jar",
},
},
},
},
BOM: newTestBOM(t),
},
wantComponents: map[uuid.UUID]*core.Component{
uuid.MustParse("2ff14136-e09f-4df9-80ea-000000000001"): appComponent,
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): libComponent,
},
wantRels: map[uuid.UUID][]core.Relationship{
uuid.MustParse("2ff14136-e09f-4df9-80ea-000000000001"): {
{
Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"),
Type: core.RelationshipContains,
},
},
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): nil,
},
wantVulns: make(map[uuid.UUID][]core.Vulnerability),
},
{
name: "json file created from SBOM file (BOM is empty)",
report: types.Report{
SchemaVersion: 2,
ArtifactName: "report.cdx.json",
ArtifactType: artifact.TypeCycloneDX,
Results: []types.Result{
{
Target: "Java",
Type: ftypes.Jar,
Class: types.ClassLangPkg,
Packages: []ftypes.Package{
{
ID: "org.apache.logging.log4j:log4j-core:2.23.1",
Name: "org.apache.logging.log4j:log4j-core",
Version: "2.23.1",
Identifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.apache.logging.log4j",
Name: "log4j-core",
Version: "2.23.1",
},
},
FilePath: "log4j-core-2.23.1.jar",
},
},
},
},
},
wantComponents: map[uuid.UUID]*core.Component{
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent,
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent,
},
wantRels: map[uuid.UUID][]core.Relationship{
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
{
Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"),
Type: core.RelationshipContains,
},
},
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): nil,
},
wantVulns: make(map[uuid.UUID][]core.Vulnerability),
},
{
name: "invalid digest",
report: types.Report{
Expand Down Expand Up @@ -580,3 +671,66 @@ func TestEncoder_Encode(t *testing.T) {
})
}
}

var (
appComponent = &core.Component{
Root: true,
Type: core.TypeApplication,
Name: "log4j-core-2.23.1.jar",
}
fsComponent = &core.Component{
Root: true,
Type: core.TypeFilesystem,
Name: "report.cdx.json",
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "3ff14136-e09f-4df9-80ea-000000000001",
},
Properties: core.Properties{
{
Name: "SchemaVersion",
Value: "2",
},
},
}
libComponent = &core.Component{
Type: core.TypeLibrary,
Name: "log4j-core",
Group: "org.apache.logging.log4j",
Version: "2.23.1",
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:maven/org.apache.logging.log4j/[email protected]",
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.apache.logging.log4j",
Name: "log4j-core",
Version: "2.23.1",
},
},
Files: []core.File{
{
Path: "log4j-core-2.23.1.jar",
},
},
Properties: core.Properties{
{
Name: "FilePath",
Value: "log4j-core-2.23.1.jar",
},
{
Name: "PkgID",
Value: "org.apache.logging.log4j:log4j-core:2.23.1",
},
{
Name: "PkgType",
Value: "jar",
},
},
}
)

func newTestBOM(t *testing.T) *core.BOM {
uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
bom := core.NewBOM(core.Options{})
bom.AddComponent(appComponent)
return bom
}

0 comments on commit f92ea09

Please sign in to comment.