From cbeabe1105703160ed09bb855ea0124ac508c97b Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 11:23:40 +0600
Subject: [PATCH 1/6] fix(bom): Use `core.TypeFilesystem` if there is no root component in BOM
---
 pkg/sbom/io/encode.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkg/sbom/io/encode.go b/pkg/sbom/io/encode.go
index 9672f1648dc6..590935bb3dba 100644
--- a/pkg/sbom/io/encode.go
+++ b/pkg/sbom/io/encode.go
@@ -86,7 +86,10 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
 case artifact.TypeCycloneDX, artifact.TypeSPDX:
 // When we scan SBOM file
 if r.BOM != nil {
- return r.BOM.Root(), nil
+ // If SBOM file doesn't contain root component - use filesystem
+ if bomRoot := r.BOM.Root(); bomRoot != nil {
+ return bomRoot, nil
+ }
 }
 // When we scan a `json` file (meaning a file in `json` format) which was created from the SBOM file.
 // e.g. for use in `convert` mode.
From afb04280dd6226e4f9af5e75da753e4dda32537d Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 11:23:51 +0600
Subject: [PATCH 2/6] test(bom): add test
---
 pkg/sbom/io/encode_test.go | 61 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go
index d165b64c3e80..c9bdf4b62b03 100644
--- a/pkg/sbom/io/encode_test.go
+++ b/pkg/sbom/io/encode_test.go
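Review bot: The two stacked comments above the guard now read as one run-on sentence ("When we scan SBOM file / If SBOM file doesn't contain root component - use filesystem"), and neither says what the new check protects against: before this hunk a CycloneDX/SPDX document with no root component made rootComponent return a nil *core.Component together with a nil error, which looks like a latent nil-pointer panic for whatever consumes the root downstream (the consumer is not visible here). Because the SBOM is external input, that is worth stating in the code, e.g. replace both comments with `// When scanning an SBOM file, reuse its root component; an SBOM without one (nil Root()) falls through to the filesystem root below so callers never receive a nil root.`. The fallthrough target and the rest of rootComponent are outside the hunk.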
@@ -581,6 +581,53 @@ func TestEncoder_Encode(t *testing.T) {
 },
 wantVulns: make(map[uuid.UUID][]core.Vulnerability),
 },
+ {
+ name: "SBOM file without root component",
+ report: types.Report{
+ SchemaVersion: 2,
+ ArtifactName: "report.cdx.json",
+ ArtifactType: artifact.TypeCycloneDX,
+ Results: []types.Result{
+ {
+ Target: "Java",
+ Type: ftypes.Jar,
+ Class: types.ClassLangPkg,
+ Packages: []ftypes.Package{
+ {
+ ID: "org.apache.logging.log4j:log4j-core:2.23.1",
+ Name: "org.apache.logging.log4j:log4j-core",
+ Version: "2.23.1",
+ Identifier: ftypes.PkgIdentifier{
+ UID: "6C0AE96901617503",
+ PURL: &packageurl.PackageURL{
+ Type: packageurl.TypeMaven,
+ Namespace: "org.apache.logging.log4j",
+ Name: "log4j-core",
+ Version: "2.23.1",
+ },
+ },
+ FilePath: "log4j-core-2.23.1.jar",
+ },
+ },
+ },
+ },
+ BOM: newTestBOM2(t),
+ },
+ wantComponents: map[uuid.UUID]*core.Component{
+ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent,
+ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponentWithUID(),
+ },
+ wantRels: map[uuid.UUID][]core.Relationship{
+ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
+ {
+ Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"),
+ Type: core.RelationshipContains,
+ },
+ },
+ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): nil,
+ },
+ wantVulns: make(map[uuid.UUID][]core.Vulnerability),
+ },
 {
 name: "json file created from SBOM file (BOM is empty)",
 report: types.Report{
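Review bot: The new table entry exercises only the CycloneDX arm of the shared `case artifact.TypeCycloneDX, artifact.TypeSPDX:` branch that the fix lives in, so a regression in the SPDX path through the same guard would go unnoticed. A sibling entry with `ArtifactType: artifact.TypeSPDX` and `ArtifactName: "report.spdx.json"`, reusing the same `newTestBOM2(t)` BOM and the same expectations, would cover both arms without new fixtures. The expected UUIDs use the `3ff14136-…` prefix while `newTestBOM2` seeds `2ff14136-…`; that follows the existing `newTestBOM` convention, but a short comment on the entry saying where the `3ff…` values come from would save the next reader a double-take, since the seeding is not visible here. TestEncoder_Encode starts before the hunk.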
@@ -728,9 +775,23 @@ var (
 }
 )
 
+func libComponentWithUID() *core.Component {
+ component := libComponent
+ component.PkgIdentifier.UID = "6C0AE96901617503"
+ return component
+}
+
 func newTestBOM(t *testing.T) *core.BOM {
 uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
 bom := core.NewBOM(core.Options{})
 bom.AddComponent(appComponent)
 return bom
 }
+
+// BOM without root component
+func newTestBOM2(t *testing.T) *core.BOM {
+ uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
+ bom := core.NewBOM(core.Options{})
+ bom.AddComponent(libComponent)
+ return bom
+}
From 90f88addc2c1c8ead8f20f98b8968c4791e9e76f Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 12:13:09 +0600
Subject: [PATCH 3/6] test(bom): avoid overwriting UID in `libComponentWithUID` function
---
 pkg/sbom/io/encode_test.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go
index c9bdf4b62b03..e12e80f33230 100644
--- a/pkg/sbom/io/encode_test.go
+++ b/pkg/sbom/io/encode_test.go
@@ -4,6 +4,7 @@ import (
 "testing"
 
 "github.com/package-url/packageurl-go"
+ "github.com/samber/lo"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 
@@ -776,9 +777,9 @@ var (
 )
 
 func libComponentWithUID() *core.Component {
- component := libComponent
+ component := lo.FromPtr(libComponent)
 component.PkgIdentifier.UID = "6C0AE96901617503"
- return component
+ return lo.ToPtr(component)
 }
 
 func newTestBOM(t *testing.T) *core.BOM {
From c4c413abd190140aa0453fd13f5d7e79b883f050 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 13:21:58 +0600
Subject: [PATCH 4/6] refactor
---
 pkg/sbom/io/encode.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkg/sbom/io/encode.go b/pkg/sbom/io/encode.go
index 590935bb3dba..87fbe2ef96fc 100644
--- a/pkg/sbom/io/encode.go
+++ b/pkg/sbom/io/encode.go
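Review bot: `newTestBOM2` duplicates `newTestBOM` line for line except for the component it adds, and its name does not say what distinguishes it; the comment `// BOM without root component` is the only hint, and it is easy to miss from the table entry that calls `newTestBOM2(t)`. A name such as `newTestBOMWithoutRoot`, or a single helper `newTestBOM(t *testing.T, comps ...*core.Component)` that both call sites use, would make the entry self-explanatory and remove the copy. The `var (` block this hunk follows starts before the hunk.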
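Review bot: `lo.FromPtr`/`lo.ToPtr` copy only the top level of `core.Component`, so any pointer field the `libComponent` fixture carries (it is outside this hunk; the report package in this series has a `PURL: &packageurl.PackageURL{` pointer, and the fixture presumably mirrors it) stays shared between the fixture and the returned copy. That is fine for a string field such as `UID`, but a later helper that touched the PURL through the copy would silently mutate the shared fixture. A plain `c := *libComponent; c.PkgIdentifier.UID = "6C0AE96901617503"; return &c` does the same shallow copy without pulling `samber/lo` into the test file, and a one-line comment `// shallow copy: only change non-pointer fields here` would document the limit.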
@@ -85,11 +85,9 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
 root.Type = core.TypeRepository
 case artifact.TypeCycloneDX, artifact.TypeSPDX:
 // When we scan SBOM file
- if r.BOM != nil {
- // If SBOM file doesn't contain root component - use filesystem
- if bomRoot := r.BOM.Root(); bomRoot != nil {
- return bomRoot, nil
- }
+ // If SBOM file doesn't contain root component - use filesystem
+ if r.BOM != nil && r.BOM.Root() != nil {
+ return r.BOM.Root(), nil
 }
 // When we scan a `json` file (meaning a file in `json` format) which was created from the SBOM file.
 // e.g. for use in `convert` mode.
From 9afe959a79807eb827d601cae1def9bd6aee8a40 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 13:25:13 +0600
Subject: [PATCH 5/6] test(encode): remove unneeded UID
---
 pkg/sbom/io/encode_test.go | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go
index e12e80f33230..c835312efb3f 100644
--- a/pkg/sbom/io/encode_test.go
+++ b/pkg/sbom/io/encode_test.go
@@ -4,7 +4,6 @@ import (
 "testing"
 
 "github.com/package-url/packageurl-go"
- "github.com/samber/lo"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 
@@ -599,7 +598,6 @@ func TestEncoder_Encode(t *testing.T) {
 Name: "org.apache.logging.log4j:log4j-core",
 Version: "2.23.1",
 Identifier: ftypes.PkgIdentifier{
- UID: "6C0AE96901617503",
 PURL: &packageurl.PackageURL{
 Type: packageurl.TypeMaven,
 Namespace: "org.apache.logging.log4j",
@@ -616,7 +614,7 @@ func TestEncoder_Encode(t *testing.T) {
 },
 wantComponents: map[uuid.UUID]*core.Component{
 uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent,
- uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponentWithUID(),
+ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent,
 },
 wantRels: map[uuid.UUID][]core.Relationship{
 uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
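Review bot: `r.BOM.Root()` is now evaluated twice, once in the `&&` condition and once in the return, where patch 1's nested form bound the result once; that is harmless if Root() is a plain field accessor (its body is not visible here), but if it performs any lookup the `if root := r.BOM.Root(); root != nil` form inside the `r.BOM != nil` check is the cheaper and clearer one. The two comments above the guard still read as a single run-on sentence; merging them into `// When scanning an SBOM file reuse its root component; an SBOM without one falls through to the filesystem root below.` says what the guard is for, including why a nil Root() is deliberately not an error. The rest of rootComponent, including the filesystem fallback the comment refers to, is outside the hunk.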
@@ -776,12 +774,6 @@ var (
 }
 )
 
-func libComponentWithUID() *core.Component {
- component := lo.FromPtr(libComponent)
- component.PkgIdentifier.UID = "6C0AE96901617503"
- return lo.ToPtr(component)
-}
-
 func newTestBOM(t *testing.T) *core.BOM {
 uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
 bom := core.NewBOM(core.Options{})
From 32ad23f31c7c5cb10d507c9c94cdc9a1cfef8d17 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 28 Jun 2024 15:20:44 +0600
Subject: [PATCH 6/6] test(encode): add UID
---
 pkg/sbom/io/encode_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go
index bbc7485a2a2a..80783827cee7 100644
--- a/pkg/sbom/io/encode_test.go
+++ b/pkg/sbom/io/encode_test.go
@@ -722,6 +722,7 @@ func TestEncoder_Encode(t *testing.T) {
 Name: "org.apache.logging.log4j:log4j-core",
 Version: "2.23.1",
 Identifier: ftypes.PkgIdentifier{
+ UID: "6C0AE96901617503",
 PURL: &packageurl.PackageURL{
 Type: packageurl.TypeMaven,
 Namespace: "org.apache.logging.log4j",
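Review bot: `UID: "6C0AE96901617503"` is put back after patch 5 removed it as "unneeded", and nothing in the entry records why this exact value is required; presumably it has to equal the UID carried by the `libComponent` fixture so the report package is matched to the component already present in the BOM, but the fixture and the matching logic are outside this hunk. A trailing comment such as `UID: "6C0AE96901617503", // must equal libComponent's UID so the package maps onto the existing BOM component` would stop the next cleanup from deleting it again. The enclosing table entry and TestEncoder_Encode start before the hunk.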