fix(sbom): fix panic when scanning SBOM file without root component into SBOM format #7051

Merged
3 changes: 2 additions & 1 deletion pkg/sbom/io/encode.go
Expand Up @@ -85,7 +85,8 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
root.Type = core.TypeRepository
case artifact.TypeCycloneDX, artifact.TypeSPDX:
// When we scan SBOM file
if r.BOM != nil {
// If SBOM file doesn't contain root component - use filesystem
if r.BOM != nil && r.BOM.Root() != nil {
return r.BOM.Root(), nil
}
// When we scan a `json` file (meaning a file in `json` format) which was created from the SBOM file.
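Review bot: The new guard calls `r.BOM.Root()` twice, once in the condition and again in the return on the next line; binding it once, `if bomRoot := r.BOM.Root(); bomRoot != nil { return bomRoot, nil }`, gives a single evaluation and reads more clearly (the function's existing `root` local rules out reusing that name). The added comment would also be clearer about where control goes, e.g. `// SBOM has no root component: fall through and build a filesystem root below.` so the reader does not have to guess what "use filesystem" means. rootComponent begins and continues outside this hunk, so the fallback path the comment refers to is not visible here; its behaviour for a nil r.BOM is unchanged by this commit.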
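--- a/pkg/sbom/io/encode_test.go
+++ b/pkg/sbom/io/encode_test.go
@@ -705,6 +705,52 @@ func TestEncoder_Encode(t *testing.T) {
 },
 wantVulns: make(map[uuid.UUID][]core.Vulnerability),
 },
+{
+name: "SBOM file without root component",
+report: types.Report{
+SchemaVersion: 2,
+ArtifactName: "report.cdx.json",
+ArtifactType: artifact.TypeCycloneDX,
+Results: []types.Result{
+{
+Target: "Java",
+Type: ftypes.Jar,
+Class: types.ClassLangPkg,
+Packages: []ftypes.Package{
+{
+ID: "org.apache.logging.log4j:log4j-core:2.23.1",
+Name: "org.apache.logging.log4j:log4j-core",
+Version: "2.23.1",
+Identifier: ftypes.PkgIdentifier{
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "org.apache.logging.log4j",
+Name: "log4j-core",
+Version: "2.23.1",
+},
+},
+FilePath: "log4j-core-2.23.1.jar",
+},
+},
+},
+},
+BOM: newTestBOM2(t),
+},
+wantComponents: map[uuid.UUID]*core.Component{
+uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent,
+uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent,
+},
+wantRels: map[uuid.UUID][]core.Relationship{
+uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
+{
+Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"),
+Type: core.RelationshipContains,
+},
+},
+uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): nil,
+},
+wantVulns: make(map[uuid.UUID][]core.Vulnerability),
+},
 {
 name: "json file created from SBOM file (BOM is empty)",
 report: types.Report{
@@ -860,3 +906,11 @@ func newTestBOM(t *testing.T) *core.BOM {
 bom.AddComponent(appComponent)
 return bom
 }
+
+// BOM without root component
+func newTestBOM2(t *testing.T) *core.BOM {
+uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
+bom := core.NewBOM(core.Options{})
+bom.AddComponent(libComponent)
+return bom
+}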
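Review bot: `newTestBOM2` is named by number, which tells the reader nothing; since the comment above it already says it is the BOM without a root component, `func newTestBOMWithoutRoot(t *testing.T) *core.BOM {` would make the new test case's `BOM:` field self-describing. The helper seeds `uuid.SetFakeUUID` with the `2ff14136-…` prefix while the expected components in `wantComponents` carry `3ff14136-…` IDs; presumably the encoder under test re-seeds the fake UUID so this prefix never surfaces, but a one-line comment such as `// prefix differs from the encoder's fake UUIDs on purpose; the encoder re-seeds before assigning IDs` would save the next reader from checking. Both BOM helpers also hand the same package-level `libComponent` pointer to the encoder; if the encoder mutates components in place, that fixture could carry state between cases — worth confirming.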