
fix(sbom): fix panic when scanning SBOM file without root component i…
…nto SBOM format (aquasecurity#7051)
DmitriyLewen authored and skahn007gl committed Jul 23, 2024
1 parent 5f9394a commit c00068d
Showing 2 changed files with 57 additions and 1 deletion.
3 changes: 2 additions & 1 deletion pkg/sbom/io/encode.go
Expand Up @@ -85,7 +85,8 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
root.Type = core.TypeRepository
case artifact.TypeCycloneDX, artifact.TypeSPDX:
// When we scan SBOM file
if r.BOM != nil {
// If SBOM file doesn't contain root component - use filesystem
if r.BOM != nil && r.BOM.Root() != nil {
return r.BOM.Root(), nil
}
// When we scan a `json` file (meaning a file in `json` format) which was created from the SBOM file.
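Review bot: `r.BOM.Root()` is evaluated twice on the new lines — once in the guard and again in the return — so the value checked for nil is not provably the value returned; binding it once is cleaner, and the name must not be `root` because that identifier is already in use in this function (see `root.Type = core.TypeRepository` above): nest `if bomRoot := r.BOM.Root(); bomRoot != nil { return bomRoot, nil }` inside the existing `if r.BOM != nil` block. The new comment could also state the consequence rather than just the condition, e.g. `// An SBOM file with no root component falls through to the filesystem root below.`, since SBOM files are external input and a missing root is one of the malformed shapes this path now has to tolerate without panicking. The enclosing rootComponent function starts and ends outside the hunk, so the fallthrough target is not visible here; the new encode_test.go case expecting fsComponent suggests it is the filesystem branch.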
55 changes: 55 additions & 0 deletions pkg/sbom/io/encode_test.go
Expand Up @@ -705,6 +705,53 @@ func TestEncoder_Encode(t *testing.T) {
},
wantVulns: make(map[uuid.UUID][]core.Vulnerability),
},
{
name: "SBOM file without root component",
report: types.Report{
SchemaVersion: 2,
ArtifactName: "report.cdx.json",
ArtifactType: artifact.TypeCycloneDX,
Results: []types.Result{
{
Target: "Java",
Type: ftypes.Jar,
Class: types.ClassLangPkg,
Packages: []ftypes.Package{
{
ID: "org.apache.logging.log4j:log4j-core:2.23.1",
Name: "org.apache.logging.log4j:log4j-core",
Version: "2.23.1",
Identifier: ftypes.PkgIdentifier{
UID: "6C0AE96901617503",
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.apache.logging.log4j",
Name: "log4j-core",
Version: "2.23.1",
},
},
FilePath: "log4j-core-2.23.1.jar",
},
},
},
},
BOM: newTestBOM2(t),
},
wantComponents: map[uuid.UUID]*core.Component{
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent,
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent,
},
wantRels: map[uuid.UUID][]core.Relationship{
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
{
Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"),
Type: core.RelationshipContains,
},
},
uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): nil,
},
wantVulns: make(map[uuid.UUID][]core.Vulnerability),
},
{
name: "json file created from SBOM file (BOM is empty)",
report: types.Report{
Expand Down Expand Up @@ -860,3 +907,11 @@ func newTestBOM(t *testing.T) *core.BOM {
bom.AddComponent(appComponent)
return bom
}

// BOM without root component
func newTestBOM2(t *testing.T) *core.BOM {
uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d")
bom := core.NewBOM(core.Options{})
bom.AddComponent(libComponent)
return bom
}
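Review bot: The helper name `newTestBOM2` in the second hunk says nothing about how it differs from `newTestBOM`, and the `// BOM without root component` comment does not follow the doc-comment convention of starting with the function name. A descriptive name such as `newTestBOMWithoutRoot` with the comment `// newTestBOMWithoutRoot returns a BOM that contains only libComponent and no root component, to exercise the rootComponent fallback.` would make the new test case at "SBOM file without root component" self-explanatory at the call site. The helper is complete within the hunk; the tail of `newTestBOM` shown above it is context only.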
