Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decoding of sparse CycloneDX does not set language #953

Closed
jonmcewen opened this issue Apr 13, 2022 · 0 comments
Closed

Decoding of sparse CycloneDX does not set language #953

jonmcewen opened this issue Apr 13, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@jonmcewen
Copy link
Contributor

What happened:

When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.

What you expected to happen:

Vulnerabilities should be found by language when there is no CPE and no syft metadata

How to reproduce it (as minimally and precisely as possible):

Using a CycloneDX SBOM with minimal component info and known CVEs such as:

{
  "name" : "log4j-core",
  "version" : "2.13.3",
  "purl" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar",
  "type" : "library",
  "bom-ref" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"
},

Running grype will not find any CVEs.

Anything else we need to know?:

PR coming shortly...

Environment:

  • Output of syft version: v0.42.4
  • OS (e.g: cat /etc/os-release or similar): any
@jonmcewen jonmcewen added the bug Something isn't working label Apr 13, 2022
jonmcewen added a commit to jonmcewen/syft that referenced this issue Apr 13, 2022
@jonmcewen
fix: anchore#953 Derive language from pURL - anchore#953
f87d695 
Signed-off-by: Jon McEwen <jon_mcewen@hotmail.com>
@jonmcewen jonmcewen mentioned this issue Apr 13, 2022
Closed
jonmcewen added a commit to jonmcewen/syft that referenced this issue Apr 13, 2022
@jonmcewen
fix: anchore#953 Derive language from pURL - anchore#953
a24e35a 
Signed-off-by: Jon McEwen <jon_mcewen@hotmail.com>
This was referenced Apr 13, 2022
Merged
Closed
spiffcs added a commit that referenced this issue May 2, 2022
@spiffcs
Merge branch 'main' into 835-keyless-attestation-upgrade
cb25858 
* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21 pushed a commit to rigzba21/syft that referenced this issue May 5, 2022
@jonmcewen @rigzba21
fix: anchore#953 Derive language from pURL - https://github.com/ancho…
89b7c39 
…re/syft… (anchore#957)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024
@jonmcewen
fix: anchore#953 Derive language from pURL - https://github.com/ancho…
2a7265a 
…re/syft… (anchore#957)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jonmcewen