WARN unable to convert relationship from CycloneDX 1.3 JSON #980

Closed
tillepille opened this issue May 2, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@tillepille

What happened:
Since version v0.45.0 I see a lot of warnings when generating a sbom via

$ syft --scope all-layers -o cyclonedx-json nginx
...
 WARN unable to convert relationship from CycloneDX 1.3 JSON, dropping: {From:Pkg(name="zlib1g" version="1:1.2.11.dfsg-2+deb11u1" type="deb" id="eda9db1f3f3729c1") To:Location<RealPath="/usr/share/doc/zlib1g/copyright" Layer="sha256:9c1b6dd6c1e6be9fdd2b1987783824670d3b0dd7ae8ad6f57dc3cea5739ac71e"> Type:contains Data:<nil>}
...

What you expected to happen:
Generation of sbom works without any warnings

How to reproduce it (as minimally and precisely as possible):
use -o cyclonedx-json or -o cyclonedx-xml

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.45.0
JsonSchemaVersion:  3.2.2
BuildDate:          2022-04-29T15:47:45Z
GitCommit:          36973021fad57baf443ffa88181394b87ce109a0
GitDescription:     v0.45.0
Platform:           darwin/arm64
GoVersion:          go1.18.1
Compiler:           gc

I also tested with

Application:        syft
Version:            0.45.0
JsonSchemaVersion:  3.2.2
BuildDate:          2022-04-29T15:47:45Z
GitCommit:          36973021fad57baf443ffa88181394b87ce109a0
GitDescription:     v0.45.0
Platform:           linux/amd64
GoVersion:          go1.18.1
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar): macOS 12.3.1 / docker container anchore/syft:v0.45.0
@tillepille added the bug label May 2, 2022
@jeremywood-ai

Acknowledging the bug continues into 0.45.1

.\bin\syft.exe version
Application: syft
Version: 0.45.1
JsonSchemaVersion: 3.2.2
BuildDate: 2022-05-03T14:44:04Z
GitCommit: 37927b8
GitDescription: v0.45.1
Platform: windows/amd64
GoVersion: go1.18.1
Compiler: gc

@kzantow
Contributor

kzantow commented May 11, 2022

I'll have to dig into this a bit more, but generally speaking the WARN unable to convert relationship means Syft has a relationship that does not map to another format, so this is somewhat expected.

@spiffcs
Contributor

spiffcs commented Jul 28, 2022

Looks like this issue was resolved. I ran the following command:
Image

Let me know if you're still seeing the issue otherwise we'll close this. Thanks for filing the bug!

@spiffcs closed this as completed Jul 28, 2022
@tillepille
Author

Yes, tested with syft 0.52.0 and I can confirm this seems to be resolved!

@aniketdn-ff

I am using Syft version 0.53.4 and am still facing this issue. I see those warnings on running it with debug mode (-vv). As a result, there are no dependencies in the CycloneDX SBOM.

Warnings as follows:
Screen Shot 2022-08-17 at 12 17 16 PM

However, on generating a SBOM in SPDX format for the same container using Syft, I was able to see this dependency in the SBOM.
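
A triage helper for the warning discussed in this thread, added here as an example (not code from Syft or from any commenter): it tallies dropped relationships in Syft's log output by endpoint kind and relationship type, so package-to-file `contains` drops can be told apart from package-to-package drops of the kind the last comment associates with missing dependencies. The second and third sample lines, and the assumption that a package target is printed as `Pkg(...)` like the source side, are constructed.

```python
import re
from collections import Counter

# Matches the warning format quoted in the issue. Assumption: a package target
# is printed as Pkg(...), mirroring the From side shown on the page.
DROP_RE = re.compile(
    r'unable to convert relationship from (?P<fmt>.+?), dropping: '
    r'\{From:(?P<src>\w+)[(<].*? To:(?P<dst>\w+)[(<].* '
    r'Type:(?P<type>[\w-]+) Data:'
)

# Line 1 is the warning from the issue; lines 2-3 are constructed for contrast.
SAMPLE_LOG = '''\
 WARN unable to convert relationship from CycloneDX 1.3 JSON, dropping: {From:Pkg(name="zlib1g" version="1:1.2.11.dfsg-2+deb11u1" type="deb" id="eda9db1f3f3729c1") To:Location<RealPath="/usr/share/doc/zlib1g/copyright" Layer="sha256:9c1b6dd6c1e6be9fdd2b1987783824670d3b0dd7ae8ad6f57dc3cea5739ac71e"> Type:contains Data:<nil>}
 WARN unable to convert relationship from CycloneDX 1.3 JSON, dropping: {From:Pkg(name="example-app" version="1.0.0" type="deb" id="0000000000000001") To:Pkg(name="example-lib" version="2.0.0" type="deb" id="0000000000000002") Type:dependency-of Data:<nil>}
 INFO constructed line that is not a relationship warning
'''


def summarize_drops(log_text):
    """Count dropped relationships by (output format, source kind, target kind, type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            counts[(m['fmt'], m['src'], m['dst'], m['type'])] += 1
    return counts


def package_edges_lost(counts):
    """Number of dropped relationships whose two ends are both packages."""
    return sum(n for (_, src, dst, _), n in counts.items()
               if src == 'Pkg' and dst == 'Pkg')


if __name__ == '__main__':
    counts = summarize_drops(SAMPLE_LOG)
    for (fmt, src, dst, rel), n in sorted(counts.items()):
        print(f'{n:4d}  {fmt}: {src} -> {dst} ({rel})')
    print('package-to-package relationships dropped:', package_edges_lost(counts))
```

A non-zero package-to-package count is the case worth escalating, since those edges are what a consumer of the SBOM reads as the dependency graph.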
