
invalid package url type: dotnet #1622

Closed
felickz opened this issue Feb 24, 2023 · 3 comments · Fixed by #1649
Labels: bug (Something isn't working)

Comments

felickz commented Feb 24, 2023

Testing out capabilities on a small .NET test repo. The detector is finding a deps.json and reporting package type as dotnet ... should be nuget?

Config:

```yaml
      - uses: anchore/sbom-action@v0
        if: runner.os != 'Windows'
        with:
          path: .
          dependency-snapshot: true
```

Logs showing the error:

```json
  "data": {
    "message": "invalid package url: in manifest \"ProCodeGuide.Samples.Automapper/bin/Debug/netcoreapp3.1/ProCodeGuide.Samples.Automapper.deps.json\" decoding \"pkg:dotnet/AutoMapper@9.0.0\": invalid package url type: dotnet",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
```
kzantow (Contributor) commented Feb 24, 2023

Thanks for the report @felickz! I'm moving this to the Syft project, as that is where PURLs get generated.

@kzantow kzantow transferred this issue from anchore/sbom-action Feb 24, 2023
xopham commented Feb 28, 2023

@felickz @kzantow I believe that we are experiencing the same / a very similar issue. Running anchore/sbom-action with dependency submission via `dependency-snapshot: true` as a reusable job:

```yaml
  dependency-submission:
    name: syft / dependency review
    runs-on: ubuntu-latest
    permissions:
      packages: read
      contents: write
    steps:
    - name: Login with registry
      if: inputs.registry != ''
      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.repo_owner }}
        password: ${{ inputs.repo_token }}
    - name: Run
      uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
      with:
        image: ${{ inputs.image }}
        format: cyclonedx-json
        dependency-snapshot: true
```

This fails with: "invalid package url: in manifest \"docker.io/securesystemsengineering/connaisseur:v2.8.0:/bin/busybox\" decoding \"\": scheme is missing"

Complete log:

```text
Error uploading depdendency snapshot: {
  "url": "https://api.github.com/repos/xopham/connaisseur/dependency-graph/snapshots",
  "status": 422,
  "headers": {
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
    "connection": "close",
    "content-length": "279",
    "content-security-policy": "default-src 'none'",
    "content-type": "application/json; charset=utf-8",
    "date": "Mon, 27 Feb 2023 23:13:49 GMT",
    "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "server": "github.com",
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "vary": "Accept-Encoding, Accept, X-Requested-With",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-github-api-version-selected": "2022-11-28",
    "x-github-media-type": "github.v3; format=json",
    "x-github-request-id": "4410:2CE3:6E44F35:E35EE2B:63FD392D",
    "x-ratelimit-limit": "100",
    "x-ratelimit-remaining": "99",
    "x-ratelimit-reset": "1677539689",
    "x-ratelimit-resource": "dependency_snapshots",
    "x-ratelimit-used": "1",
    "x-xss-protection": "0"
  },
  "data": {
    "message": "invalid package url: in manifest \"docker.io/securesystemsengineering/connaisseur:v2.8.0:/bin/busybox\" decoding \"\": scheme is missing",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
}
```

Great work by the way! Really enjoying the new anchore tooling 🚀

jain-ranjith commented:

We are exploring using Syft along with Dependency-Track on a dotnet project. For the package URL `pkg:dotnet/xxxxxx`, Dependency-Track does not show any results.
If I correct the package URL to `pkg:nuget/xxxxxx`, Dependency-Track lists associated vulnerabilities.

It seems Syft-generated SBOMs have the wrong package URL `pkg:dotnet/xxxxxx` instead of `pkg:nuget/xxxxxx`.
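The two failures reported in this thread (a `pkg:dotnet/...` PURL that neither the GitHub snapshot API nor Dependency-Track recognises, and a component submitted with an empty PURL, which the API rejects with "scheme is missing") can both be caught before upload by linting the SBOM. The script below is an added example written for this page; it is not Syft's code, not the fix in #1649, and not part of either action. It assumes a CycloneDX JSON document with `components[].purl` (the `format: cyclonedx-json` layout), treats a hypothetical list of package-url types taken from the purl spec as the set of accepted types, and knows only the one rewrite this issue establishes, `dotnet` -> `nuget`. Empty PURLs are reported rather than guessed, because the page does not say what PURL those image components should carry.

```python
import json
import re

# Assumption: a subset of the well-known purl-spec types. The exact list
# GitHub's snapshot endpoint accepts is not given on this page.
KNOWN_PURL_TYPES = {
    "apk", "cargo", "cocoapods", "composer", "conan", "deb", "docker", "gem",
    "generic", "github", "golang", "hex", "maven", "npm", "nuget", "oci",
    "pypi", "rpm", "swift",
}

# Only the rewrite this issue documents: Syft emitted "dotnet" where the
# consumers expect the spec type "nuget". Nothing else is assumed.
TYPE_REWRITES = {"dotnet": "nuget"}

# pkg:<type>/<rest>  -- just enough parsing to isolate the type component.
PURL_RE = re.compile(r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/(?P<rest>.+)$")


def check_purl(purl: str):
    """Classify one purl. Returns (status, purl_to_use).

    status is one of:
      'ok'      known type, unchanged
      'fixed'   type rewritten (e.g. dotnet -> nuget)
      'empty'   no purl at all (the "scheme is missing" case)
      'invalid' unparseable or unknown type; caller must decide what to do
    """
    if not purl:
        return ("empty", purl)
    m = PURL_RE.match(purl)
    if not m:
        return ("invalid", purl)
    ptype = m.group("type").lower()
    if ptype in KNOWN_PURL_TYPES:
        return ("ok", purl)
    if ptype in TYPE_REWRITES:
        return ("fixed", f"pkg:{TYPE_REWRITES[ptype]}/{m.group('rest')}")
    return ("invalid", purl)


def fix_cyclonedx(doc: dict):
    """Rewrite fixable purls in place and return (doc, report).

    report['fixed'] lists (old, new) pairs; 'empty' and 'invalid' list the
    component names that still need attention before the SBOM is submitted.
    """
    report = {"ok": 0, "fixed": [], "empty": [], "invalid": []}
    for comp in doc.get("components", []):
        status, fixed = check_purl(comp.get("purl", ""))
        if status == "ok":
            report["ok"] += 1
        elif status == "fixed":
            report["fixed"].append((comp["purl"], fixed))
            comp["purl"] = fixed
        else:
            report[status].append(comp.get("name", "?"))
    return doc, report


def sample_sbom() -> dict:
    """Constructed CycloneDX fragment mirroring the two reports in this issue."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "AutoMapper", "version": "9.0.0",
             "purl": "pkg:dotnet/AutoMapper@9.0.0"},          # felickz's case
            {"type": "library", "name": "busybox", "version": "1.35.0",
             "purl": ""},                                     # xopham's case
            {"type": "library", "name": "requests", "version": "2.28.0",
             "purl": "pkg:pypi/requests@2.28.0"},             # already fine
        ],
    }


if __name__ == "__main__":
    import sys
    # Usage: python fix_purls.py sbom.cyclonedx.json > fixed.json
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = sample_sbom()
    doc, report = fix_cyclonedx(doc)
    print(json.dumps(report, indent=2), file=sys.stderr)
    print(json.dumps(doc, indent=2))
    # Non-zero exit if anything is left that the snapshot API would reject.
    sys.exit(1 if report["empty"] or report["invalid"] else 0)
```

Run it between the Syft step and the upload step; the non-zero exit on leftover empty or unknown PURLs stops the job before the snapshot API returns a 422, and the report on stderr names the components to look at.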

@kzantow kzantow moved this to In Progress in OSS Mar 2, 2023
@kzantow kzantow self-assigned this Mar 2, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Mar 3, 2023
@kzantow kzantow added the bug Something isn't working label Mar 9, 2023
4 participants