Pick up CycloneDX BOM components from metadata as well #3092
Conversation
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
|
Hey @dervoeti , this looks like a good change but I'd mention two things:
|
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
dervoeti
force-pushed
the
fix/cyclonedx-bom-components-from-metadata
branch
from
25348c4
to
671684e
Compare
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
dervoeti
force-pushed
the
fix/cyclonedx-bom-components-from-metadata
branch
from
4f91340
to
390fc91
Compare
|
Thanks for the quick reply! I added an integration test with a handcrafted CycloneDX SBOM. Regarding the Syft generated |
|
Hi @dervoeti , Syft outputs appropriate component types for the metadata.component: For example: or I think this should could probably check for the CycloneDX component type being only those appropriate to create packages. My feeling looking at the list is, this would include: |
|
It looks like when Syft constructs the source object it is explicitly checking for |
…type Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
|
Yeah I think your list sounds reasonable, I implemented it that way now 🙂 For my use case only |
| @@ -39,11 +39,32 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) { | |||
| } | |||
|
|
|||
| func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]interface{}) error { | |||
| if bom.Components == nil { | |||
| components := []cyclonedx.Component{} | |||
There was a problem hiding this comment.
I think this change could be simplified to just adding this block:
if bom.Metadata.Component != nil
collectPackages(bom.Metadata.Component, s, idMap)
}
... and in the collectPackages, we should be recursively adding sub-components, and checking for the type being one of the right types, which it looks like it's doing already
There was a problem hiding this comment.
Sorry I should have looked at exactly what the code was doing there before sending you down a path to implement an unnecessary thing 🤦
There was a problem hiding this comment.
No worries, I also didn't see the logic was already present. Good thing you spotted it, I refactored it, the change is much simpler now 👍
There was a problem hiding this comment.
I may have missed suggesting a bom.Metadata != nil bit
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
…omponents-from-metadata
I'm building a docker image containing multiple Java applications. For those applications, I generate CycloneDX SBOMs at build time using cyclonedx-maven-plugin, which are placed in the docker image alongside the applications.
cyclonedx-maven-plugin stores the application component itself (e.g.
my-java-app@1.2.3) inside the.metadata.componentattribute of the SBOM. It does not provide it again in the.componentsattribute of the SBOM. This seems to be correct.When I scan the image using Syft, the sbom-cataloger picks up the SBOMs of the Java applications, but it does not recognize the component in
.metadata.component. So the main component and its direct dependency relations to sub-components are lost in the SBOM Syft produces for the image.This PR fixes that by collecting
.metadata.componentas a package as well, additionally to.components. I tested this for my use case and it provided the expected result.I'm not an expert on CycloneDX or Syft, so I have no idea whether this is an idiomatic way of implementing it or it has any side effects, hence I made this a draft PR. As mentioned, it works fine for my use case.