fix: output invalid PURLs when scanning sboms (#1283)

While I believe such situations indicate a bug in the tool used to generate the SBOM, outputting the PURLs should make it easier to debug the issue. Resolves #86
google · Sep 30, 2024 · 3591365 · 3591365
1 parent 866b3e0
commit 3591365
Show file tree

Hide file tree

Showing 4 changed files with 613 additions and 6 deletions.
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -540,6 +540,12 @@ Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
 [TestRun/folder_of_supported_sbom_with_vulns - 1]
 Scanning dir ./fixtures/sbom-insecure/
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages
+Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages
+Ignored 6 packages with invalid PURLs
+Ignored invalid PURL "/"
+Ignored invalid PURL "pkg:///"
+Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2"
+Ignored invalid PURL "pkg:pypi/"
 Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
 +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
 | OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                        | VERSION                            | SOURCE                                          |
@@ -688,6 +694,21 @@ No issues found
 
 ---
 
+[TestRun/one_specific_supported_sbom_with_invalid_PURLs - 1]
+Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages
+Ignored 6 packages with invalid PURLs
+Ignored invalid PURL "/"
+Ignored invalid PURL "pkg:///"
+Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2"
+Ignored invalid PURL "pkg:pypi/"
+No issues found
+
+---
+
+[TestRun/one_specific_supported_sbom_with_invalid_PURLs - 2]
+
+---
+
 [TestRun/one_specific_supported_sbom_with_vulns - 1]
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+