Failure on SBOM from cdxgen 11.0.0 #2263
Labels
bug
Something isn't working
Comments
metametadata
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
What you expected to happen:
No error.
How to reproduce it (as minimally and precisely as possible):
Use
cdxgen11.0.0 to generate an SBOM frompom.xml:Then run Grype 0.84.0:
sbom.json:Click me
{ "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:427c8220-455c-4270-8639-f63001b38d46", "version": 1, "metadata": { "timestamp": "2024-11-16T21:58:42Z", "tools": { "components": [ { "group": "@cyclonedx", "name": "cdxgen", "version": "11.0.0", "purl": "pkg:npm/%40cyclonedx/[email protected]", "type": "application", "bom-ref": "pkg:npm/@cyclonedx/[email protected]", "publisher": "OWASP Foundation", "authors": [ { "name": "OWASP Foundation" } ] } ] }, "authors": [ { "name": "OWASP Foundation" } ], "lifecycles": [ { "phase": "build" } ], "component": { "group": "foo", "name": "bar", "version": "1.0.0", "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ], "purl": "pkg:maven/foo/[email protected]?type=jar", "bom-ref": "pkg:maven/foo/[email protected]?type=jar", "type": "application" }, "properties": [ { "name": "cdx:bom:componentTypes", "value": "maven" }, { "name": "cdx:bom:componentNamespaces", "value": "com.google.protobuf\\ncom.mysql" } ] }, "components": [ { "group": "com.mysql", "name": "mysql-connector-j", "version": "9.0.0", "scope": "required", "purl": "pkg:maven/com.mysql/[email protected]?type=jar", "type": "library", "bom-ref": "pkg:maven/com.mysql/[email protected]?type=jar", "evidence": { "identity": [ { "field": "purl", "confidence": 0.5, "methods": [ { "technique": "manifest-analysis", "confidence": 0.5, "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } ] }, "properties": [ { "name": "cdx:maven:component_scope", "value": "compile" }, { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] }, { "group": "com.google.protobuf", "name": "protobuf-java", "version": "4.26.1", "scope": "required", "purl": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "type": "library", "bom-ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "evidence": { "identity": [ { "field": "purl", "confidence": 0.5, "methods": [ { "technique": "manifest-analysis", "confidence": 0.5, "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } ] }, "properties": [ { "name": "cdx:maven:component_scope", "value": "compile" }, { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } ], "dependencies": [ { "ref": "pkg:maven/foo/[email protected]?type=jar", "dependsOn": [ "pkg:maven/com.mysql/[email protected]?type=jar" ] }, { "ref": "pkg:maven/com.mysql/[email protected]?type=jar", "dependsOn": [ "pkg:maven/com.google.protobuf/[email protected]?type=jar" ] }, { "ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "dependsOn": [] } ], "annotations": [] }Notes
Differences between 10.10.7 (works with Grype) and 11.0.0
cdxgenoutput:sbom.jsonfromcdxgen10.10.7:Click me
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:fb64f67b-e07b-473c-bac0-d0d298266cea", "version": 1, "metadata": { "timestamp": "2024-11-16T21:56:39Z", "tools": { "components": [ { "group": "@cyclonedx", "name": "cdxgen", "version": "10.10.7", "purl": "pkg:npm/%40cyclonedx/[email protected]", "type": "application", "bom-ref": "pkg:npm/@cyclonedx/[email protected]", "author": "OWASP Foundation", "publisher": "OWASP Foundation" } ] }, "authors": [ { "name": "OWASP Foundation" } ], "lifecycles": [ { "phase": "build" } ], "component": { "group": "foo", "name": "bar", "version": "1.0.0", "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ], "purl": "pkg:maven/foo/[email protected]?type=jar", "bom-ref": "pkg:maven/foo/[email protected]?type=jar", "type": "application" }, "properties": [ { "name": "cdx:bom:componentTypes", "value": "maven" }, { "name": "cdx:bom:componentNamespaces", "value": "com.google.protobuf\\ncom.mysql" } ] }, "components": [ { "group": "com.mysql", "name": "mysql-connector-j", "version": "9.0.0", "scope": "required", "purl": "pkg:maven/com.mysql/[email protected]?type=jar", "type": "library", "bom-ref": "pkg:maven/com.mysql/[email protected]?type=jar", "evidence": { "identity": { "field": "purl", "confidence": 0.5, "methods": [ { "technique": "manifest-analysis", "confidence": 0.5, "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } }, "properties": [ { "name": "cdx:maven:component_scope", "value": "compile" }, { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] }, { "group": "com.google.protobuf", "name": "protobuf-java", "version": "4.26.1", "scope": "required", "purl": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "type": "library", "bom-ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "evidence": { "identity": { "field": "purl", "confidence": 0.5, "methods": [ { "technique": "manifest-analysis", "confidence": 0.5, "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } }, "properties": [ { "name": "cdx:maven:component_scope", "value": "compile" }, { "name": "SrcFile", "value": "/Users/yuri/dev/cdxgen-grype-issue/pom.xml" } ] } ], "dependencies": [ { "ref": "pkg:maven/foo/[email protected]?type=jar", "dependsOn": [ "pkg:maven/com.mysql/[email protected]?type=jar" ] }, { "ref": "pkg:maven/com.mysql/[email protected]?type=jar", "dependsOn": [ "pkg:maven/com.google.protobuf/[email protected]?type=jar" ] }, { "ref": "pkg:maven/com.google.protobuf/[email protected]?type=jar", "dependsOn": [] } ] }The text was updated successfully, but these errors were encountered: