
Cyclonedx external reference URLs are not validated when encoding #2079

Closed
wagoodman opened this issue Aug 30, 2023 · 2 comments · Fixed by #2091
Labels: bug (Something isn't working), format:cyclonedx (CycloneDX related enhancement or bug), good-first-issue (Good for newcomers)

Comments

@wagoodman (Contributor)

What happened:
When analyzing docker.io/anchore/test_images:grype-quality-node-d89207b@sha256:f56164678054e5eb59ab838367373a49df723b324617b1ba6de775749d7f91d4 and outputting to cyclonedx I'm seeing values that are not valid URLs in the externalReferences section:

# cat node-87.1.cxd.json| jq '.components[].externalReferences'
...
[
  {
    "url": "jsdom/webidl-conversions",
    "type": "distribution"
  }
]
[
  {
    "url": "jsdom/whatwg-url",
    "type": "distribution"
  }
]
[
  {
    "url": "git://github.com/isaacs/node-which.git",
    "type": "distribution"
  }
]
[
  {
    "url": "git://github.com/isaacs/node-which.git",
    "type": "distribution"
  }
]
...

Which results in invalid cyclonedx relative to the validator:

cyclonedx validate --input-file ./node-87.1.cxd.json  --input-version v1_4

Validating JSON BOM...
Validation failed: Value does not match format "iri-reference"
#/properties/components/items/$ref/properties/externalReferences/items/$ref/properties/url/format
BOM is not valid.

What you expected to happen:

URLs encoded should be compliant relative to where they were parsed, so for node cataloging https://github.com/jsdom/webidl-conversions/blob/master/package.json#L15 will result in a repository value of jsdom/webidl-conversions. For node, this should be interpreted as github.com/jsdom/webidl-conversions, for other package types these assumptions might not be valid or have different assumptions that can be made about the URL.

Ultimately the cyclonedx external reference encoder, `func encodeExternalReferences(p pkg.Package) *[]cyclonedx.ExternalReference`, will need to take this into consideration.

Environment:
Syft version v0.87.1

@wagoodman wagoodman added bug Something isn't working format:cyclonedx CycloneDX related enhancement or bug good-first-issue Good for newcomers labels Aug 30, 2023
@hainenber (Contributor)

hi, I'd like to work on this issue. Can you help assign it to me? Thanks!

@hainenber (Contributor)

@wagoodman so it turns out the extracted metadata comes from the embedded /usr/local/packages/npm/node_modules directory in the image and hence I don't see any way to extrapolate the module's repository URL.

IMO, we can try validating extracted metadata before encoding as external_references, which would make the validation go through. I've made a PR at #2091. Let me know if you have any concern with this approach. Thanks!
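The filtering approach proposed above, as an added illustration that is not Syft's code nor the code from #2091: a candidate repository string is only emitted as a CycloneDX external reference when it parses as an absolute URL with a scheme and a host, so bare "owner/repo" shorthands from package.json are dropped instead of producing a BOM that fails "iri-reference" validation. The `ExternalReference` type and `encodeExternalReferences` signature here are simplified stand-ins, not the cyclonedx-go or Syft ones.

```go
package main

import (
	"fmt"
	"net/url"
)

// ExternalReference mirrors the shape of the externalReferences entries in
// the issue's jq output (hypothetical local type, not cyclonedx-go's).
type ExternalReference struct {
	URL  string
	Type string
}

// validReferenceURL reports whether a candidate string parses as an absolute
// URL with both a scheme and a host. Relative shorthands such as
// "jsdom/webidl-conversions" fail this check; "git://..." passes.
func validReferenceURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return u.Scheme != "" && u.Host != ""
}

// encodeExternalReferences builds distribution references, keeping only the
// candidates that pass validReferenceURL. Values that cannot be resolved to a
// real URL from the embedded node_modules metadata are simply not emitted.
func encodeExternalReferences(candidates []string) []ExternalReference {
	var refs []ExternalReference
	for _, c := range candidates {
		if !validReferenceURL(c) {
			continue
		}
		refs = append(refs, ExternalReference{URL: c, Type: "distribution"})
	}
	return refs
}

func main() {
	// Constructed sample input: the repository values seen in the issue.
	refs := encodeExternalReferences([]string{
		"jsdom/webidl-conversions",
		"jsdom/whatwg-url",
		"git://github.com/isaacs/node-which.git",
	})
	for _, r := range refs {
		fmt.Printf("%s -> %s\n", r.Type, r.URL)
	}
}
```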
