Comments (8)
I haven't been able to reproduce this in a general case:
❯ syft -o spdx-json solr:latest > /tmp/solr.latest.spdx.json
...
❯ grype -q solr:latest | wc -l
96
❯ grype -q /tmp/solr.latest.spdx.json | wc -l
96
(I just picked Solr as a random public image that has a fair number of JARs in it.)
I think the org.json is the group ID of the Java package, but I'm not sure why it would be in the way here. I'll try to investigate some more later this week.
This sounds like a good generic add to grype specifically. Where the details are:
- if the package type is Java (TBD on if that info is available from the tooling that generated the SBOM example from this issue)
- and the Name is exactly two fields delimited by ":"
- Then pack in this information into the java metadata ArtifactID and GroupID to allow for matching to behave effectively
Developer note: this should be done fairly early in processing (during the package provider processing) such that CPE generation will take these values into consideration.
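The rule sketched in the comment above (gate on a Java package type, require a name of exactly two ":"-delimited fields, then populate GroupID and ArtifactID) as an added, stand-alone Go example. This is not grype's or syft's code: the Package and JavaMetadata structs, the set of type strings treated as Java, the choice to also rewrite Name to the bare artifact ID so name-based matching sees what the CycloneDX document carried, and the SPDX-shaped JSON sample are all assumptions made here for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// JavaMetadata is an illustrative stand-in for the GroupID/ArtifactID fields
// the thread refers to; it is not syft's type.
type JavaMetadata struct {
	GroupID    string
	ArtifactID string
}

// Package is a minimal decoded package record (assumed shape, not grype's).
type Package struct {
	Name    string
	Version string
	Type    string // e.g. "java-archive"; assumed to be known for the SBOM
	Java    *JavaMetadata
}

// isJavaType decides the "package type is Java" gate. The list of type
// strings is an assumption for this example.
func isJavaType(t string) bool {
	switch t {
	case "java-archive", "java":
		return true
	}
	return false
}

// SplitJavaName applies the rule from the thread: only for Java packages, and
// only when Name is exactly two non-empty fields delimited by ':', treat the
// fields as groupID and artifactID. Names like "json", ":json" or "a:b:c" are
// left untouched (ok == false).
func SplitJavaName(pkgType, name string) (groupID, artifactID string, ok bool) {
	if !isJavaType(pkgType) {
		return "", "", false
	}
	parts := strings.Split(name, ":")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// EnrichJavaMetadata fills GroupID/ArtifactID where the name carries them and
// rewrites Name to the bare artifact ID. Rewriting Name is a design choice of
// this example so that a name-based matcher sees "json" for the SPDX input,
// exactly as it did for the CycloneDX input in the thread.
func EnrichJavaMetadata(pkgs []Package) []Package {
	out := make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		if g, a, ok := SplitJavaName(p.Type, p.Name); ok {
			p.Java = &JavaMetadata{GroupID: g, ArtifactID: a}
			p.Name = a
		}
		out = append(out, p)
	}
	return out
}

// spdxSample is a constructed fragment in the shape of an SPDX 2.x JSON
// "packages" array (fields "name" and "versionInfo"), modelled on the names
// shown in the thread plus two non-matching shapes.
const spdxSample = `{"packages":[
 {"name":"org.json:json","versionInfo":"20220924"},
 {"name":"json","versionInfo":"20220924"},
 {"name":"a:b:c","versionInfo":"1"}
]}`

// LoadSPDXPackages decodes the packages array and tags every entry with the
// caller-supplied type, standing in for whatever type inference the real
// SBOM decoder performs.
func LoadSPDXPackages(doc, pkgType string) ([]Package, error) {
	var raw struct {
		Packages []struct {
			Name        string `json:"name"`
			VersionInfo string `json:"versionInfo"`
		} `json:"packages"`
	}
	if err := json.Unmarshal([]byte(doc), &raw); err != nil {
		return nil, err
	}
	pkgs := make([]Package, 0, len(raw.Packages))
	for _, rp := range raw.Packages {
		pkgs = append(pkgs, Package{Name: rp.Name, Version: rp.VersionInfo, Type: pkgType})
	}
	return pkgs, nil
}

func main() {
	pkgs, err := LoadSPDXPackages(spdxSample, "java-archive")
	if err != nil {
		panic(err)
	}
	for _, p := range EnrichJavaMetadata(pkgs) {
		if p.Java != nil {
			fmt.Printf("%-8s %-10s group=%s artifact=%s\n", p.Name, p.Version, p.Java.GroupID, p.Java.ArtifactID)
		} else {
			fmt.Printf("%-8s %-10s (no group/artifact split)\n", p.Name, p.Version)
		}
	}
}
```

Running it shows only "org.json:json" being split; "json" has no delimiter and "a:b:c" has too many fields, so both pass through unchanged, which is the conservative behaviour the two-field rule is meant to give.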
Hi @nishakm, I ran Syft on both of these SBOMs for a quick test to see what was going on:
tgerla@Timothys-MacBook-Pro-2 syft-2525 % syft package_json.spdx.json
 ✔ Indexed file system
 ✔ Cataloged contents
   └── ✔ Packages [1 packages]
NAME           VERSION   TYPE
org.json:json  20220924
tgerla@Timothys-MacBook-Pro-2 syft-2525 % syft component_json.cdx.json
 ✔ Indexed file system
 ✔ Cataloged contents
   └── ✔ Packages [1 packages]
NAME  VERSION   TYPE
json  20220924  java-archive
It looks like the SPDX version has the package name as org.json:json but the CycloneDX document is just json, which is what Grype is matching.
My apologies but I'm not too familiar with the ecosystems here. Do you know how the org.json: part gets added to the package name? If that is standard syntax it might be the case that we need to parse it out, but I will have to check with the rest of the team to be sure.
@tgerla The org.json is the groupID which for CycloneDX is a separate property. One thing to note is that the SBOMs were not generated by Syft but by the SPDX and CycloneDX maven plugins. So I am guessing the issue may be with the way Grype converts the SPDX information into Syft's internal data model. I haven't been able to find the relevant code though.
@willmurphyscode For SPDX, I used the maven plugin which can either print out the project name or groupID:artifactID as the SPDX name. SPDX doesn't have a group property like CycloneDX.
cc: @goneall @kzantow You may be interested in the CycloneDX group to SPDX name compatibility.
Potentially related: #1701
Moved this to ready based on the implementation details suggested by @wagoodman