Grype not reporting vulns on SPDX SBOMs about grype HOT 8 OPEN

I haven't been able to reproduce this in a general case:

❯ syft -o spdx-json solr:latest > /tmp/solr.latest.spdx.json
...
❯ grype -q solr:latest | wc -l
      96

❯ grype -q /tmp/solr.latest.spdx.json| wc -l
      96

(I just picked Solr as a random public image that has a fair number of JARs in it.)

I think the org.json is the group ID of the Java package, but I'm not sure why it would be in the way here. I'll try to investigate some more later this week.

from grype.

This sounds like a good generic add to grype specifically. Where the details are:

• if the package type is Java (TBD on if that info is available from the tooling that generated the SBOM example from this issue)
• and the Name is exactly two fields delimited by :
• Then pack in this information into the java metadata ArtifactID and GroupID to allow for matching to behave effectively

Developer note: this should be done fairly early in processing (during the package provider processing) such that CPE generation will take these values into consideration.

from grype.

Hi @nishakm, I ran Syft on both of these SBOMs for a quick test to see what was going on:

tgerla@Timothys-MacBook-Pro-2 syft-2525 % syft package_json.spdx.json
 ✔ Indexed file system
 ✔ Cataloged contents
   └── ✔ Packages                        [1 packages]
NAME           VERSION   TYPE
org.json:json  20220924
tgerla@Timothys-MacBook-Pro-2 syft-2525 % syft component_json.cdx.json
 ✔ Indexed file system
 ✔ Cataloged contents
   └── ✔ Packages                        [1 packages]
NAME  VERSION   TYPE
json  20220924  java-archive

It looks like the SPDX version has the package name as org.json:json but the CycloneDX document is just json, which is what Grype is matching.

My apologies but I'm not too familiar with the ecosystems here. Do you know how the org.json: part gets added to the package name? If that is standard syntax it might be the case that we need to parse it out, but I will have to check with the rest of the team to be sure.

from grype.

@tgerla The org.json is the groupID which for CycloneDX is a separate property. One thing to note is that the SBOMs were not generated by Syft but by the SPDX and CycloneDX maven plugins. So I am guessing the issue may be with the way Grype converts the SPDX information into Syft's internal data model. I haven't been able to find the relevant code though.

from grype.

@willmurphyscode For SPDX, I used the maven plugin which can either print out the project name or groupID:artifactID as the SPDX name. SPDX doesn't have a group property like CycloneDX.

from grype.

cc: @goneall @kzantow You may be interested in the CycloneDX group to SPDX name compatibility.

from grype.

Potentially related: #1701

from grype.

Moved this to ready based on the implementation details suggested by @wagoodman

from grype.