osv-scanner
Better error output for malformed inputs.
I've created a CycloneDX SBOM JSON file using syft in the file system detection mode.
I then passed it to osv-scanner 1.0.1 and got the following error message:
```
# osv-scanner --sbom sbom.cyclonedx.json
Scanned CycloneDX SBOM
scan failed server response error: {"code":3,"message":"Invalid Package URL."}
```
Can you please make this error more detailed so it's clearer which Package URL is invalid?
(I think I know what the reason is; syft created 59 sections looking like this:
```json
"externalReferences": [
  {
    "url": "",
    "hashes": [
      {
        "alg": "SHA-1",
        "content": "SOMESHA1"
      }
    ],
    "type": "build-meta"
  }
],
```
and one like this:
```json
"bom-ref": "77d4884a4c0c2f96",
"type": "library",
"name": "",
"cpe": "cpe:2.3:a:python-:python-:*:*:*:*:*:*:*:*",
"purl": "pkg:pypi/",
"properties": [
...
```
when I deleted these, osv-scanner didn't report this error any longer.) (I'll file a bug report for syft next.)
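The diagnostic the issue asks for, written here as an added example rather than osv-scanner's or syft's own code: a small Python pre-check that walks the `components` array of a CycloneDX JSON SBOM and reports every structurally malformed `purl` together with its `bom-ref`, so an entry like the empty `pkg:pypi/` above can be located before the SBOM is sent to the OSV API. The embedded sample SBOM is constructed for the example; the validation applies only the structural rules of the Package URL spec (a `pkg:` scheme, a non-empty type, a non-empty name) and is an approximation, not a reproduction of the server's exact check.

```python
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

# Allowed characters for the purl "type" segment (e.g. pypi, npm, golang).
PURL_TYPE_RE = re.compile(r"^[a-zA-Z0-9.+-]+$")


def purl_problem(purl: object) -> Optional[str]:
    """Return a human-readable reason the purl is malformed, or None if it
    passes the structural checks (scheme, type, name). It does not verify
    that the type is a registered purl type or that the package exists."""
    if not isinstance(purl, str) or not purl:
        return "purl is empty"
    if not purl.startswith("pkg:"):
        return "missing 'pkg:' scheme"
    rest = purl[len("pkg:"):].lstrip("/")
    # Strip subpath and qualifiers first, as the spec's parsing order requires.
    rest = rest.split("#", 1)[0]
    rest = rest.split("?", 1)[0]
    # A version is introduced by the last '@', but only when it follows the
    # last '/'; an '@' earlier in the path belongs to a scoped namespace.
    last_slash = rest.rfind("/")
    last_at = rest.rfind("@")
    if last_at > last_slash:
        rest = rest[:last_at]
    type_, _, path = rest.partition("/")
    if not type_:
        return "missing package type"
    if not PURL_TYPE_RE.match(type_):
        return f"invalid characters in package type {type_!r}"
    # Whatever remains is namespace/name; the name is the last non-empty segment.
    segments = [s for s in path.split("/") if s]
    if not segments:
        return "missing package name"
    return None


def find_invalid_purls(sbom: Dict) -> List[Tuple[str, str, str]]:
    """Return (bom-ref, purl, reason) for every component whose purl is
    malformed. Components without a purl are skipped, not flagged."""
    findings = []
    for index, component in enumerate(sbom.get("components", [])):
        if "purl" not in component:
            continue
        reason = purl_problem(component["purl"])
        if reason:
            ref = component.get("bom-ref") or f"components[{index}]"
            findings.append((ref, str(component["purl"]), reason))
    return findings


# Constructed sample SBOM: one valid entry, the empty purl from the issue,
# one entry missing the scheme, one scoped npm package, one component
# without a purl at all.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "a1", "type": "library", "name": "requests",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"bom-ref": "77d4884a4c0c2f96", "type": "library", "name": "",
         "purl": "pkg:pypi/"},
        {"bom-ref": "b2", "type": "library", "name": "lodash",
         "purl": "npm/lodash@4.17.21"},
        {"bom-ref": "c3", "type": "library", "name": "core",
         "purl": "pkg:npm/@angular/core@15.0.0"},
        {"bom-ref": "d4", "type": "file", "name": "README.md"},
    ],
}


def report(sbom: Dict) -> int:
    """Print one line per bad purl; return the number found (usable as exit code)."""
    findings = find_invalid_purls(sbom)
    for ref, purl, reason in findings:
        print(f"bom-ref {ref}: purl {purl!r}: {reason}")
    return len(findings)


if __name__ == "__main__":
    # Usage: python purl_check.py sbom.cyclonedx.json  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    sys.exit(1 if report(doc) else 0)
```

Run against the sample, the check names the `77d4884a4c0c2f96` component with "missing package name", which is exactly the information the server's generic "Invalid Package URL." response withholds; run against a real file, a non-zero exit lets a CI step stop before the scan request is made.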
This issue has not had any activity for 60 days and will be automatically closed in two weeks
Anyone working on this?
This issue has not had any activity for 60 days and will be automatically closed in two weeks
See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
Thank you, @another-rex !