
False Validation of Syft/Grype SBOM

Open pkiesslingsonatype opened this issue 2 years ago • 5 comments

I created an SBOM using Syft/Grype and it should have created a valid CycloneDX 1.4 SBOM. The SBOM did not adhere to the CycloneDX 1.4 schema, however the CycloneDX CLI validated it successfully regardless.

To reproduce:

https://github.com/anchore/syft
https://github.com/anchore/grype

syft nodered/node-red -o cyclonedx-xml --file bom.xml
grype sbom:bom.xml -o cyclonedx --file grype-bom.xml
cyclonedx validate --input-file grype-bom.xml

Result: Validated successfully
Expected result: Not valid

pkiesslingsonatype avatar Sep 12 '23 07:09 pkiesslingsonatype

@pkiesslingsonatype Can you please specify how it violates the schema? Maybe I missed the obvious... but it is a bit hard with a 19k lines document. (By now it produced a version 1.5 schema, but I'm not sure whether this matters.) As a side note, all that the cli does at the moment is to validate the xml schema.

andreas-hilti avatar Oct 12 '23 23:10 andreas-hilti

Related local issue here: https://github.com/CycloneDX/cyclonedx-cli/issues/344
Related syft issue where we did the investigation: https://github.com/anchore/syft/issues/2268

For the images supplied we found that the schema should be updated with the latest SPDX license list.

spiffcs avatar Oct 30 '23 23:10 spiffcs

@andreas-hilti It seems the URLs within the SBOM do not comply with the schema:

xmllint --noout --schema ~/Downloads/bom-1.4.xsd grype-bom.xml
grype-bom.xml:3612: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:colorjs/color-name.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:5946: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:follow-redirects/follow-redirects.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:8857: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:jprichardson/node-jsonfile.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml:14669: element url: Schemas validity error : Element '{http://cyclonedx.org/schema/bom/1.4}url': 'git@github.com:lupomontero/psl.git' is not a valid value of the atomic type 'xs:anyURI'.
grype-bom.xml fails to validate

I have attached the SBOM that is causing the issue. Hopefully that helps. grype-bom.xml.zip

pkiesslingsonatype avatar Oct 31 '23 10:10 pkiesslingsonatype
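As an added example (not part of this issue thread or of the cyclonedx-cli, syft or grype code), the Python check below reproduces the part of the xs:anyURI rule that the xmllint run above tripped on, scanning every `url` element of a CycloneDX 1.4 XML BOM for scp-style git remotes and rewriting them to an `ssh://` URI; the BOM fragment is constructed, and the rewrite is an assumed remediation, not grype's actual fix.

```python
import re
import xml.etree.ElementTree as ET

# CycloneDX 1.4 namespace, as shown in the xmllint errors above.
NS = "{http://cyclonedx.org/schema/bom/1.4}"
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# scp-like git remote such as git@github.com:owner/repo.git (not a URI)
SCP_LIKE_RE = re.compile(r"^(?P<user>[^@/:\s]+)@(?P<host>[^:/\s]+):(?P<path>\S.*)$")


def is_valid_any_uri(value: str) -> bool:
    """Approximate the xs:anyURI check libxml2 applies: if a ':' occurs before
    any '/', '?' or '#', the text in front of it must be a syntactically valid
    scheme; otherwise the value is treated as a relative reference."""
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" in head:
        return bool(SCHEME_RE.match(head.split(":", 1)[0]))
    return True


def find_invalid_urls(bom_xml: str) -> list:
    """Return every <url> value in a CycloneDX 1.4 XML BOM that fails the check."""
    root = ET.fromstring(bom_xml)
    return [el.text or "" for el in root.iter(NS + "url")
            if not is_valid_any_uri(el.text or "")]


def scp_to_uri(value: str) -> str:
    """Rewrite an scp-like remote into the equivalent ssh:// URI (assumed fix);
    anything else is returned unchanged."""
    m = SCP_LIKE_RE.match(value)
    if not m:
        return value
    return f"ssh://{m['user']}@{m['host']}/{m['path']}"


# Constructed minimal BOM with one non-compliant and one compliant url.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>color-name</name><version>1.1.4</version>
      <externalReferences>
        <reference type="vcs"><url>git@github.com:colorjs/color-name.git</url></reference>
        <reference type="website"><url>https://github.com/colorjs/color-name</url></reference>
      </externalReferences>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    for bad in find_invalid_urls(SAMPLE_BOM):
        print(f"invalid anyURI: {bad!r} -> {scp_to_uri(bad)}")
```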

Oh! Thanks for the extra info @pkiesslingsonatype - I can probably get a fix in grype that updates those URLs to be correct

spiffcs avatar Oct 31 '23 14:10 spiffcs

@pkiesslingsonatype When I produced the SBOM myself, it contained none of these "git@github.com" urls.

andreas-hilti avatar Nov 01 '23 20:11 andreas-hilti