
Grype doesn't match u-boot in SBOM if type is set to firmware

Open SebastianKonplan opened this issue 9 months ago • 3 comments

What happened: If an SBOM is passed with the component u-boot, there is no match if the component type is set to firmware. If I change the type to application, then the component is matched as expected.

What you expected to happen: Match independent from the type.

How to reproduce it (as minimally and precisely as possible): grype sbom:u-boot.json

Environment:

  • Output of grype version:

        Application:         grype
        Version:             0.89.1
        BuildDate:           2025-03-13T20:22:27Z
        GitCommit:           718ea3060267edcae7b10a9bf16c0acdad10820a
        GitDescription:      v0.89.1
        Platform:            linux/amd64
        GoVersion:           go1.24.1
        Compiler:            gc
        Syft Version:        v1.20.0
        Supported DB Schema: 6

  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS

SebastianKonplan, Mar 18 '25 08:03

Hey @SebastianKonplan, you are right, we currently are not importing firmware component types, e.g.

    {
      "bom-ref": "BomRef.7796056807905384.7566279929523666",
      ...
      "type": "firmware",
    }

You can see the decoding function here. We could probably make this more lenient to include firmware, I've added this to our weekly livestream to discuss.

kzantow, Mar 31 '25 15:03

It looks like we should just need to add firmware, this is ready for anyone to work on; see the link above for the section of code that needs a change and please add a test if someone is able to get to this before us.

kzantow, Apr 10 '25 19:04
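The two maintainer comments above describe the cause (the CycloneDX decoder only keeps component types it has been taught about, and "firmware" is not among them) and the fix (add "firmware" to that set). The following Go program is an added illustration written for this page; it is not grype's or syft's decoder, and the strict type list, the CycloneDX sample (with made-up u-boot and openssl versions and purls), and the function names are all assumptions. It shows the reported behaviour end to end: with a strict type set the u-boot component is silently dropped before any matching can happen, and with the lenient set it survives.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cdxComponent is a minimal view of a CycloneDX 1.x JSON component, limited
// to the fields this example inspects. Illustrative type, not grype's model.
type cdxComponent struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// cdxBOM is the top-level document; only bomFormat and components are needed.
type cdxBOM struct {
	BOMFormat  string         `json:"bomFormat"`
	Components []cdxComponent `json:"components"`
}

// strictTypes models a decoder that keeps only component types it explicitly
// knows about. "firmware" is absent, reproducing the behaviour in the issue.
// This set is an assumption for the example, not grype's actual list.
var strictTypes = map[string]bool{
	"application":      true,
	"library":          true,
	"framework":        true,
	"operating-system": true,
	"container":        true,
	"file":             true,
}

// lenientTypes returns a copy of strictTypes with "firmware" (a valid
// CycloneDX component type) added, i.e. the one-line fix the maintainers
// describe.
func lenientTypes() map[string]bool {
	m := make(map[string]bool, len(strictTypes)+1)
	for k, v := range strictTypes {
		m[k] = v
	}
	m["firmware"] = true
	return m
}

// decodeComponents parses a CycloneDX JSON document and splits its components
// into those that pass the type filter (and would reach vulnerability
// matching) and those that are dropped at decode time. Order is preserved.
func decodeComponents(doc []byte, accepted map[string]bool) (kept, dropped []string, err error) {
	var bom cdxBOM
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, nil, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BOMFormat)
	}
	for _, c := range bom.Components {
		if accepted[c.Type] {
			kept = append(kept, c.Name)
		} else {
			dropped = append(dropped, c.Name)
		}
	}
	return kept, dropped, nil
}

// sampleSBOM is a constructed document in the shape of the report: u-boot
// typed as firmware beside an ordinary library. Versions and purls are made up.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "bom-ref": "pkg:generic/u-boot@2024.01",
      "type": "firmware",
      "name": "u-boot",
      "version": "2024.01",
      "purl": "pkg:generic/u-boot@2024.01"
    },
    {
      "bom-ref": "pkg:generic/openssl@3.0.13",
      "type": "library",
      "name": "openssl",
      "version": "3.0.13",
      "purl": "pkg:generic/openssl@3.0.13"
    }
  ]
}`

func main() {
	for label, types := range map[string]map[string]bool{"strict": strictTypes, "lenient": lenientTypes()} {
		kept, dropped, err := decodeComponents([]byte(sampleSBOM), types)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-7s kept=%v dropped=%v\n", label, kept, dropped)
	}
}
```

A useful check while the fix lands is to diff the component count of the input SBOM against the package count grype reports: any component whose type is not in the decoder's set never reaches the matcher, so a silently shrinking count is the symptom to look for rather than an error message.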