syft
Syft not created "dependencies" in cyclonedx report
What happened: Syft did not create "dependencies" in the cyclonedx report for Go, Rust, Java, etc. Cargo.lock had "dependencies". It looks like:
[[package]]
name = "yaserde"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4bf52af554a50b866aaad63d7eabd6fca298db3dfe49afd50b7ba5a33dfa0582"
dependencies = [
"log",
"xml-rs",
"yaserde_derive",
]
But the syft output doesn't reflect this.
What you expected to happen: Want a full cyclonedx report with "dependencies" and "dependsOn" included.
Steps to reproduce the issue: syft -o [email protected] Cargo.lock > report.json
Anything else we need to know?:
Environment: Syft 0.94
Hi @Dungeon1, thanks for the report. I can confirm that the dependencies show up in the syft-json format output, but not the cyclonedx-json or cyclonedx-xml output. I will confirm with the team whether this is expected behavior or not and get back to you when we are able to look. Thanks again.
I'm trying to understand the details. To be clear, this cargo.lock is not sufficient to show all dependencies in the SBOM:
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
But this would:
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
Assuming that you have a cargo.lock file that looks like the last example, I think you're really asking why there are not relationships between all of the nodes in your SBOM to show how the nodes are related. If that's true, you're right, we haven't done that work yet. We have another issue to add these for all ecosystems: https://github.com/anchore/syft/issues/572. The nice thing about the rust cataloger is that, for this specific ecosystem, this looks to be low-hanging fruit (ready to be implemented around here, correlating the .metadata.dependencies discovered with the names of the packages created).
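The correlation described in the comment above (matching each package's `dependencies` entries against the names of the packages the lock file declares), worked through as an added example; this is not syft's code and not part of the thread. It parses the `[[package]]` tables of a Cargo.lock with a small purpose-built reader, emits CycloneDX-style `dependencies` entries with `ref` and `dependsOn`, and reports any dependency that has no `[[package]]` entry of its own, which is exactly why the first lock-file excerpt is insufficient and the second is not. The use of a package URL as the `bom-ref` is an assumption for illustration (syft's own bom-ref scheme may differ), and the two sample lock files are constructed from the excerpts in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lock files modelled on the excerpts in this thread.
LOCK_INCOMPLETE = """\
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
]
"""

LOCK_COMPLETE = LOCK_INCOMPLETE + """
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')   # key = "value"
_DEP = re.compile(r'^"([^"]*)",?\s*$')              # "name" or "name version" list item


def parse_cargo_lock(text: str) -> List[dict]:
    """Read the [[package]] tables of a Cargo.lock (name, version, source,
    checksum, dependencies); other TOML constructs are skipped."""
    packages: List[dict] = []
    current: Optional[dict] = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:
            continue  # preamble such as `version = 3` before the first package
        if in_deps:
            if line == "]":
                in_deps = False
            elif (m := _DEP.match(line)):
                current["dependencies"].append(m.group(1))
            continue
        if line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # `dependencies = []` opens no block
            continue
        if (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return packages


def bom_ref(pkg: dict) -> str:
    """Assumption: a purl is used as the CycloneDX bom-ref for each component."""
    return f"pkg:cargo/{pkg['name']}@{pkg['version']}"


def resolve(dep: str, by_name: Dict[str, List[dict]]) -> Optional[dict]:
    """Map a dependency entry ("log" or "log 0.4.20") to exactly one package."""
    parts = dep.split()
    candidates = by_name.get(parts[0], [])
    if len(parts) > 1:  # older lock format pins the version when names collide
        candidates = [p for p in candidates if p.get("version") == parts[1]]
    return candidates[0] if len(candidates) == 1 else None


def build_dependencies(packages: List[dict]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (CycloneDX `dependencies` entries, unresolved edges).

    An unresolved edge is a dependency named in the lock file that has no
    [[package]] entry, so there is no component for `dependsOn` to point at."""
    by_name: Dict[str, List[dict]] = {}
    for p in packages:
        by_name.setdefault(p["name"], []).append(p)
    entries, unresolved = [], []
    for p in packages:
        depends_on = []
        for dep in p["dependencies"]:
            target = resolve(dep, by_name)
            if target is None:
                unresolved.append((bom_ref(p), dep))
            else:
                depends_on.append(bom_ref(target))
        entries.append({"ref": bom_ref(p), "dependsOn": sorted(depends_on)})
    return entries, unresolved


if __name__ == "__main__":
    import json
    deps, missing = build_dependencies(parse_cargo_lock(LOCK_COMPLETE))
    print(json.dumps({"dependencies": deps}, indent=2))   # complete graph, no gaps
    _, missing = build_dependencies(parse_cargo_lock(LOCK_INCOMPLETE))
    print("unresolved:", missing)                          # two dangling edges
```

Running it on the complete sample yields one `dependsOn` entry for `winapi` pointing at both `-gnu` crates; on the truncated sample the same two edges come back as unresolved, which is the signal an SBOM consumer would want before trusting a report that has a `components` list but no `dependencies` section.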
@wagoodman I ran on Cargo.lock like your example.
Cargo.lock had dependencies, but syft is not building dependencies with dependsOn.
I was also able to reproduce this. It looks like syft is detecting the dependencies (because they show up in -o json), but isn't writing them down in cyclonedx-json. Moving to the backlog, thanks for the report!