
Not all the packages are getting imported in Blackduck scanner

Open Naranthiran opened this issue 9 months ago • 5 comments

scann_outpu.txt

What happened: I am trying to generate an SBOM for my RHEL 7 custom image, which is built using image builder, and I am executing the below command

#syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json

Please correct me if the command and its parameters provided are wrong.

What you expected to happen: While importing the SBOM generated using the above command, out of 650 components only 58 are imported.

Error: openssl1.1.1kpkg:generic/[email protected] |   | Component Not FoundUnable to map scanned component version to Black Duck project version because no mapping is present for the given external identifier

Steps to reproduce the issue:

1) Generated an RHEL 8 image using the image builder.
2) Download the image from the image builder and generate the SBOM:

   #syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json

3) Import the SBOM in the Blackduck scanner.

Anything else we need to know?: I have attached the scan logs.

Environment: x86_64

  • Output of syft version: syft 1.1.1
  • OS (e.g: cat /etc/os-release or similar): RHEL 8.8

Naranthiran avatar May 05 '24 06:05 Naranthiran

Hi @Naranthiran, thanks for the report. Can you attach a copy of sbom.050524.json to this issue? It looks like there are a bunch of errors related to symlinks in the scan output. It would be helpful if we could also see the contents of the tar file. Could we have access to the tar file itself? If not, a complete file listing from the tar archive would be a good start. Thanks!

tgerla avatar May 05 '24 12:05 tgerla

Hi Tim,

I have attached the SBOM. The tar file is a filesystem which was created using the image builder tool.

If you have subscribed, you can generate the tar file from the RedHat console.

I will not be able to upload it as the file size is huge.

sbom.050524.json

Regards Naranthiran Duraisamy

Naranthiran avatar May 06 '24 05:05 Naranthiran

Hi @Naranthiran, I checked out the SBOM and I see over 600 entries, about what I would expect. Running Grype against it reports a bunch of possible vulnerabilities. Can you explain in more detail the problem on the Syft side here? I am not familiar with Blackduck's scanning software and you might need to contact them for information about their tool. Thanks!

tgerla avatar May 06 '24 12:05 tgerla

Hi Tim,

Thanks for your response. While importing the SBOM in the Blackduck I found only 58 components out of 650. I wanted to check with you, if the way I create the SBOM with its parameters is correct or if I am missing something.

From the BlackDuck side, I understand that the package name and referenceLocator files were not matching.

Regards Naranthiran Duraisamy

Naranthiran avatar May 07 '24 11:05 Naranthiran

Hi Naranthiran, as far as I can tell, your method of calling Syft is fine, and I don't see anything out of the ordinary in the generated SBOM. It does look like Blackduck is expecting something different. It might be some sort of incompatibility between the tools but we would be happy to look. Would you be able to contact Blackduck and open a support ticket there? We would be happy to explore the problem. Thanks,

Tim

tgerla avatar May 07 '24 15:05 tgerla

Hi Tim,

Since the BlackDuck team does not have a separate to analyze the SBOM, I was not able to give you an update.

But I have one more query regarding the SBOM generated using the syft tool.

I am using the below command to generate the SBOM. I have also attached the SBOM for your reference.

#syft dir:/home/RHEL7WORK/ -o spdx-json=071724minimalos.spdx.json

We have not been able to get the supplier information in the generated SBOM. We are using an SBOM editor for reviewing the SBOM.

Can you check the SBOM and confirm what could be the issue with the supplier information, or whether it is available in the SBOM and just not visible in the SBOM editor? And are there any tools to check the supplier information?

071724minimalos.spdx.json

Regards Naranthiran Duraisamy

Naranthiran avatar Jul 17 '24 07:07 Naranthiran
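An added helper for the supplier question above; this is example code written for this page, not part of the thread and not Syft's or Black Duck's own tooling. It parses an SPDX JSON SBOM, lists packages whose `supplier` field is absent or set to `NOASSERTION`/`NONE`, and tallies the purl types found in `externalRefs` (the `referenceLocator` field that the earlier comments say Black Duck could not map). The embedded SPDX document is constructed for the example; to audit a real file, call `audit_spdx()` on its contents.

```python
import json
from collections import Counter

# Constructed minimal SPDX 2.3 document (not the attachment from this thread):
# one package with a supplier and an rpm purl, one with neither a real supplier
# nor an ecosystem-specific purl.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "1.1.1k", "supplier": "Organization: Example Vendor",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/example/openssl@1.1.1k?arch=x86_64"}]},
        {"SPDXID": "SPDXRef-Package-foo", "name": "foo",
         "versionInfo": "0.1", "supplier": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/foo@0.1"}]},
    ],
})


def audit_spdx(doc_text: str) -> dict:
    """Report packages lacking a usable supplier and count purl types per package."""
    doc = json.loads(doc_text)
    report = {"total": 0, "missing_supplier": [], "purl_types": Counter()}
    for pkg in doc.get("packages", []):
        report["total"] += 1
        # SPDX permits NOASSERTION/NONE here; treat both as "no supplier stated".
        if pkg.get("supplier", "") in ("", "NOASSERTION", "NONE"):
            report["missing_supplier"].append(f'{pkg.get("name")}@{pkg.get("versionInfo", "")}')
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                # purl type is the segment between "pkg:" and the first "/"
                purl_type = ref["referenceLocator"].split(":", 1)[1].split("/", 1)[0]
                report["purl_types"][purl_type] += 1
    return report


if __name__ == "__main__":
    r = audit_spdx(SAMPLE_SPDX)
    print(f'{r["total"]} packages, {len(r["missing_supplier"])} without supplier:')
    print("\n".join(r["missing_supplier"]))
    print("purl types:", dict(r["purl_types"]))
```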