guac
[ingestion/data-quality issue] CycloneDX Ingestion Failing
I am running the docker compose and I followed all the steps from https://docs.guac.sh/setup/ and am getting an error importing data:
charmalloc@Joes-MacBook-Pro guac % ./bin/guacone collect files ~/dev/elixir/course/live_view_studio/bom.xml
{"level":"info","ts":1692219911.340304,"caller":"cli/init.go:53","msg":"Using config file: /Users/charmalloc/dev/guac/guac.yaml"}
file:////Users/charmalloc/dev/elixir/course/live_view_studio/bom.xml
{"level":"info","ts":1692219911.341332,"caller":"cmd/files.go:198","msg":"collector ended gracefully"}
{"level":"fatal","ts":1692219911.3435972,"caller":"cmd/files.go:211","msg":"unable to process doc: invalid document format type: XML, format: XML, document: CycloneDX","stacktrace":"github.com/guacsec/guac/cmd/guacone/cmd.glob..func5\n\t/Users/charmalloc/dev/guac/cmd/guacone/cmd/files.go:211\ngithub.com/spf13/cobra.(*Command).execute\n\t/Users/charmalloc/go/pkg/mod/github.com/spf13/[email protected]/command.go:944\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/Users/charmalloc/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068\ngithub.com/spf13/cobra.(*Command).Execute\n\t/Users/charmalloc/go/pkg/mod/github.com/spf13/[email protected]/command.go:992\ngithub.com/guacsec/guac/cmd/guacone/cmd.Execute\n\t/Users/charmalloc/dev/guac/cmd/guacone/cmd/root.go:56\nmain.main\n\t/Users/charmalloc/dev/guac/cmd/guacone/main.go:23\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:267"}
Here is the sbom https://gist.github.com/joestein/6d560be1171ad33e9e07b89eddb38669
This is an Elixir SBOM using the CycloneDX format to ingest https://hexdocs.pm/sbom/readme.html
Thanks for finding the bug. We should have a fix shortly.
I have a PR that fixes the main issue but it will still fail due to: #976. There is an issue with SBOMs generally where as a bare minimum they don't require a lot of info, so in the case of your SBOM there's no information in the metadata to tell us what the SBOM refers to so we can't actually do anything with it. Technically it's a valid SBOM, but it's an SBOM that we can't infer what it's an SBOM for.
Looking through the parameters to mix sbom.cyclonedx I don't see an option to include the top level component.
{"level":"fatal","ts":1692227764.851379,"caller":"cmd/files.go:211","msg":"unable to ingest doc tree: guac currently does not support CycloneDX component field in metadata or the BOM ref being nil. See issue #976 for more details","stacktrace":"github.com/guacsec/guac/cmd/guacone/cmd.glob..func5\n\t/Users/mlieberman/Projects/guac/cmd/guacone/cmd/files.go:211\ngithub.com/spf13/cobra.(*Command).execute\n\t/Users/mlieberman/go/pkg/mod/github.com/spf13/[email protected]/command.go:944\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/Users/mlieberman/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068\ngithub.com/spf13/cobra.(*Command).Execute\n\t/Users/mlieberman/go/pkg/mod/github.com/spf13/[email protected]/command.go:992\ngithub.com/guacsec/guac/cmd/guacone/cmd.Execute\n\t/Users/mlieberman/Projects/guac/cmd/guacone/cmd/root.go:56\nmain.main\n\t/Users/mlieberman/Projects/guac/cmd/guacone/main.go:23\nruntime.main\n\t/nix/store/kiqbin2zi2d2m41papc3s12q04agsic0-go-1.19.11/share/go/src/runtime/proc.go:250"}
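A pre-ingestion check for the condition discussed in this thread, as an added example that is not GUAC's code and not part of the original comments: it reports whether a CycloneDX XML BOM names a top-level component with a `bom-ref` under `metadata`. The type and function names and both sample documents are constructed for illustration, and treating a missing `metadata` component or an empty `bom-ref` as the two failure cases is an assumption based on the error message quoted above.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Only the parts of a CycloneDX XML BOM that this check needs (hypothetical type).
type bom struct {
	XMLName xml.Name `xml:"bom"`
	Subject *struct {
		BOMRef  string `xml:"bom-ref,attr"`
		Name    string `xml:"name"`
		Version string `xml:"version"`
	} `xml:"metadata>component"`
}

var ErrNoSubject = errors.New("no metadata component: BOM does not say what it describes")
var ErrNoBOMRef = errors.New("metadata component has no bom-ref")

// checkSubject returns "name@version" of the top-level component, or why there is none.
func checkSubject(doc string) (string, error) {
	var b bom
	if err := xml.Unmarshal([]byte(doc), &b); err != nil {
		return "", fmt.Errorf("not a CycloneDX XML BOM: %w", err)
	}
	if b.Subject == nil {
		return "", ErrNoSubject
	}
	if b.Subject.BOMRef == "" {
		return "", ErrNoBOMRef
	}
	return b.Subject.Name + "@" + b.Subject.Version, nil
}

// Constructed samples, not the SBOM attached to the issue.
const bareBOM = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components><component type="library"><name>phoenix</name><version>1.7.0</version></component></components>
</bom>`
const subjectBOM = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><component type="application" bom-ref="pkg:hex/example_app@0.1.0">
    <name>example_app</name><version>0.1.0</version></component></metadata>
</bom>`

func main() {
	fmt.Println(checkSubject(bareBOM))
	fmt.Println(checkSubject(subjectBOM))
}
```

Running a check like this in the pipeline that generates SBOMs catches a schema-valid document that cannot be tied to a subject before it reaches the ingestor.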