
BUG - Root Package Parsing Failure

Open jheck88 opened this issue 3 years ago • 1 comments

AddRootPackage doesn't handle simple purls. I.e. pkg:pypi/[email protected]. This causes a failure at parsing, and doesn't seem to handle all variations from the PURL_SPEC.

This method should handle the different variations for the purl so that a root package can be captured and a bom can be successfully parsed.

https://github.com/guacsec/guac/blob/main/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go#L95

Stacktrace:

$ bin/guacone files --creds neo4j:s3cr3t ~/boms/
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0xd5d921]

goroutine 1 [running]:
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).addRootPackage(0xc0001a2000, 0xc0000c0be0)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:97 +0x41
github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx.(*cyclonedxParser).Parse(0xc0001a2000, {0xc0000c0aa0?, 0x101f0ee?}, 0x9?)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go:78 +0x7f
github.com/guacsec/guac/pkg/ingestor/parser.parseHelper({0x11a4f88, 0xc000491ef0}, 0xc00068e960)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/ingestor/parser/parser.go:109 +0x83
github.com/guacsec/guac/pkg/ingestor/parser.(*docTreeBuilder).parse(0xc00063f838, {0x11a4f88, 0xc000491ef0}, 0xc0006d4580)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/ingestor/parser/parser.go:81 +0x49
github.com/guacsec/guac/pkg/ingestor/parser.ParseDocumentTree({0x11a4f88, 0xc000491ef0}, 0xc00068e960?)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/ingestor/parser/parser.go:68 +0x88
github.com/guacsec/guac/cmd/guacone/cmd.getIngestor.func1(0x203000?)
        /home/jheck/go/src/github.com/guacsec/guac/cmd/guacone/cmd/files.go:164 +0x27
github.com/guacsec/guac/cmd/guacone/cmd.glob..func1.1(0xc00068e960)
        /home/jheck/go/src/github.com/guacsec/guac/cmd/guacone/cmd/files.go:108 +0x14f
github.com/guacsec/guac/pkg/handler/collector.Collect({0x11a4f88?, 0xc000491ef0}, 0xc00063fc58, 0xc00063fbe8)
        /home/jheck/go/src/github.com/guacsec/guac/pkg/handler/collector/collector.go:84 +0x2d1
github.com/guacsec/guac/cmd/guacone/cmd.glob..func1(0x18c69c0?, {0xc000491e90, 0x1, 0x3})
        /home/jheck/go/src/github.com/guacsec/guac/cmd/guacone/cmd/files.go:132 +0x595
github.com/spf13/cobra.(*Command).execute(0x18c69c0, {0xc000491e00, 0x3, 0x3})
        /home/jheck/go/pkg/mod/github.com/spf13/[email protected]/command.go:920 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0x18c6ca0)
        /home/jheck/go/pkg/mod/github.com/spf13/[email protected]/command.go:1040 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
        /home/jheck/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
github.com/guacsec/guac/cmd/guacone/cmd.Execute()
        /home/jheck/go/src/github.com/guacsec/guac/cmd/guacone/cmd/root.go:35 +0x25
main.main()
        /home/jheck/go/src/github.com/guacsec/guac/cmd/guacone/main.go:23 +0x17

jheck88 avatar Oct 24 '22 14:10 jheck88
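The panic above comes from a root-package parser that assumes every purl carries the same components. As an added example (not guac's code, and not the fix that was later merged), here is a defensive purl splitter in Go that accepts the bare pkg:type/name@version form from the report as well as the full spec shape and returns an error instead of a nil result; the names ParsePurl and Purl are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Purl holds the parts of pkg:type/namespace/name@version?qualifiers#subpath.
// Only type and name are mandatory; every other part may be absent.
type Purl struct {
	Type, Namespace, Name, Version, Subpath string
	Qualifiers                              map[string]string
}

// ParsePurl (hypothetical name, not guac's API) accepts the bare pkg:type/name@version
// form from the report as well as the full spec; malformed input yields an error, never nil.
func ParsePurl(s string) (*Purl, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return nil, fmt.Errorf("purl %q must start with pkg:", s)
	}
	rest := strings.TrimLeft(strings.TrimPrefix(s, "pkg:"), "/")
	p := &Purl{Qualifiers: map[string]string{}}
	// Peel subpath and qualifiers off the right first so '/' or '@' inside them is not a separator.
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath, rest = rest[i+1:], rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
				p.Qualifiers[strings.ToLower(k)] = v
			}
		}
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version, rest = rest[i+1:], rest[:i]
	}
	parts := strings.Split(rest, "/") // type/[namespace/...]/name
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return nil, fmt.Errorf("purl %q lacks a type or name", s)
	}
	p.Type, p.Name = strings.ToLower(parts[0]), parts[len(parts)-1]
	p.Namespace = strings.Join(parts[1:len(parts)-1], "/")
	return p, nil
}

func main() {
	p, err := ParsePurl("pkg:pypi/django@4.1") // constructed sample input
	fmt.Printf("%+v %v\n", p, err)
}
```

Because the error path returns before any field is touched, a caller that skips or logs the bad root package never reaches the nil dereference seen in the stack trace.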

ah yes - that was a heuristic to handle the syft tool doing this for containers. Let's take a look at this. Thanks for flagging, a lot of the SBOMs we see come with some variation so it will take a bit of work to make sure we can get it all ingested properly!

Labeling for bug

FYI: @nadgowdas

lumjjb avatar Oct 25 '22 02:10 lumjjb

@jheck88 this should be fixed now, can you test and see if it works?

lumjjb avatar Feb 07 '23 16:02 lumjjb

@lumjjb looks like it's fixed! Thank you very much! Will be a fun tool to leverage in hoppr!

jheck88 avatar Feb 07 '23 21:02 jheck88

🎉 closing the issue!

lumjjb avatar Feb 07 '23 21:02 lumjjb