
bug: improved sbom filename extension handling

Open terriko opened this issue 10 months ago • 7 comments

Copying from https://github.com/intel/cve-bin-tool/pull/4820

Adding the json extension for cyclonedx is mandatory; otherwise, if the user provides a filename without any extension, cve-bin-tool will not be able to read it back, as lib4sbom will silently fail to parse it: https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/cyclonedx/cyclonedx_parser.py#L37

It would have been better to use self.sbom_format, but the default value is "tag" and lib4sbom will replace it with "json": https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/generator.py#L43

A follow-up patch could also update cve-bin-tool/lib4sbom to better handle SBOMs with no extension. At the very least, a clear error message shall be displayed. Another option would be to open the file to check if it is a JSON file and then fall back on XML parsing. Indeed, Linux users are not used to setting extensions on their files.

I've merged #4820 but @ffontaine is correct that more is probably needed here, so I'm filing this issue with the information.

terriko, Feb 18 '25 17:02
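The last option above, sniffing the file content instead of trusting the extension and failing with a clear message, as an added example that is not part of the original issue nor of cve-bin-tool or lib4sbom. The minimal CycloneDX samples, the `bomFormat` check for JSON and the namespace check for the XML `<bom>` root are my assumptions about what a minimal document looks like.

```python
import json
import tempfile
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml in production

CYCLONEDX_NS_PREFIX = "{http://cyclonedx.org/schema/bom/"


def detect_cyclonedx_format(path):
    """Return 'json' or 'xml' from the file's content; the extension is ignored.

    Raises ValueError naming the file and the reason, instead of failing silently.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-8-sig", errors="replace").lstrip()  # tolerate a BOM
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{path}: looks like JSON but does not parse: {exc}") from exc
        if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX":
            return "json"
        raise ValueError(f"{path}: JSON document is not a CycloneDX SBOM (no bomFormat)")
    if text.startswith("<"):
        try:
            root = ET.fromstring(raw)
        except ET.ParseError as exc:
            raise ValueError(f"{path}: looks like XML but does not parse: {exc}") from exc
        if root.tag.startswith(CYCLONEDX_NS_PREFIX) and root.tag.endswith("}bom"):
            return "xml"
        raise ValueError(f"{path}: XML root <{root.tag}> is not a CycloneDX <bom>")
    raise ValueError(f"{path}: unrecognised content, expected CycloneDX JSON or XML")


# Constructed minimal samples (assumed shapes, not real project files).
SAMPLE_JSON = b'{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}'
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"/>')
SAMPLE_BAD = b"name=foo\nversion=1.0\n"


def write_sample(data):
    """Write bytes to a temporary file with NO extension and return its path."""
    with tempfile.NamedTemporaryFile("wb", suffix="", delete=False) as fh:
        fh.write(data)
    return fh.name


if __name__ == "__main__":
    for sample in (SAMPLE_JSON, SAMPLE_XML, SAMPLE_BAD):
        p = write_sample(sample)
        try:
            print(p, "->", detect_cyclonedx_format(p))
        except ValueError as exc:
            print("error:", exc)
```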

A note about the hackathon label: I've flagged a bunch of issues for folk participating in the Open Source Ecosystems Hackathon March 3-7. Please leave these issues to hackathon participants. If they're not claimed after, say, March 10th, they're fair game to other people (including GSoC participants).

terriko, Feb 27 '25 20:02

Intel OSS Hackathon Team 1 will be working on this.

shanscendent, Mar 03 '25 01:03

I think at this point, @shanscendent and our hackathon team are confident we aren't going to get changes in for this one! Up for grabs for anyone else who wants to give it a go :)

stvml, Mar 07 '25 22:03

I'll pick it up if no one else from the hackathon is working on it. I'll wait until March 10th.

Arnavk194, Mar 08 '25 06:03

Hi @terriko , PR #4919 enforces CycloneDX SBOM extension checks (.json/.xml) to fix extension handling. Tests now validate error logging for invalid extensions and use existing SBOM files. Ensures compliance and robust error handling.

Saksham-Sirohi, Mar 09 '25 20:03

Hey @terriko and @22f1001635, I saw that a PR has been submitted—really appreciate the effort you put into it!

Just a heads-up, as per the contribution guidelines, I had already mentioned that I was working on this. No worries this time, but let’s keep it in mind going forward so we don’t end up duplicating work.

Arnavk194, Mar 10 '25 09:03

Hey @Arnavk194, I am really sorry for this. Actually, I had these solutions nearly complete by the time the maintainer gave it the hackathon tag. I am sorry for not providing the info prior.

Saksham-Sirohi, Mar 10 '25 09:03