xeol
xeol copied to clipboard
xeol-io
xeol fails if sbom.xml is missing some xml tags
What happened:
I have a sbom.xml generated by checkov library and it's missing <components> xml tag.
This command fails with such sbom.xml:
xeol --fail-on-eol-found --lookahead 1m sbom.xml -vv
[0000] INFO xeol version: 0.9.15
[0000] DEBUG config:
log:
quiet: false
level: debug
file: ""
dev:
profile: none
output: []
file: ""
distro: ""
check-for-app-update: true
platform: ""
search:
scope: Squashed
unindexed-archives: false
indexed-archives: true
db:
cache-dir: /home/dwnukowski/.cache/xeol/db
update-url: https://data.xeol.io/xeol/databases/listing.json
ca-cert: ""
auto-update: true
validate-by-hash-on-start: false
validate-age: true
max-allowed-built-age: 120h0m0s
lookahead: 1m
fail-on-eol-found: true
api-key: ""
project-name: ""
image-path: Dockerfile
commit-hash: ""
match:
packages:
using-purls: true
distro:
using-cpes: true
registry:
insecure-skip-tls-verify: false
insecure-use-http: false
auth: []
ca-cert: ""
name: ""
default-image-pull-source: ""
[0000] DEBUG no new xeol update available
[0000] DEBUG gathering packages
[0000] DEBUG Fetching organization policies
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on eol database
[0000] DEBUG checking for available database updates
[0000] DEBUG found database update candidate: Listing(url=https://data.xeol.io/xeol/databases/xeol-db_v1_2024-05-10T03:51:15.748131Z.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
1 error occurred:
* failed to catalog: unable to decode sbom: unable to identify format
even though sbom schema says it's optional, so the sbom should be valid and parsed properly: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.4.xsd#L369
What you expected to happen: xeol not ending with decoding error when a valid sbom.xml is provided
How to reproduce it (as minimally and precisely as possible): Use command specified above on this sbom file:
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5c6fb934-a145-4b58-b779-567374571b13"
version="1">
<metadata>
<timestamp>2024-05-10T10:03:40.878180+00:00</timestamp>
<tools>
<tool>
<vendor>CycloneDX</vendor>
<name>cyclonedx-python-lib</name>
<version>6.4.1</version>
<externalReferences>
<reference type="build-system">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
</reference>
<reference type="distribution">
<url>https://pypi.org/project/cyclonedx-python-lib/</url>
</reference>
<reference type="documentation">
<url>https://cyclonedx-python-library.readthedocs.io/</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
</reference>
<reference type="license">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
</reference>
<reference type="release-notes">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
</reference>
<reference type="vcs">
<url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
</reference>
<reference type="website">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
</reference>
</externalReferences>
</tool>
<tool>
<vendor>bridgecrew</vendor>
<name>checkov</name>
<version>UNKNOWN</version>
<externalReferences>
<reference type="build-system">
<url>https://github.com/bridgecrewio/checkov/actions</url>
</reference>
<reference type="distribution">
<url>https://pypi.org/project/checkov/</url>
</reference>
<reference type="documentation">
<url>https://www.checkov.io/1.Welcome/What%20is%20Checkov.html</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/bridgecrewio/checkov/issues</url>
</reference>
<reference type="license">
<url>https://github.com/bridgecrewio/checkov/blob/master/LICENSE</url>
</reference>
<reference type="social">
<url>https://twitter.com/bridgecrewio</url>
</reference>
<reference type="vcs">
<url>https://github.com/bridgecrewio/checkov</url>
</reference>
<reference type="website">
<url>https://www.checkov.io/</url>
</reference>
</externalReferences>
</tool>
</tools>
</metadata>
</bom>
Anything else we need to know?: That's all I think. Environment:
- Output of
xeol version: 0.9.15 - OS (e.g:
cat /etc/os-releaseor similar): Fedora running on WSL:
cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container
@damian-wnukowski-worldline can you let me know if this is resolved with the latest version of xeol v0.10.0
