devops-kung-fu/bomber

bomber fails when `licenses` are specified as `expression`

manolo opened this issue · 6 comments

Given a valid CycloneDX SBOM file that contains a component whose licenses block specifies an expression, it silently exits without showing any report.

This kind of SBOM file is generated by @cyclonedx/cyclonedx-npm

Minimum reproducible example

  • Save the following file content as test-sbom.json
  • Then run bomber scan test-sbom.json
  • It does not
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "ABC123",
  "metadata": {
  },
  "components": [
    {
      "type": "library",
      "name": "foo",
      "version": "0.4.0",
      "bom-ref": "foo-bar@0.4.0",
      "licenses": [
        {
          "expression": "(AFL-2.1 OR BSD-3-Clause)"
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/foo-bar"
        }
      ]
    }
  ],
  "dependencies": []
}
  • Now replace the licenses block with
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
  • run the tool again and you will get a valid report

Thanks for reporting! I'm on it.

I've identified the issue and am testing. The code never checked for the Expression field being filled (in that case it should ignore the License struct, because it's an OR situation with the CycloneDX spec).

The test example provided was crashing without an error (unless debug was turned on) because there is no purl specified. @manolo With a purl for the component, you'll get no results for the licenses with an expression because of this crash. The code will be adjusted to put a better error out.

Thanks for taking care of this.
I have observed that adding a purl does not fix the crash; this .json does not pass either.
I guess that, since those are valid CycloneDX files, it should just parse the file instead of giving an error.

Not sure what to do with the expressions, but they should probably be listed in the 'Licenses Found:' section of the report, since they are still valid licenses in the spec and are meaningful. Probably not processing the expression, which could be difficult, but showing the expression value.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "ABC123",
  "metadata": {
  },
  "components": [
    {
      "type": "library",
      "name": "foo",
      "version": "0.4.0",
      "bom-ref": "foo-bar@0.4.0",
      "licenses": [
        {
          "expression": "(AFL-2.1 OR BSD-3-Clause)"
        }
      ],
      "purl": "pkg:npm/%40foo/foo-bar@0.4.0#foo/bar",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/json-schema"
        }
      ]
    }
  ],
  "dependencies": []
}

BTW, if you want to experiment with a proper SBOM, not this reduced example, you can generate one in this way:

  • create a basic package.json file with a couple of components
{
  "name": "no-name",
  "license": "UNLICENSED",
  "dependencies": {
    "pako": "^2.1.0",
    "type-fest": "^3.5.0"
  }
}
  • install dependencies: npm install
  • generate the SBOM: npx @cyclonedx/cyclonedx-npm --output-file sbom.json
  • run Bomber: bomber scan sbom.json

Found where the problem was... there were a few things going on. There was an issue in the STDOUT renderer where it would return if there were no packages with vulnerabilities, so when I was testing with the sample there were some strange things happening.

After untangling a bit, I made a few changes:

  1. fix: STDOUT provider will now print scanned file information and license information if there are no vulnerabilities detected.
  2. fix: CycloneDX license extraction now looks for expression first and uses it, and if it is set to "" it will use the license node if it isn't nil.
  3. enhancement: Added error output if the Purl scheme doesn't exist or is invalid. I'm going to open a ticket to create some schema validation to ensure that any file ingested by bomber has all the fields bomber needs to process the file.


related #107
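The extraction rule described in the fix above (use the expression when it is set, fall back to the license node when it is non-nil, and surface a readable error for a missing or malformed purl) as an added example in Go. This is not bomber's code: the struct types, the Scan/licensesOf/checkPurl names and the "name@version" keying are this example's own assumptions, and the two embedded BOMs are constructed from the reproducer in this thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal view of a CycloneDX 1.4 JSON BOM: only the fields this example
// reads. JSON names follow the spec; the Go types are this example's own
// (assumed), not bomber's.
type License struct {
	ID   string `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
}

// LicenseChoice is the spec's oneOf: an entry carries either a "license"
// object or an SPDX "expression" string, never both.
type LicenseChoice struct {
	License    *License `json:"license,omitempty"`
	Expression string   `json:"expression,omitempty"`
}

type Component struct {
	Name     string          `json:"name"`
	Version  string          `json:"version"`
	Purl     string          `json:"purl,omitempty"`
	Licenses []LicenseChoice `json:"licenses,omitempty"`
}

type BOM struct {
	BomFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// licensesOf returns the strings to list under "Licenses Found": the
// expression when set, otherwise the license id (or name). An entry with
// neither is skipped instead of dereferencing a nil License.
func licensesOf(c Component) []string {
	var out []string
	for _, lc := range c.Licenses {
		switch {
		case lc.Expression != "":
			out = append(out, lc.Expression)
		case lc.License != nil && lc.License.ID != "":
			out = append(out, lc.License.ID)
		case lc.License != nil && lc.License.Name != "":
			out = append(out, lc.License.Name)
		}
	}
	return out
}

// checkPurl turns a missing or non-"pkg:" purl into a readable error rather
// than letting a later lookup fail silently.
func checkPurl(c Component) error {
	if c.Purl == "" {
		return fmt.Errorf("%s@%s: no purl", c.Name, c.Version)
	}
	if !strings.HasPrefix(c.Purl, "pkg:") {
		return fmt.Errorf("%s@%s: invalid purl scheme in %q", c.Name, c.Version, c.Purl)
	}
	return nil
}

// Scan parses a BOM and returns, per "name@version", the license strings,
// plus one error per component whose purl is unusable. A parse failure or
// a non-CycloneDX document is a hard error.
func Scan(data []byte) (map[string][]string, []error, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, nil, err
	}
	if bom.BomFormat != "CycloneDX" {
		return nil, nil, errors.New("not a CycloneDX BOM")
	}
	found := make(map[string][]string)
	var purlErrs []error
	for _, c := range bom.Components {
		found[c.Name+"@"+c.Version] = licensesOf(c)
		if err := checkPurl(c); err != nil {
			purlErrs = append(purlErrs, err)
		}
	}
	return found, purlErrs, nil
}

// Constructed inputs: the reporter's reduced reproducer (expression form,
// no purl) and the same component using a license id plus a purl.
const ExpressionBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"serialNumber":"ABC123",
 "components":[{"type":"library","name":"foo","version":"0.4.0","bom-ref":"foo-bar@0.4.0",
  "licenses":[{"expression":"(AFL-2.1 OR BSD-3-Clause)"}]}],"dependencies":[]}`
const LicenseIDBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"serialNumber":"ABC123",
 "components":[{"type":"library","name":"foo","version":"0.4.0","bom-ref":"foo-bar@0.4.0",
  "licenses":[{"license":{"id":"MIT"}}],"purl":"pkg:npm/foo-bar@0.4.0"}],"dependencies":[]}`

func main() {
	for _, doc := range []string{ExpressionBOM, LicenseIDBOM} {
		found, purlErrs, err := Scan([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for ref, lics := range found {
			fmt.Printf("%s  Licenses Found: %s\n", ref, strings.Join(lics, ", "))
		}
		for _, e := range purlErrs {
			fmt.Println("warning:", e)
		}
	}
}
```

Run with `go run .`: the first BOM reports the expression verbatim and a warning about the missing purl, the second reports MIT with no warning. The purl check is deliberately separated from license extraction so a bad purl degrades to a warning instead of suppressing the license listing.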