sonatype-nexus-community/sonatype-platform-browser-extension

Platform Extension missing results on certain component parents

ajoanes98 opened this issue · 3 comments

Describe the bug
When testing the Chrome extension, I found that certain components return an error screen with the message "We were unable to find that peanut in a haystack!" instead of returning a scan results page with no violations.

To Reproduce
Steps to reproduce the behavior:
Url for component experiencing the bug: https://central.sonatype.com/artifact/org.apache.logging.log4j/log4j/3.0.0-alpha1

Expected behavior
Expected there to be a scan with no violations, not an error screen.

Screenshots


Desktop (please complete the following information):

  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version 115.0.5790.170 (Official Build) (arm64)

Additional context
Add any other context about the problem here.

madpah commented

Hey @ajoanes98 - thanks for the report.

As of a test (21-Aug-2023 09:14 UK Time), I am seeing that the component in question is returning a match state of UNKNOWN from Sonatype's data services.

I'd suggest you reach out to Sonatype officially to understand why the PURL (as in your screenshot) is coming back as unknown. If the PURL we are calculating turns out to be incorrect for some reason, we can look to provide a fix, but the PURL does look as we'd expect in this situation.

FYI @maurycupitt

As you said in the title, this purl points to a component parent, not the actual component. There is no binary for this purl, just the pom that defines the project. Since there is no component, there is no policy or security info to report on. The following are the components in the project.

I'll take a look and see if there is a better way to handle these types.

Some thoughts:

  • given <packaging>pom</packaging> (= one of the key characteristics of this type of case), even the snippet displayed on Maven Central is in fact wrong: the Maven Central snippet block should probably explain better what pom packaging means (of course out of this repository's scope, but it shows that the issue is wider than just the Platform Browser Extension)
  • at the Platform Browser Extension level: there is no vuln associated with such pom packaging, because it is not really seen by Sonatype data as a real component, I suppose (so no version history stored...).

I imagine we can just let the extension mark the component as recognized and safe.
If end user opens the details, a message like "This component has a pom packaging, which means it is a Maven parent or aggregator POM, or Maven BOM POM." should be a good start, completely ignoring versions and other tabs
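As an added illustration of the two points raised in this thread (the PURL the extension derives from the Maven Central page URL, and the proposed "recognized, pom packaging" handling), the sketch below is example code and is not the extension's own implementation. It assumes the POM XML is available to the caller (in the extension it would have to be fetched from the repository) and uses a constructed sample POM, not the real log4j parent POM; `presentComponent` and the `'UNKNOWN'` match-state string are illustrative names, not the extension's real API or enum.

```javascript
// Added example, not code from the sonatype-platform-browser-extension project.
// 1) derive the Maven PURL from a central.sonatype.com artifact page URL
// 2) read <packaging> from the POM and decide how to present the component

const CENTRAL_RE =
  /^https:\/\/central\.sonatype\.com\/artifact\/([^/]+)\/([^/]+)\/([^/?#]+)/;

// pkg:maven/<groupId>/<artifactId>@<version>; returns null for URLs that are
// not artifact pages. Segments are percent-encoded as the purl spec requires.
function purlFromCentralUrl(url) {
  const m = CENTRAL_RE.exec(url);
  if (!m) return null;
  const [, groupId, artifactId, version] = m;
  return `pkg:maven/${encodeURIComponent(groupId)}/${encodeURIComponent(artifactId)}` +
    `@${encodeURIComponent(version)}`;
}

// Returns the project's own <packaging>, defaulting to "jar" as Maven does.
// Comments, <profiles> and <build> are stripped first so that a commented-out
// element or a plugin <configuration><packaging> is not mistaken for it.
// (Regex-based on purpose for a short demo; use a real XML parser in production.)
function packagingOf(pomXml) {
  const topLevel = pomXml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<profiles>[\s\S]*?<\/profiles>/g, '')
    .replace(/<build>[\s\S]*?<\/build>/g, '');
  const m = /<packaging>\s*([^<\s]+)\s*<\/packaging>/.exec(topLevel);
  return m ? m[1] : 'jar';
}

// Hypothetical presentation rule following the suggestion in the thread:
// a pom-packaged artifact is shown as recognized with an explanatory message
// and no versions tab; an UNKNOWN match on a real binary stays "unknown".
function presentComponent(purl, pomXml, matchState) {
  const packaging = packagingOf(pomXml);
  if (packaging === 'pom') {
    return {
      purl,
      status: 'recognized',
      showVersionsTab: false,
      message: 'This component has a pom packaging, which means it is a Maven parent ' +
        'or aggregator POM, or Maven BOM POM.',
    };
  }
  if (matchState === 'UNKNOWN') {
    return { purl, status: 'unknown', showVersionsTab: false,
      message: 'Component not recognized by Sonatype data services.' };
  }
  return { purl, status: 'matched', showVersionsTab: true, message: null };
}

// Constructed sample POMs (not the real log4j POM contents).
const SAMPLE_PARENT_POM = `<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>3.0.0-alpha1</version>
  <!-- <packaging>jar</packaging> commented out deliberately -->
  <packaging>pom</packaging>
  <modules>
    <module>log4j-api</module>
    <module>log4j-core</module>
  </modules>
  <build>
    <plugins><plugin><configuration><packaging>jar</packaging></configuration></plugin></plugins>
  </build>
</project>`;

const SAMPLE_JAR_POM = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>lib</artifactId>
  <version>1.0.0</version>
</project>`;

const PAGE_URL = 'https://central.sonatype.com/artifact/org.apache.logging.log4j/log4j/3.0.0-alpha1';
console.log(presentComponent(purlFromCentralUrl(PAGE_URL), SAMPLE_PARENT_POM, 'UNKNOWN'));
```

The check on `packagingOf` is the part worth keeping in mind: a parent POM can legitimately carry `<packaging>` strings inside plugin configuration or comments, so the decision has to be made on the project-level element only, otherwise a jar artifact could be misclassified as a parent and its real policy results suppressed.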