xeol-io/xeol

xeol unable to decode syft-json from versions of syft newer than v0.92

bturner-cpacket opened this issue · 5 comments

What happened:
When running xeol over a syft-generated json sbom from a version of Syft later than v0.92 you get this error:

% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

What you expected to happen:
When running xeol over a syft-generated json sbom from Syft v0.92 you do not receive this error:

% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary

How to reproduce it (as minimally and precisely as possible):

  1. Install Syft version 0.92 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0
  2. Check your version - ./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 0.92.0
  3. Generate a json SBOM using Syft v0.92 -
./syft dir:/ -o json>./sbom/v0.92-syft-filesystem-image-sbom.json
  4. Run xeol against that sbom and verify it succeeds -
% xeol sbom:./v0.92-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [1 eol matches]
NAME    VERSION  EOL         DAYS EOL  TYPE
python  3.8.10   2024-10-31  -         binary
  5. Install the latest Syft version (currently v1.4.1) - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
  6. Check your version of syft - ./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 1.4.1
  7. Generate a json SBOM using Syft v1.4.1 -
./syft dir:/ -o json>./sbom/v1.4.1-syft-filesystem-image-sbom.json
  8. Run xeol against the sbom and verify failure -
% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json  --lookahead 1y -o table
 ✔ EOL DB                          [no update available]
1 error occurred:
	* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string

Anything else we need to know?:
I generated the SBOMs I tested against using the Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/; however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v0.92 to something newer would solve this issue; however, I don't know whether dependency versions are the reason it's been held back on v0.92.

Environment:

  • Output of xeol version:
  • OS (e.g: cat /etc/os-release or similar):
% xeol version
Application:         xeol
Version:             0.9.15
BuildDate:           2024-04-27T01:08:08Z
GitCommit:           Homebrew
GitDescription:      Homebrew
Platform:            darwin/amd64
GoVersion:           go1.22.2
Compiler:            gc
Syft Version:        v0.92.0
Supported DB Schema: 1
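A pre-flight check a consumer of syft-json can run before decoding, added here as an example and not xeol's or syft's own code: it reads only the top-level schema.version that syft writes into its JSON output, refuses documents newer than the schema the consumer was built against, and when decoding still fails it names the mismatched field instead of surfacing a bare json error. The legacyDocument struct, its string-typed metadata field and the schema numbers used in testing are constructed stand-ins, not the real syft layout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Illustrative decode target, not xeol's or syft's real struct: a consumer
// that reads as a plain string a field newer producers emit as an object.
type legacyDocument struct {
	Artifacts []struct {
		Name     string `json:"name"`
		Metadata string `json:"metadata"` // assumed old layout: a string
	} `json:"artifacts"`
}

// SchemaMajor reads only schema.version, so it works on any syft-json layout.
func SchemaMajor(doc []byte) (int, error) {
	var probe struct{ Schema map[string]string `json:"schema"` }
	if err := json.Unmarshal(doc, &probe); err != nil {
		return 0, err
	}
	major, err := strconv.Atoi(strings.SplitN(probe.Schema["version"], ".", 2)[0])
	if err != nil {
		return 0, fmt.Errorf("missing or bad schema.version %q", probe.Schema["version"])
	}
	return major, nil
}

// DecodeLegacy refuses documents newer than maxMajor before decoding and, if a
// type mismatch still occurs, names the field instead of a bare json error.
func DecodeLegacy(doc []byte, maxMajor int) (*legacyDocument, error) {
	major, err := SchemaMajor(doc)
	if err != nil {
		return nil, err
	}
	if major > maxMajor {
		return nil, fmt.Errorf("schema %d is newer than supported %d: regenerate with an older syft or upgrade the consumer", major, maxMajor)
	}
	var out legacyDocument
	if err := json.Unmarshal(doc, &out); err != nil {
		if te, ok := err.(*json.UnmarshalTypeError); ok {
			return nil, fmt.Errorf("field %s.%s: got %s, want %s", te.Struct, te.Field, te.Value, te.Type)
		}
		return nil, err
	}
	return &out, nil
}
```

Running the check on the SBOM before handing it to the scanner turns the opaque "cannot unmarshal object" failure into a message that says which producer version is too new for the consumer.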

Any update on this?

It seems to occur because of the fork this library is based on...
replace github.com/anchore/syft => github.com/noqcks/syft v0.0.0-20240109150718-1b286b681098

That seems bad?

Why is this component dependent on go package from a fork of syft with no tags or releases instead of the official syft package?

Is this project still maintained?
It has been a while since I saw a PR that was merged.