fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path #8346
| for i, app := range bom.Applications { | ||
| if slices.Contains(ftypes.AggregatingTypes, app.Type) && app.FilePath == "" { | ||
| if app.FilePath == "" { | ||
| bom.Applications[i].FilePath = input.FilePath |
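Review bot: the assignment in this loop gives every application whose FilePath is empty the same value, `input.FilePath`, so when one SBOM yields several such components they will all report an identical Target; a short comment on the assignment stating that this is intended (the discussion below explains why no type prefix is added, since component names are not unique in CycloneDX or SPDX) would stop a later reader from treating Target as a unique key here.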
I didn't add the type prefix (as we discussed in #7556 (reply in thread)) because name is not a unique field (for CycloneDX and SPDX), so we can use the same name for multiple components.
| Trivy can search for Software Bill of Materials (SBOMs) among container image files and scan for vulnerabilities for components in these files. | ||
|
|
||
| !!!note | ||
| There are cases where Trivy can't detect the file path for Applications from third-party SBOM files. |
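Review bot: the note tells the reader that the path cannot be detected but not what they will see as a result; one sentence saying that such components are then reported under the SBOM file's own path, and that several components from one SBOM can therefore share a single Target, would make the scan output self-explanatory.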
Applications is a kind of internal term as it is capitalized. We should explain this note without the context we maintainers have. We can reference the definition of applications.
We can use something like There are cases where Trivy can't detect the file path of software components from third-party SBOM files.
wdyt?
There are two cases:
- Cannot detect the file path of application paths having library components (e.g., Go binary)
- Cannot detect the file path of library components (e.g., .gemspec)
Am I correct? Do you think "software components" describe that enough?
For these, Trivy uses the SBOM file path as the Application file path
We also need to rephrase this sentence.
I realized that it is better to write documents in the morning 😄
I updated the docs - 7dc1ca2
I think this should be clear to all users now.
…'t detect its path (#8346) Co-authored-by: knqyf263 <knqyf263@gmail.com>
Description
There are cases when we can't determine the FilePath of the application from the SBOM file (see #7556 (comment)).
So we need to add the FilePath of the SBOM file as the Application FilePath to avoid an empty Target (and an empty name field for the SBOM component, which makes the SBOM file invalid). Example:
```
➜ cat sbom-without-app-component.spdx.json
```

```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "launcher",
  "documentNamespace": "https://anchore.com/syft/file/launcher-268e7779-ba66-4422-a5b0-d4d83f7b5d8c",
  "creationInfo": {
    "licenseListVersion": "3.25",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-1.13.0"
    ],
    "created": "2024-09-25T21:11:50Z"
  },
  "packages": [
    {
      "name": "co.elastic.apm:apm-agent",
      "SPDXID": "SPDXRef-Package-f0db45781e6813a1",
      "versionInfo": "1.36.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent@1.36.0"
        }
      ],
      "filesAnalyzed": false
    },
    {
      "name": "github.com/buildpacks/lifecycle",
      "SPDXID": "SPDXRef-Package-go-module-github.com-buildpacks-lifecycle-89c3bd8d4c2e75b7",
      "versionInfo": "v0.20.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "sourceInfo": "acquired package info from go module information: /launcher",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:buildpacks:lifecycle:v0.20.2:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/github.com/buildpacks/lifecycle@v0.20.2"
        }
      ]
    },
    {
      "name": "launcher",
      "SPDXID": "SPDXRef-DocumentRoot-File-launcher",
      "versionInfo": "sha256:716665ae98fb4b4675d5184f80884547597d47be1395d1049dc9e16035f32cc1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "716665ae98fb4b4675d5184f80884547597d47be1395d1049dc9e16035f32cc1"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "primaryPackagePurpose": "FILE"
    }
  ],
  "files": [
    {
      "fileName": "/launcher",
      "SPDXID": "SPDXRef-File-launcher-361242815a383bec",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "0000000000000000000000000000000000000000"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": ""
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Package-go-module-github.com-buildpacks-lifecycle-89c3bd8d4c2e75b7",
      "relatedSpdxElement": "SPDXRef-File-launcher-361242815a383bec",
      "relationshipType": "OTHER",
      "comment": "evident-by: indicates the package's existence is evident by the given file"
    },
    {
      "spdxElementId": "SPDXRef-DocumentRoot-File-launcher",
      "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-buildpacks-lifecycle-89c3bd8d4c2e75b7",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-DocumentRoot-File-launcher",
      "relationshipType": "DESCRIBES"
    }
  ]
}
```

before:

after:
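The fallback the description explains, shown as an added, self-contained illustration rather than Trivy's own code: a small Go program reads a minimal SPDX JSON document, resolves each package to a file path through its `relationships` and `files` entries, and, when no file can be resolved, uses the SBOM file's own path so that no component is reported with an empty Target. The `Application` struct, the helper names, the trimmed SPDX document and the `/sboms/launcher.spdx.json` path are all constructed for this example; passing an empty SBOM path reproduces the pre-fix situation with an empty Target.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spdxDoc is the minimal subset of SPDX 2.3 JSON needed to map a package to a file.
type spdxDoc struct {
	Packages []struct {
		Name   string `json:"name"`
		SPDXID string `json:"SPDXID"`
	} `json:"packages"`
	Files []struct {
		FileName string `json:"fileName"`
		SPDXID   string `json:"SPDXID"`
	} `json:"files"`
	Relationships []struct {
		From string `json:"spdxElementId"`
		To   string `json:"relatedSpdxElement"`
	} `json:"relationships"`
}

// Application is a hypothetical stand-in for the two fields the PR touches.
type Application struct {
	Name     string
	FilePath string // reported as the scan Target
}

// ResolveApplicationPaths assigns every package a FilePath: the fileName of a
// file element it is related to when the SBOM provides one, otherwise sbomPath
// (the SBOM file's own path), which is the fallback the PR introduces.
func ResolveApplicationPaths(sbomJSON []byte, sbomPath string) ([]Application, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse SPDX: %w", err)
	}
	// SPDXID of a file element -> its fileName
	fileNames := make(map[string]string, len(doc.Files))
	for _, f := range doc.Files {
		fileNames[f.SPDXID] = f.FileName
	}
	// SPDXID of a package -> path of a file it is related to (any relationship type)
	pkgPath := make(map[string]string)
	for _, r := range doc.Relationships {
		if name, ok := fileNames[r.To]; ok {
			pkgPath[r.From] = name
		}
	}
	apps := make([]Application, 0, len(doc.Packages))
	for _, p := range doc.Packages {
		path := pkgPath[p.SPDXID]
		if path == "" {
			path = sbomPath // fallback: the SBOM file itself becomes the Target
		}
		apps = append(apps, Application{Name: p.Name, FilePath: path})
	}
	return apps, nil
}

// EmptyTargets counts applications that would be reported with an empty Target.
func EmptyTargets(apps []Application) int {
	n := 0
	for _, a := range apps {
		if a.FilePath == "" {
			n++
		}
	}
	return n
}

// sampleSPDX is a constructed document modelled on the one in the PR description:
// the Go module is related to the file /launcher, the Maven package is not.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "launcher",
  "packages": [
    {"name": "co.elastic.apm:apm-agent", "SPDXID": "SPDXRef-Package-apm-agent", "versionInfo": "1.36.0"},
    {"name": "github.com/buildpacks/lifecycle", "SPDXID": "SPDXRef-Package-lifecycle", "versionInfo": "v0.20.2"}
  ],
  "files": [
    {"fileName": "/launcher", "SPDXID": "SPDXRef-File-launcher"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-Package-lifecycle", "relatedSpdxElement": "SPDXRef-File-launcher", "relationshipType": "OTHER"},
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-lifecycle", "relationshipType": "DESCRIBES"}
  ]
}`

func main() {
	apps, err := ResolveApplicationPaths([]byte(sampleSPDX), "/sboms/launcher.spdx.json")
	if err != nil {
		panic(err)
	}
	for _, a := range apps {
		fmt.Printf("%-35s Target=%s\n", a.Name, a.FilePath)
	}
	fmt.Println("empty targets:", EmptyTargets(apps))
}
```

With the SBOM path supplied, the Maven component lands on `/sboms/launcher.spdx.json` and the Go module on `/launcher`, so both have a non-empty Target; as the PR discussion notes, every unresolved component from one SBOM shares that same fallback path.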
Related issues
Target for some SBOM files in image #8189
Checklist