Comments (6)
Thanks @haiazuki for the report! We will take a look. This issue is possibly related to: #2353 and #2305
from syft.
Dev notes: there are some format limitations in CycloneDX that prevent us from representing every relationship that we handle in other formats like SPDX, so there will always be some functionality differences between the various formats. We could probably encode CONTAINS and DEPENDS-ON relationships in CycloneDX, though. The challenge encoding the CONTAINS relationship is that it requires nesting components in CycloneDX which we aren't currently doing--it wouldn't be expressible in the dependency relationships.
@haiazuki, if you are able, can you share a bit more about your use case and needs here? Are you looking for a source code dependency tree or something similar? More details might be helpful for us to look into this. Thanks!
from syft.
Hi @tgerla ,
I checked the specifications of SPDX compare with CycloneDX so I understand what you are saying. From a CycloneDX perspective, it tracks dependency relationships so DEPENDS-ON seem to be the priority.
In the product I am testing with, I have an installer in a jar package that I used as the target source to generate the sbom. This contains other jar files and also a war file that contains other jar file packages. So I was looking for entries that reflect the relationship of these packages similar to what is in default json and spdx json.
Thank you!
from syft.
I see syft producing usable Cyclonedx dependency information for image scans except from the tiny detail described here: DependencyTrack/dependency-track#3314
I have tried manually adding the missing dependency between the root object and some random set of modules and then DT can show a dependency tree for that part. It seems DT doesn't even try to build a dependency tree when the root dependency is missing. Probably because it doesn't know where to start.
Is there a good reason this has not been fixed already (or why the issue has ever arisen)?
from syft.
Shouldn't this need to be included in milestone "Meet NTIA Minimum SBOM Requirements" as relationships are part of the minimum elements in NTIA?
from syft.
👋 I think it would be useful for this issue if we could posting specific examples of where dependencies should exist in cyclone-dx and they are not showing up. Syft currently uses the dependencies
field of cyclone dx to represent depends-on
as found by spdx.
Are there other sections we should be putting non dependency relationship information?
In the SBOM you are generating what data is not showing up in the cyclonedx dependencies
section that you expect to show up?
A good example of the format I'm looking for to help the discussion is something like this:
I am using syft v1.6.0 to scan `alpine:latest`
Here are the commands I'm running:
syft -o spdx-json alpine:latest | jq . > spdx.json
syft -o cyclonedx-json alpine:latest | jq . > cdx.json
In spdx.json
I see:
{
"spdxElementId": "SPDXRef-Package-apk-musl-03e521237cbed45a",
"relatedSpdxElement": "SPDXRef-File-lib-ld-musl-aarch64.so.1-15ac5a87021c605c",
"relationshipType": "CONTAINS"
},
These contains
relationships are not shown in cyclone-dx.
All I see in cyclone-dx are the depends on relationships - here is an example:
{
"ref": "pkg:apk/alpine/[email protected]?arch=aarch64&upstream=openssl&distro=alpine-3.20.0&package-id=0cfcda1a242dfd13",
"dependsOn": [
"pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.0&package-id=03e521237cbed45a"
]
},
from syft.
Related Issues (20)
- Syft incorrectly identifying jruby jar files HOT 1
- Parameter confirmation of docker _registry scanning HOT 1
- install.sh: check checksums file's signature HOT 2
- Reverse conversion of metadata mode is broken HOT 4
- syft does not find anything in archives if /tmp is a tmpfs HOT 1
- Support cataloging dlopen ELF metadata
- Syft Directory Source: Git Tag and Metadata Information
- syft outputs incorrect license LicenseRef-AND HOT 1
- Detect fluent-bit binaries
- Binary detection workflow enhancements
- SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working HOT 2
- syft-table option adds escape chars at the end of each row HOT 2
- python cataloger: adding a support additionally to classify licenses by `License-File` field in metadata file HOT 1
- Add additional image tags to source metadata
- Very High Memory Usage Using Syft HOT 1
- Poetry's multiple constraints seems to break the parser
- Add ability to use distributed ruleset HOT 1
- Show dependencies for Github Actions
- Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger HOT 4
- The ability to extract the contents of the license file (LICENSE.txt) itself HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.