Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] CycloneDX ingestion segfault #199

Closed
lumjjb opened this issue Nov 3, 2022 · 4 comments
Closed

[BUG] CycloneDX ingestion segfault #199

lumjjb opened this issue Nov 3, 2022 · 4 comments
Labels
bug Something isn't working data-quality Things related to data quality and document ingestion

Comments

@lumjjb
Copy link
Contributor

lumjjb commented Nov 3, 2022

More details:

#169 (comment) (opened by @electricgull)
@lumjjb lumjjb added the data-quality Things related to data quality and document ingestion label Nov 3, 2022
@lumjjb
Copy link
Contributor Author

lumjjb commented Nov 3, 2022

FYI: @nadgowdas

@lumjjb lumjjb added the bug Something isn't working label Nov 3, 2022
@nadgowdas
Copy link
Contributor

This is an interesting case. For SBOMs we are expecting expecting the identify root component (which is typically an image) and is captured in an SBOM (atleast the ones that are produced by syft).
The SBOM in this case, seem to have been generated from package.json (@electricgull can you share how this SBOM was generated ?) and does not capture root component in the metadata.

Current SBOM: https://github.com/JupiterOne/graph-github/blob/guac-bom-test-cg/reports/bom.json#L6-L11
Syft Image SBOM: https://github.com/guacsec/guac/blob/main/internal/testing/processor/testdata/alpine-cyclonedx.json#L6-L20

We need to support all these SBOMs variations. In this case, the question is what should be the root component ?

We can add SBOM file with its sha as the root element. Thought ? @lumjjb @pxp928

@electricgull
Copy link

We are using this docker container created from here:
https://github.com/JupiterOne/node-cdx-bom

https://github.com/JupiterOne/node-cdx-bom/blob/main/Dockerfile
https://github.com/JupiterOne/node-cdx-bom/blob/main/bin/node-cdx-bom

@lumjjb
Copy link
Contributor Author

lumjjb commented Nov 7, 2022

I think for us to create the edges, we would need the top level component. I think in this case, a missing top level "component" would probably mean that we would only create nodes for each individual component but not link it to any top level component so it doesn't exists...

@stevespringett do you have any recommendations for CDX here?

@nadgowdas nadgowdas mentioned this issue Nov 9, 2022
Merged
@lumjjb lumjjb closed this as completed Nov 14, 2022
@kurt-r2c kurt-r2c mentioned this issue May 30, 2023
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working data-quality Things related to data quality and document ingestion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lumjjb @nadgowdas @electricgull