diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index eac9877f42..49fd39ced1 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -540,6 +540,12 @@ Scanned /fixtures/locks-insecure/composer.lock file and found 1 package [TestRun/folder_of_supported_sbom_with_vulns - 1] Scanning dir ./fixtures/sbom-insecure/ Scanned /fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages +Scanned /fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages +Ignored 6 packages with invalid PURLs +Ignored invalid PURL "/" +Ignored invalid PURL "pkg:///" +Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2" +Ignored invalid PURL "pkg:pypi/" Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | @@ -688,6 +694,21 @@ No issues found --- +[TestRun/one_specific_supported_sbom_with_invalid_PURLs - 1] +Scanned /fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages +Ignored 6 packages with invalid PURLs +Ignored invalid PURL "/" +Ignored invalid PURL "pkg:///" +Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2" +Ignored invalid PURL "pkg:pypi/" +No issues found + +--- + +[TestRun/one_specific_supported_sbom_with_invalid_PURLs - 2] + +--- + [TestRun/one_specific_supported_sbom_with_vulns - 1] Scanned /fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages +--------------------------------+------+-----------+---------+-----------+---------------------------------------+ 
diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/bad-purls.cdx.xml b/cmd/osv-scanner/fixtures/sbom-insecure/bad-purls.cdx.xml new file mode 100644 index 0000000000..34b787735f --- /dev/null +++ b/cmd/osv-scanner/fixtures/sbom-insecure/bad-purls.cdx.xml 
@@ -0,0 +1,572 @@ + + + + 2023-03-02T12:04:22+11:00 + + + anchore + syft + 0.73.0 + + + + alpine:latest + sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 + + + + + Natanael Copa <ncopa@alpinelinux.org> + + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 331776 + alpine-baselayout + Q1/eXfmbYT1WXenFSqKjroYyK84NE= + alpine-baselayout-data=3.4.0-r0 + /bin/sh + 8890 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-baselayout-data + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + 
cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 77824 + alpine-baselayout + Q1/JgpM8J6DWI/541tUX+uHEzSjqo= + 11664 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-keys + 2.4-r1 + Public keys for Alpine Linux packages + + + MIT + + + cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + pkg:pypi/ + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + aab68f8c9ab434a46710de8e12fb3206e2930a59 + 159744 + alpine-keys + Q1KM01lfKVp+gEZn23awujqjSkrN8= + 13361 + + + + Natanael Copa <ncopa@alpinelinux.org> + apk-tools + 2.12.10-r1 + Alpine Package Keeper - package manager for alpine + + + GPL-2.0-only + + + cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 + + + https://gitlab.alpinelinux.org/alpine/apk-tools + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed 
+ 0188f510baadbae393472103427b9c1875117136 + 307200 + apk-tools + so:libapk.so.3.12.0=3.12.0 + cmd:apk=2.12.10-r1 + Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= + musl>=1.2 + ca-certificates-bundle + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + so:libz.so.1 + 120973 + + + + busybox + 1.35.0 + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + + binary-cataloger + BinaryMetadata + binary + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /bin/busybox + + + + Sören Tempel <soeren+alpine@soeren-tempel.net> + busybox-binsh + 1.36.1-r27 + busybox ash /bin/sh + + + GPL-2.0-only + + + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 8192 + busybox + /bin/sh + cmd:sh=1.36.1-r27 + Q1miWwyhWKXVEiRYLhmArV1TKMs6A= + busybox=1.36.1-r27 + 1547 + + + + Natanael Copa <ncopa@alpinelinux.org> + ca-certificates-bundle + 20220614-r4 + Pre generated bundle of Mozilla certificates + + + MPL-2.0 + + + MIT + + + cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + pkg:pypi/ + + + https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + 
cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e1839fd45a096c9e21ac24f8a61991d357d11628 + 237568 + ca-certificates + ca-certificates-cacert=20220614-r4 + Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= + 126296 + + + + Natanael Copa <ncopa@alpinelinux.org> + libc-utils + 0.7.2-r3 + Meta package to pull in correct libc + + + BSD-2-Clause + + + BSD-3-Clause + + + cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + pkg:/// + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 60424133be2e79bbfeff3d58147a22886f817ce2 + 4096 + libc-dev + Q19Gg06pBPiiG9UN94ql7qImsHSUQ= + musl-utils + 1485 + + + + Ariadne Conill <ariadne@dereferenced.org> + libcrypto3 + 3.0.8-r0 + Crypto library from openssl + + + Apache-2.0 + + + cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 4206592 + openssl + so:libcrypto.so.3=3 + Q1lyWpurYeMlLEt60ys+OlTABmzgs= + so:libc.musl-x86_64.so.1 + 1710217 + + + + Ariadne Conill <ariadne@dereferenced.org> + libssl3 + 3.0.8-r0 + SSL shared libraries + + + Apache-2.0 + + + cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 622592 + openssl + so:libssl.so.3=3 + Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + 246853 + + + + Timo Teräs <timo.teras@iki.fi> + musl + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* + / + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 634880 + musl + so:libc.musl-x86_64.so.1=1 + Q1Pk7x1woArbB1nzkMPJPq1TECwus= + 388955 + + + + Timo Teräs <timo.teras@iki.fi> + musl-utils + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + BSD-2-Clause + + + GPL-2.0-or-later + + + cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 135168 + musl + cmd:getconf=1.2.3-r4 + cmd:getent=1.2.3-r4 + cmd:iconv=1.2.3-r4 + cmd:ldconfig=1.2.3-r4 + cmd:ldd=1.2.3-r4 + Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= + scanelf + so:libc.musl-x86_64.so.1 + 36697 + + + + Natanael Copa <ncopa@alpinelinux.org> + scanelf + 1.3.5-r1 + Scan ELF binaries for stuff + + + GPL-2.0-only + + + cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* + pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 + + + https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e52243dbb02069f10d48440ccc5fd41fa5fc2236 + 98304 + pax-utils + cmd:scanelf=1.3.5-r1 + Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= + so:libc.musl-x86_64.so.1 + 37687 + + + + Sören Tempel <soeren+alpine@soeren-tempel.net> + ssl_client + 1.36.1-r27 + EXternal ssl_client for busybox wget + + + GPL-2.0-only + + + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 28672 + busybox + cmd:ssl_client=1.36.1-r27 + Q1QuqZjeP6XG85I29tOiCWofL8Cj0= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + 4929 + + + + Natanael Copa <ncopa@alpinelinux.org> + zlib + 1.2.10-r0 + A compression/decompression Library + + + Zlib + + + 
cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* + pkg:pypi/ + + + https://zlib.net/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bb37266b06a72d21d1fd850ef4b86665cf9ef70f + 110592 + zlib + so:libz.so.1=1.2.13 + Q1rjnXT01l1PAxXheUxe4Oldl5rFk= + so:libc.musl-x86_64.so.1 + 54258 + + + + + 3.17.2 + Alpine Linux v3.17 + + + + + + + + + + + alpine + Alpine Linux v3.17 + 3.17.2 + + + + diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 5a4e579854..808877c3a0 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -166,6 +166,12 @@ func TestRun(t *testing.T) { args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/alpine.cdx.xml"}, exit: 1, }, + // one specific supported sbom with vulns and invalid PURLs + { + name: "one specific supported sbom with invalid PURLs", + args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/bad-purls.cdx.xml"}, + exit: 0, + }, // one specific unsupported lockfile { name: "", diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 601acd5a9a..3a38366d30 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -10,6 +10,7 @@ import ( "os/exec" "path" "path/filepath" + "slices" "sort" "strings" @@ -461,11 +462,11 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP } defer file.Close() - ignoredCount := 0 + var ignoredPURLs []string err = provider.GetPackages(file, func(id sbom.Identifier) error { _, err := models.PURLToPackage(id.PURL) if err != nil { - ignoredCount++ + ignoredPURLs = append(ignoredPURLs, id.PURL) //nolint:nilerr return nil } 
@@ -499,12 +500,19 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP
 		len(packages), output.Form(len(packages), "package", "packages"),
 	)
-	if ignoredCount > 0 {
-		r.Infof(
+	if len(ignoredPURLs) > 0 {
+		r.Warnf(
 			"Ignored %d %s with invalid PURLs\n",
-			ignoredCount,
-			output.Form(ignoredCount, "package", "packages"),
+			len(ignoredPURLs),
+			output.Form(len(ignoredPURLs), "package", "packages"),
 		)
+		slices.Sort(ignoredPURLs)
+		for _, purl := range slices.Compact(ignoredPURLs) {
+			r.Warnf(
+				"Ignored invalid PURL \"%s\"\n",
+				purl,
+			)
+		}
 	}
 	return packages, nil
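Review bot: The invalid PURL strings are copied from the SBOM straight into the warning with `%s`, so an entry containing newlines or terminal control sequences is emitted unescaped into the scanner output and anything that captures it; `%q` escapes those and renders plain values exactly as the current hand-quoted form does, so the snapshot is unaffected: `"Ignored invalid PURL %q\n",`. The `Ignored %d … with invalid PURLs` count still includes duplicates while the list under it is deduplicated by `slices.Compact`, which reads as a mismatch for a file like the new fixture (6 counted, 4 listed); a comment such as `// count covers every ignored package; the list names each distinct PURL once` would mark that as intended. The loop also emits one warning per distinct PURL with no upper bound, which may be noisy for large SBOMs — worth confirming that matches the reporter's expectations.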