Commit
fix: warn about and ignore duplicate entries in SBOMs (#1289)
While, from what I understand, duplicates should not be possible in a valid SBOM, apparently they happen, and it's useful for us to report and skip them. Since doing this efficiently requires the use of a map, we in turn have to sort the packages to ensure a consistent output order, which led to me discovering that we're not already sorting the packages; I've opened #1288 to land that change first.

Resolves #330
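The approach the commit message describes (detect repeats with a map keyed on PURL, warn, skip, then sort so the result does not depend on map or SBOM order) as an added, self-contained Go example. This is illustration code written for this page, not osv-scanner's own parser or package model: the `cdxComponent`/`Package` types, `ParseCycloneDX` and `DedupePackages` are hypothetical names, the BOM is read as CycloneDX JSON rather than the XML fixtures used in the tests, and the embedded BOM is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// cdxComponent is the subset of a CycloneDX JSON component this example reads.
// These types are an added illustration, not osv-scanner's own SBOM model.
type cdxComponent struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type cdxBOM struct {
	Components []cdxComponent `json:"components"`
}

// Package is one distinct entry kept after de-duplication.
type Package struct {
	Name    string
	Version string
	PURL    string
}

// ParseCycloneDX decodes the JSON form of a CycloneDX BOM (the fixtures on the
// page are XML; JSON is used here only to keep the example short).
func ParseCycloneDX(r io.Reader) ([]cdxComponent, error) {
	var bom cdxBOM
	if err := json.NewDecoder(r).Decode(&bom); err != nil {
		return nil, fmt.Errorf("decoding CycloneDX BOM: %w", err)
	}
	return bom.Components, nil
}

// DedupePackages keeps the first component seen for each PURL, writes one
// warning per repeated PURL to warn, and returns the survivors sorted by PURL.
// The sort is what makes the result order independent of map iteration order
// (and of the order entries appear in the SBOM), so output stays stable.
// Components with an empty PURL are skipped and counted separately.
func DedupePackages(comps []cdxComponent, warn io.Writer) (pkgs []Package, dupes, noPURL int) {
	seen := make(map[string]struct{}, len(comps))
	for _, c := range comps {
		if c.PURL == "" {
			noPURL++
			continue
		}
		if _, ok := seen[c.PURL]; ok {
			dupes++
			fmt.Fprintf(warn, "Warning, duplicate PURL found in SBOM: %s\n", c.PURL)
			continue
		}
		seen[c.PURL] = struct{}{}
		pkgs = append(pkgs, Package{Name: c.Name, Version: c.Version, PURL: c.PURL})
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].PURL < pkgs[j].PURL })
	return pkgs, dupes, noPURL
}

// sampleBOM is a constructed fixture: the zlib entry appears twice with an
// identical PURL, and busybox has no PURL at all.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "zlib", "version": "1.2.10-r0", "purl": "pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&distro=alpine-3.17.2"},
    {"name": "openssl", "version": "3.0.8-r0", "purl": "pkg:apk/alpine/openssl@3.0.8-r0?arch=x86_64&distro=alpine-3.17.2"},
    {"name": "zlib", "version": "1.2.10-r0", "purl": "pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&distro=alpine-3.17.2"},
    {"name": "busybox", "version": "1.36.1-r27", "purl": ""}
  ]
}`

func main() {
	comps, err := ParseCycloneDX(strings.NewReader(sampleBOM))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Warnings go to stderr so they never mix with machine-readable output on stdout.
	pkgs, dupes, noPURL := DedupePackages(comps, os.Stderr)
	fmt.Printf("found %d packages (%d duplicate PURLs ignored, %d without a PURL)\n", len(pkgs), dupes, noPURL)
	for _, p := range pkgs {
		fmt.Printf("%-10s %-12s %s\n", p.Name, p.Version, p.PURL)
	}
}
```

The dedup key is the PURL string exactly as written in the SBOM, so two entries whose PURLs differ only in qualifier order are treated as distinct; normalise PURLs first if that matters for your inputs. Writing warnings to a caller-supplied `io.Writer` keeps them off stdout, which matters once the scanner's results are consumed by another tool.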
Showing 4 changed files with 682 additions and 6 deletions.
@@ -531,6 +531,9 @@ Ignored invalid PURL "pkg:///" | |
Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2" | ||
Ignored invalid PURL "pkg:pypi/" | ||
Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages | ||
Warning, duplicate PURL found in SBOM: pkg:apk/alpine/[email protected]?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 | ||
Warning, duplicate PURL found in SBOM: pkg:apk/alpine/[email protected]?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 | ||
Scanned <rootdir>/fixtures/sbom-insecure/with-duplicates.cdx.xml as CycloneDX SBOM and found 14 packages | ||
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | ||
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | | ||
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | ||
|
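Review bot: the two new `Warning, duplicate PURL found in SBOM:` lines do not name the SBOM they came from, and because they are printed before the `Scanned <rootdir>/fixtures/sbom-insecure/with-duplicates.cdx.xml ...` line, in a multi-SBOM run like this one they read as belonging to the previous file's output (postgres-stretch.cdx.xml). Suggest including the path in the message and matching the wording of the neighbouring `Ignored invalid PURL "..."` lines, e.g. `Ignored duplicate PURL "pkg:apk/alpine/..." in fixtures/sbom-insecure/with-duplicates.cdx.xml`, so both skip cases read the same. It would also help to say in the `found 14 packages` line (or a summary line like the invalid-PURL path's `Ignored N packages with invalid PURLs`) that the count is after duplicates were dropped.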
@@ -556,6 +559,8 @@ Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S | |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | ||
| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | ||
| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | ||
| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | | ||
| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | | ||
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | ||
|
||
--- | ||
|
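Review bot: the two added zlib 1.2.10-r0 rows for with-duplicates.cdx.xml confirm the repeated entry is scanned and reported once, but the fixture only covers byte-identical PURLs. If the key is the printed PURL string, two entries for the same package that differ only in qualifier order or a `distro=` value would still be scanned twice; either note in the docs that "duplicate" means an identical PURL, or normalise the PURL before keying and add a fixture case for it.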
@@ -696,6 +701,23 @@ No issues found | |
|
||
--- | ||
|
||
[TestRun/one_specific_supported_sbom_with_duplicate_PURLs - 1] | ||
Warning, duplicate PURL found in SBOM: pkg:apk/alpine/[email protected]?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 | ||
Warning, duplicate PURL found in SBOM: pkg:apk/alpine/[email protected]?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 | ||
Scanned <rootdir>/fixtures/sbom-insecure/with-duplicates.cdx.xml as CycloneDX SBOM and found 14 packages | ||
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ | ||
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | | ||
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ | ||
| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | | ||
| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | | ||
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ | ||
|
||
--- | ||
|
||
[TestRun/one_specific_supported_sbom_with_duplicate_PURLs - 2] | ||
|
||
--- | ||
|
||
[TestRun/one_specific_supported_sbom_with_invalid_PURLs - 1] | ||
Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages | ||
Ignored 6 packages with invalid PURLs | ||
|
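Review bot: the `[TestRun/one_specific_supported_sbom_with_duplicate_PURLs - 2]` snapshot is empty while the warnings sit in `- 1]` alongside the results table, so the duplicate warnings go to the same stream as the scan output. That matches the existing `Ignored invalid PURL` lines, but any consumer reading a non-table output format will get these lines mixed into it; consider emitting them on the stream the `- 2]` snapshot captures (presumably stderr) or behind a verbosity flag. Separately, the invalid-PURL test ends with an `Ignored 6 packages with invalid PURLs` summary while the duplicate case has no equivalent count line.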