From 969eb66007f5cfb1998418b4eec988607847f2d2 Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Fri, 18 Oct 2024 12:50:22 +1300 Subject: [PATCH] fix: warn about and ignore duplicate entries in SBOMs (#1289) While from what I understand duplicates should not be possible in a valid SBOM, apparently they happen and it's useful for us to report + skip them. Since doing this efficiently requires use of a map we in turn have to sort the packages to ensure a consistent output order, leading to me discovering that we're not already sorting the packages - I've opened #1288 to land that change first. Resolves #330 --- cmd/osv-scanner/__snapshots__/main_test.snap | 22 + .../sbom-insecure/with-duplicates.cdx.xml | 636 ++++++++++++++++++ cmd/osv-scanner/main_test.go | 7 + pkg/osvscanner/osvscanner.go | 23 +- 4 files changed, 682 insertions(+), 6 deletions(-) create mode 100644 cmd/osv-scanner/fixtures/sbom-insecure/with-duplicates.cdx.xml diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index b1dc8eee20..0a46d3907e 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -531,6 +531,9 @@ Ignored invalid PURL "pkg:///" Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2" Ignored invalid PURL "pkg:pypi/" Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages +Warning, duplicate PURL found in SBOM: pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 +Warning, duplicate PURL found in SBOM: pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 +Scanned /fixtures/sbom-insecure/with-duplicates.cdx.xml as CycloneDX SBOM and found 14 packages +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ @@ -556,6 +559,8 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | +| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ --- 
@@ -696,6 +701,23 @@ No issues found --- +[TestRun/one_specific_supported_sbom_with_duplicate_PURLs - 1] +Warning, duplicate PURL found in SBOM: pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 +Warning, duplicate PURL found in SBOM: pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 +Scanned /fixtures/sbom-insecure/with-duplicates.cdx.xml as CycloneDX SBOM and found 14 packages ++--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ +| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | ++--------------------------------+------+-----------+---------+-----------+------------------------------------------------+ + +--- + +[TestRun/one_specific_supported_sbom_with_duplicate_PURLs - 2] + +--- + [TestRun/one_specific_supported_sbom_with_invalid_PURLs - 1] Scanned /fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages Ignored 6 packages with invalid PURLs diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/with-duplicates.cdx.xml b/cmd/osv-scanner/fixtures/sbom-insecure/with-duplicates.cdx.xml new file mode 100644 index 0000000000..e9fb06b3ee --- /dev/null +++ b/cmd/osv-scanner/fixtures/sbom-insecure/with-duplicates.cdx.xml 
@@ -0,0 +1,636 @@ + + + + 2023-03-02T12:04:22+11:00 + + + anchore + syft + 0.73.0 + + + + alpine:latest + sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 + + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-baselayout + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 331776 + alpine-baselayout + Q1/eXfmbYT1WXenFSqKjroYyK84NE= + alpine-baselayout-data=3.4.0-r0 + /bin/sh + 8890 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-baselayout-data + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + 
cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 77824 + alpine-baselayout + Q1/JgpM8J6DWI/541tUX+uHEzSjqo= + 11664 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-keys + 2.4-r1 + Public keys for Alpine Linux packages + + + MIT + + + cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + aab68f8c9ab434a46710de8e12fb3206e2930a59 + 159744 + alpine-keys + Q1KM01lfKVp+gEZn23awujqjSkrN8= + 13361 + + + + Natanael Copa <ncopa@alpinelinux.org> + apk-tools + 2.12.10-r1 + Alpine Package Keeper - package manager for alpine + + + GPL-2.0-only + + + cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 + + + https://gitlab.alpinelinux.org/alpine/apk-tools + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + 
cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 0188f510baadbae393472103427b9c1875117136 + 307200 + apk-tools + so:libapk.so.3.12.0=3.12.0 + cmd:apk=2.12.10-r1 + Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= + musl>=1.2 + ca-certificates-bundle + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + so:libz.so.1 + 120973 + + + + busybox + 1.35.0 + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + + binary-cataloger + BinaryMetadata + binary + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /bin/busybox + + + + Sören Tempel <soeren+alpine@soeren-tempel.net> + busybox-binsh + 1.36.1-r27 + busybox ash /bin/sh + + + GPL-2.0-only + + + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 8192 + busybox + /bin/sh + cmd:sh=1.36.1-r27 + Q1miWwyhWKXVEiRYLhmArV1TKMs6A= + busybox=1.36.1-r27 + 1547 + + + + Natanael Copa <ncopa@alpinelinux.org> + ca-certificates-bundle + 20220614-r4 + Pre generated bundle of Mozilla certificates + + + MPL-2.0 + + + MIT + + + cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + 
pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 + + + https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e1839fd45a096c9e21ac24f8a61991d357d11628 + 237568 + ca-certificates + ca-certificates-cacert=20220614-r4 + Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= + 126296 + + + + Natanael Copa <ncopa@alpinelinux.org> + libc-utils + 0.7.2-r3 + Meta package to pull in correct libc + + + BSD-2-Clause + + + BSD-3-Clause + + + cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 60424133be2e79bbfeff3d58147a22886f817ce2 + 4096 + libc-dev + 
Q19Gg06pBPiiG9UN94ql7qImsHSUQ= + musl-utils + 1485 + + + + Ariadne Conill <ariadne@dereferenced.org> + libcrypto3 + 3.0.8-r0 + Crypto library from openssl + + + Apache-2.0 + + + cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 4206592 + openssl + so:libcrypto.so.3=3 + Q1lyWpurYeMlLEt60ys+OlTABmzgs= + so:libc.musl-x86_64.so.1 + 1710217 + + + + Ariadne Conill <ariadne@dereferenced.org> + libcrypto3 + 3.0.8-r0 + Crypto library from openssl + + + Apache-2.0 + + + cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 4206592 + openssl + so:libcrypto.so.3=3 + Q1lyWpurYeMlLEt60ys+OlTABmzgs= + so:libc.musl-x86_64.so.1 + 1710217 + + + + Ariadne Conill <ariadne@dereferenced.org> + libssl3 + 3.0.8-r0 + SSL shared libraries + + + Apache-2.0 + + + cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 622592 + openssl + so:libssl.so.3=3 + Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + 246853 + + + + Timo Teräs <timo.teras@iki.fi> + musl + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* + 
pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 634880 + musl + so:libc.musl-x86_64.so.1=1 + Q1Pk7x1woArbB1nzkMPJPq1TECwus= + 388955 + + + + Timo Teräs <timo.teras@iki.fi> + musl-utils + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + BSD-2-Clause + + + GPL-2.0-or-later + + + cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 135168 + musl + cmd:getconf=1.2.3-r4 + cmd:getent=1.2.3-r4 + cmd:iconv=1.2.3-r4 + cmd:ldconfig=1.2.3-r4 + cmd:ldd=1.2.3-r4 + Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= + scanelf + so:libc.musl-x86_64.so.1 + 36697 + + + + Natanael Copa <ncopa@alpinelinux.org> + scanelf + 1.3.5-r1 + Scan ELF binaries for stuff + + + GPL-2.0-only + + + cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* + pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 + + + https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e52243dbb02069f10d48440ccc5fd41fa5fc2236 + 98304 + pax-utils + cmd:scanelf=1.3.5-r1 + Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= + so:libc.musl-x86_64.so.1 + 37687 + + + + Sören 
Tempel <soeren+alpine@soeren-tempel.net> + ssl_client + 1.36.1-r27 + EXternal ssl_client for busybox wget + + + GPL-2.0-only + + + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 28672 + busybox + cmd:ssl_client=1.36.1-r27 + Q1QuqZjeP6XG85I29tOiCWofL8Cj0= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + 4929 + + + + Natanael Copa <ncopa@alpinelinux.org> + zlib + 1.2.10-r0 + A compression/decompression Library + + + Zlib + + + cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* + pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 + + + https://zlib.net/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bb37266b06a72d21d1fd850ef4b86665cf9ef70f + 110592 + zlib + so:libz.so.1=1.2.13 + Q1rjnXT01l1PAxXheUxe4Oldl5rFk= + so:libc.musl-x86_64.so.1 + 54258 + + + + Natanael Copa <ncopa@alpinelinux.org> + zlib + 1.2.10-r0 + A compression/decompression Library + + + Zlib + + + cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* + pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 + + + https://zlib.net/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bb37266b06a72d21d1fd850ef4b86665cf9ef70f + 110592 + zlib + so:libz.so.1=1.2.13 + 
Q1rjnXT01l1PAxXheUxe4Oldl5rFk= + so:libc.musl-x86_64.so.1 + 54258 + + + + alpine + 3.17.2 + Alpine Linux v3.17 + + + + https://gitlab.alpinelinux.org/alpine/aports/-/issues + + + https://alpinelinux.org/ + + + + alpine + Alpine Linux v3.17 + 3.17.2 + + + + diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 6f6cc8b4a5..eb2c7c3f40 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -172,6 +172,13 @@ func TestRun(t *testing.T) { args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/bad-purls.cdx.xml"}, exit: 0, }, + // one specific supported sbom with duplicate PURLs + { + name: "one specific supported sbom with duplicate PURLs", + args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/with-duplicates.cdx.xml"}, + exit: 1, + }, + // one specific unsupported lockfile { name: "one specific unsupported lockfile", args: []string{"", "./fixtures/locks-many/not-a-lockfile.toml"}, diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ea9b9aa92a..f48f7d3313 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -443,7 +443,7 @@ func extractMavenDeps(f lockfile.DepFile) (lockfile.Lockfile, error) { // within to `query` func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedPackage, error) { var errs []error - var packages []scannedPackage + packages := map[string]scannedPackage{} for _, provider := range sbom.Providers { if fromFSScan && !provider.MatchesRecognizedFileNames(path) { // Skip if filename is not usually a sbom file of this format. 
@@ -470,13 +470,18 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP //nolint:nilerr return nil } - packages = append(packages, scannedPackage{ + + if _, ok := packages[id.PURL]; ok { + r.Warnf("Warning, duplicate PURL found in SBOM: %s\n", id.PURL) + } + + packages[id.PURL] = scannedPackage{ PURL: id.PURL, Source: models.SourceInfo{ Path: path, Type: "sbom", }, - }) + } return nil }) @@ -515,11 +520,17 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP } } - slices.SortFunc(packages, func(i, j scannedPackage) int { + sliceOfPackages := make([]scannedPackage, 0, len(packages)) + + for _, pkg := range packages { + sliceOfPackages = append(sliceOfPackages, pkg) + } + + slices.SortFunc(sliceOfPackages, func(i, j scannedPackage) int { return strings.Compare(i.PURL, j.PURL) }) - return packages, nil + return sliceOfPackages, nil } var formatErr sbom.InvalidFormatError @@ -539,7 +550,7 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP } } - return packages, nil + return nil, nil } func getCommitSHA(repoDir string) (string, error) {
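Review bot: The new duplicate warning does not say which SBOM the repeated PURL came from, so when several SBOMs are scanned in one run (as the snapshot hunk shows) a reader can only attribute it by adjacency to the later `Scanned …` line; `path` is in scope here, so `r.Warnf("Warning, duplicate PURL found in SBOM %s: %s\n", path, id.PURL)` would make each warning self-contained. The lookup is also keyed on the raw `id.PURL` string, so only byte-identical repeats like the two in the fixture are collapsed; PURLs that differ only in qualifier order, case of the type/namespace, or percent-encoding would still be scanned twice, which deserves a comment such as `// keyed on the raw PURL string: only exact repeats are treated as duplicates` above the `if _, ok := packages[id.PURL]; ok` line, or keying on a canonical form if the parsed `id` exposes one. The callback and scanSBOMFile both extend beyond this hunk.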
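Review bot: The copy-to-slice-then-sort step carries no comment explaining why the sort is now required rather than cosmetic: `packages` is a map with random iteration order, so without `slices.SortFunc` the returned order, and hence the snapshot output, would vary between runs. A one-line note above `sliceOfPackages := make([]scannedPackage, 0, len(packages))` such as `// packages is a map; collect its values and sort by PURL so the result order is deterministic` would stop the next reader from treating the sort as droppable. If the module already targets Go 1.23 the loop could become `slices.Collect(maps.Values(packages))`, but that is optional. scanSBOMFile continues past the end of this hunk.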
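Review bot: The fall-through `return nil, nil` silently discards whatever the `packages` map holds at that point, and because the map is declared before the `for _, provider := range sbom.Providers` loop (in the first hunk of this file) and is never cleared between iterations, entries one provider adds before returning an error would also be merged into a later provider's result on its success path. If providers can invoke the callback before failing, resetting the map at the top of each iteration, `clear(packages)`, or declaring it inside the loop, would keep each provider's parse isolated; if they cannot, a comment at the declaration saying so would document why the shared map is safe. The error-handling part of the loop body is outside the hunk, so this is inferred from the visible declaration and return statements.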