Missing licenses with warning "unable to convert relationship from CycloneDX 1.4 JSON" and "skipping encoding of unsupported property: syft:metadata:goBuildSetting"
What happened: I've tried to analyze the jenkins 2.346 image with syft and I got a lot of warnings which stated "unable to convert relationship from CycloneDX 1.4 JSON" and "skipping encoding of unsupported property: syft:metadata:goBuildSetting". After analyzing the BOM, I noticed that some licenses were missing.
What you expected to happen: All licenses are correctly displayed and no error messages pop up when analyzing the jenkins 2.346 image.
How to reproduce it (as minimally and precisely as possible):
- Analyze and automatically pull the image with syft packages jenkins/jenkins:2.346 -vv -o cyclonedx-json=sbom.json
- Analyze stdout and the sbom.
Anything else we need to know?: log:
[0000]  INFO syft version: 0.46.1
[0000] DEBUG application config:
verbosity: 2
quiet: false
output:
- cyclonedx-json=sbom-report-syft-new.json
file: ""
check-for-app-update: true
anchore:
host: ""
path: ""
dockerfile: ""
overwrite-existing-image: false
import-timeout: 30
dev:
profile-cpu: false
profile-mem: false
log:
structured: false
level: debug
file: ""
package:
cataloger:
enabled: true
scope: Squashed
search-unindexed-archives: false
search-indexed-archives: true
file-metadata:
cataloger:
enabled: false
scope: Squashed
digests:
- sha256
file-classification:
cataloger:
enabled: false
scope: Squashed
file-contents:
cataloger:
enabled: false
scope: Squashed
skip-files-above-size: 1048576
globs: []
secrets:
cataloger:
enabled: false
scope: AllLayers
additional-patterns: {}
exclude-pattern-names: []
reveal-values: false
skip-files-above-size: 1048576
registry:
insecure-skip-tls-verify: false
insecure-use-http: false
auth: []
exclude: []
attest:
key: ""
cert: ""
no_upload: false
force: false
recursive: false
replace: false
fulcio_url: https://fulcio.sigstore.dev
fulcio_identity_token: ""
insecure_skip_verify: false
rekor_url: https://rekor.sigstore.dev
oidc_issuer: https://oauth2.sigstore.dev/auth
oidc_client_id: sigstore
oidc_redirect_url: ""
platform: ""
[0000] DEBUG checking if new vesion of syft is available
[0000] DEBUG no new syft update available
[0000] DEBUG image: source=DockerDaemon location=jenkins/jenkins:2.346 from-lib=stereoscope
[0005] DEBUG image metadata: digest=sha256:5c1acdaa7aa743273673a87dfe37a81236c0b88c3ad5f0761715545c32831d23 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[jenkins/jenkins:2.346] from-lib=stereoscope
[0005] DEBUG layer metadata: index=0 digest=sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=1 digest=sha256:5e10d37dc0cd4c6978cfbd3640a108c68a6f3036975e44a6fa039ee2b4144812 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=2 digest=sha256:858cfcf4b9ff871f07a641bcc6c41787bf64cbaf8f1932055a9d2ec79c5900c9 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=3 digest=sha256:44fc0e532029a0f86941a3b610daea8027958e8486a61184dea7ad80d3cb413f mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=4 digest=sha256:5b2c0a93eff0d66ad70cf01ab67f01a3a299d845dda9f67633409caa89271682 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=5 digest=sha256:cfac37823b42869c6ebd7209c673dcdf4496268e6c7e38dd7f05095d024290d8 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=6 digest=sha256:dfd6d576f5834f059597f85f8c7d7aaa772ef1821571064da2b774b3a155301f mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=7 digest=sha256:ee19a8df754b0c3b4e5908c0fbd8ff3f50768f4fcbf66e0cf69427860a7d47dd mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0005] DEBUG layer metadata: index=8 digest=sha256:4f2496d361b49822f0efb7e7b8bdd262816297d1b161212d135bb047ea507129 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=9 digest=sha256:95de4f001086a283d30625bffa4bc5011b98832e700db95d98d097635bafd054 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=10 digest=sha256:ac96932111c53d10baf27ea67b0b227d70de6d0a44f20f53946613558e457ed0 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=11 digest=sha256:5bdfa9119ec5e4f27e31c97db4b1d0ab77d9862d2270e0434d308512a3e2e0d9 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=12 digest=sha256:e3a22aa684d3dbd0c12f2988fea604721aa97fc212b2e7b8995b1dcebe2dac05 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=13 digest=sha256:dee1aab7257d25d44506ccfcd7b0f7baa60e4e2a4773c0836e3ced497aa002a5 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=14 digest=sha256:b9c978b46c3f18bf3651d4dd9d45e8ce9870d2aeb4a02bf26ef8d7f786f18a12 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=15 digest=sha256:6581614953682c5e239e47092ec14c63f0d6c8b4a885709736ad7d14850f94bd mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006] DEBUG layer metadata: index=16 digest=sha256:fc40381a6c0bc459c1e0903dd0e139d52bd1c25290635bde6195b2e571f3929e mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006]  INFO identified distro: Debian GNU/Linux 11 (bullseye)
[0006]  INFO cataloging image
[0006] DEBUG cataloging with "ruby-gemspec-cataloger"
[0006] DEBUG discovered 0 packages
[0006] DEBUG cataloging with "python-package-cataloger"
[0006] DEBUG discovered 0 packages
[0006] DEBUG cataloging with "php-composer-installed-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "javascript-package-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "dpkgdb-cataloger"
[0007] DEBUG discovered 165 packages
[0007] DEBUG cataloging with "rpmdb-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "java-cataloger"
[0010] DEBUG discovered 292 packages
[0010] DEBUG cataloging with "apkdb-cataloger"
[0010] DEBUG discovered 0 packages
[0010] DEBUG cataloging with "go-module-binary-cataloger"
[0010] DEBUG discovered 26 packages
[0010] DEBUG cataloging with "dotnet-deps-cataloger"
[0010] DEBUG discovered 0 packages
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[...]
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/etc/deluser.conf" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/usr/sbin/adduser" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/usr/sbin/deluser" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[...]
Environment:
- Output of syft version:
Application: syft
Version: 0.46.1
JsonSchemaVersion: 3.2.3
BuildDate: 2022-05-16T15:00:53Z
GitCommit: 03ee4fdf5e87907c5a49ae353c44682894bb411c
GitDescription: v0.46.1
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
- OS (e.g. cat /etc/os-release or similar): WSL2 Ubuntu 22.04:
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Just ran this locally and confirmed we need to add support to the cyclonedxhelpers folder for the goBuildSettings
This could be a good first issue for anyone who is curious about how syft does the translation from its core data model into the different formats.
Quick note: unable to convert relationship from CycloneDX... is not a warning, it's a DEBUG level message.
This issue is otherwise two separate issues and should be split up:
- support for map[string]string encoding/decoding for Syft properties (in CycloneDX) -- this is probably a nontrivial issue due to required reflection usage
- missing licenses in the output -- this is likely to be due to no license information being present, but further investigation is required here
It also looks like the license ask may be a duplicate of: https://github.com/anchore/syft/issues/229 -- what do you think?
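To illustrate the map[string]string encoding point above, here is an added Go example (not syft's own code; the GoBinMetadata struct, its cyclonedx tags and EncodeProperties are assumptions). It reflects over a metadata struct, flattens a map field such as goBuildSettings into CycloneDX name/value properties, and returns the names of any field kinds it cannot encode so the caller can emit the "skipping encoding of unsupported property" warning instead of silently losing build provenance from the SBOM.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Property mirrors a CycloneDX property: a flat name/value pair.
type Property struct{ Name, Value string }

// GoBinMetadata is a constructed stand-in for syft's Go binary metadata (field
// and tag names are assumptions); BuildSettings has the map[string]string kind.
type GoBinMetadata struct {
	GoCompiledVersion string            `cyclonedx:"goCompiledVersion"`
	MainModule        string            `cyclonedx:"mainModule"`
	BuildSettings     map[string]string `cyclonedx:"goBuildSettings"`
}

// EncodeProperties emits one property per non-empty tagged string field under a
// namespace such as "syft:metadata"; a map[string]string field is flattened to
// "<ns>:<field>:<key>" in sorted key order; other kinds are returned in skipped.
func EncodeProperties(ns string, v interface{}) (props []Property, skipped []string) {
	rv := reflect.Indirect(reflect.ValueOf(v))
	for i := 0; i < rv.NumField(); i++ {
		f, fv := rv.Type().Field(i), rv.Field(i)
		name := ns + ":" + f.Tag.Get("cyclonedx")
		switch {
		case fv.Kind() == reflect.String:
			if s := fv.String(); s != "" {
				props = append(props, Property{name, s})
			}
		case fv.Kind() == reflect.Map && fv.Type().Key().Kind() == reflect.String &&
			fv.Type().Elem().Kind() == reflect.String:
			keys := fv.MapKeys()
			sort.Slice(keys, func(a, b int) bool { return keys[a].String() < keys[b].String() })
			for _, k := range keys {
				props = append(props, Property{name + ":" + k.String(), fv.MapIndex(k).String()})
			}
		default:
			skipped = append(skipped, name) // caller logs the unsupported-property warning
		}
	}
	return props, skipped
}

func main() {
	md := GoBinMetadata{GoCompiledVersion: "go1.18.1", MainModule: "example.com/tool", // constructed
		BuildSettings: map[string]string{"CGO_ENABLED": "0", "-compiler": "gc"}}
	props, skipped := EncodeProperties("syft:metadata", md)
	fmt.Println(props, "skipped:", skipped)
}
```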