bug(cyclonedx): wrong purl for local Go dependencies #5449

Closed
DmitriyLewen opened this issue Oct 26, 2023 Discussed in #5434 · 5 comments · Fixed by #5448
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments

@DmitriyLewen
Contributor

Discussed in #5434

We don't create PURL for local Go dependencies, but still create CycloneDX component:

      "bom-ref": "pkg:/",
      "type": "library",
      "name": "./api",
      "purl": "pkg:/",
      "properties": [
...

  "dependencies": [
    {
      "ref": "03a5f5e8-87ca-4f07-9309-c5de465ce1a8",
      "dependsOn": [
        "pkg:/",
...
@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Oct 26, 2023
@DmitriyLewen DmitriyLewen self-assigned this Oct 26, 2023
@knqyf263
Collaborator

@DmitriyLewen We should include local dependencies. In case we cannot generate PURL, we should use UUID.

This relies on a component's bom-ref to associate the component to the dependency element in the graph. The only requirement for bom-ref is that it is unique within the BOM. Package URL (PURL) is an ideal choice for bom-ref as it will be both unique and readable. If PURL is not an option or not all components represented in the BOM contain a PURL, then UUID is recommended.

https://cyclonedx.org/use-cases/#dependency-graph
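
As an added illustration of the bom-ref rule quoted above (example code, not Trivy's own implementation): a small Go helper that emits a pkg:golang PURL for modules with a real import path and falls back to a random version-4 UUID for local ./ modules, so no component ends up with the malformed "pkg:/" reference. The GoModule and Component types, and the assumption that module paths are plain ASCII, are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// GoModule is a constructed stand-in for one entry of Go build info.
type GoModule struct {
	Path    string // "github.com/spf13/cobra", or "./api" for a local replace
	Version string // "v1.7.0", or "(devel)"
}

// Component holds the CycloneDX fields at issue: PURL may be empty, but BOMRef
// must always be set and unique within the BOM.
type Component struct{ BOMRef, Name, PURL string }

// golangPURL builds pkg:golang/<path>@<version>; purl-spec wants the golang
// namespace and name lower-cased (segments assumed plain ASCII here). A relative
// path is a local module and has no PURL, so ok is false.
func golangPURL(m GoModule) (purl string, ok bool) {
	if m.Path == "." || strings.HasPrefix(m.Path, "./") || strings.HasPrefix(m.Path, "../") {
		return "", false
	}
	purl = "pkg:golang/" + strings.ToLower(m.Path)
	if m.Version != "" {
		purl += "@" + m.Version
	}
	return purl, true
}

// newUUIDv4 makes a random RFC 4122 version-4 UUID using only the standard library.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = b[6]&0x0f | 0x40 // version nibble = 4
	b[8] = b[8]&0x3f | 0x80 // RFC 4122 variant bits
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// NewComponent applies the CycloneDX guidance: PURL as bom-ref when one exists,
// otherwise a UUID, so the BOM never carries the malformed "pkg:/" ref.
func NewComponent(m GoModule) (Component, error) {
	if purl, ok := golangPURL(m); ok {
		return Component{BOMRef: purl, Name: m.Path, PURL: purl}, nil
	}
	id, err := newUUIDv4()
	return Component{BOMRef: id, Name: m.Path}, err
}
```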

@MPV

MPV commented Nov 7, 2023

After the fix in #5448 I am now instead getting:

"message": "invalid package url: in manifest \"gobinary\" decoding \"\": scheme is missing",

@DmitriyLewen
Contributor Author

Hello @MPV
Can you give more information about your case, please?

@MPV

MPV commented Nov 7, 2023

Can you give more information about your case, please?

Yes, see:

@DmitriyLewen
Contributor Author

Hello @MPV
Looks like this is a GitHub bug.

But it is strange. We don't fill the purl field for local Go dependencies:

    {
      "name": "./api",
      "SPDXID": "SPDXRef-Package-cab1689fa6aee0c7",
      "versionInfo": "(devel)",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "copyrightText": "",
      "primaryPackagePurpose": "LIBRARY"
    },

GitHub docs say that file must follow SPDX format - https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository
But externalRefs (the field that carries the purl) is not a required field - https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field.
