Potential Bug: SBOM File Format Naming Conventions and File Format Auto-Detection #12
Comments
Thanks, @ZombieNub! We really appreciate this bug report. This does indeed sound like a big problem. Did we mention this project is new? 😓 We'll investigate and get back to you. Thank you, again!
Hi @ZombieNub: First, thank you again for reporting a bug and opening an issue. This is the first issue from someone that is not a member of one of the cohort companies. So this is awesome! Keep it up! The more bugs reported, the merrier. And PRs always welcome too. I did some investigation. And thanks to @houdini91, @manifestori and @puerco for some behind the scenes debugging. (There's a slack for this project, currently only open to relevant DHS staff and staff from the seven companies from this project. Feel free to drop in there for quicker, more interactive feedback. Though I personally like GitHub issues more! :) ) So, first I am using a MacBook (not Windows) and I am using the code at head (commit 9cc9bea). I am also not using the command I used one of the JSON files you identified: 0x59616e_SteinsOS_syft_spdx.json.txt (I had to add .txt to the end of the file because the GitHub UI does not allow me to drag and drop a JSON document directly into the comment box. Apologies.) I used these steps: git clone https://github.com/bom-squad/sbom-convert.git Then I moved into the sbom-convert folder: cd sbom-convert I then used For example: go run . But I actually run the commands like this: go run . 0x59616e_SteinsOS_syft_spdx.json.txt > 0x59616e_SteinsOS_converted_cdx.json In this conversion from an SPDX to a CycloneDX document, I get non-blank output, just like the steps you describe above. This is the output I get: 0x59616e_SteinsOS_converted_cdx.json.txt (I again added a .txt to the end of the document because of the GitHub UI's inability to ingest a JSON document in the comment box.) I then did a second conversion:
And I got a non-blank file: double_converted_back_to_spdx.json.txt And I would say it looks "similar" to the original SPDX document. Though this project probably admittedly needs a more formal definition of similar :) In conclusion, I personally can't replicate the bug. I'm sorry. Would you be willing to report the version of windows you're using, the version of Go you're using, and the version of I do have a Windows machine that I occasionally use that I could probably find and I could try to replicate it with the same versions you have. Additionally, if you want to pair program some time, that might be an effective to get to the root of the problem together! Again, thanks for the bug. I look forward to figuring this out together! Details of my machine and software
Hi @jspeed-meyers, Sorry for the late response. I did more testing and found the source of the error may be due to the file name. I found that converting the files using the -o option properly named the file to end in either spdx or cdx, allowing the repeat conversion to recognize the file format. When this is not done, like with redirecting the contents to a file which does not end in spdx or cdx, the command cannot infer the file type and exits immediately. I believe this is why the error only occurred when I named the output file I admit this error occurred due to my unfamiliarity with the spdx and cdx file formats, and I did not know that the file name had to end in spdx or cdx in order for the conversion to work. Maybe the error message should state that the file must end in spdx or cdx? Thank you for looking over this issue. Details of my machine and software
Anytime! Keep the bug reports coming.
Indeed. That does sound like a problem. @manifestori and @houdini91: how does the code recognize file format right now? Is that being handled by
@ZombieNub Thank you for your feedback, I believe that "auto-healing" output names wasn't a great decision on my behalf. Since we would never default into a file output, prioritize stdout over it. We should trust the user's input for the filename, perhaps only warn (if verbose is on) when a file does not comply with file patterns. For example, output an SBOM encoded to JSON into a file without the .json extension. See those for "accepted filename patterns" @jspeed-meyers This is done by
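The detection behaviour discussed in this thread (format inferred from the output file name, so a redirected `result.json` or `intermediate.json` cannot be classified and the second conversion produces nothing) is shown below as an added example in Go. It is not the sbom-convert project's own code: it contrasts name-only detection with sniffing the document's top-level keys, which the SPDX JSON binding (`spdxVersion`) and the CycloneDX JSON binding (`bomFormat`) define, and it makes the failure message say which names would have been accepted. The suffix rules, the function names and the two minimal sample documents are assumptions of this example, not the project's actual patterns.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Format is the SBOM format an input was classified as.
type Format string

const (
	FormatSPDX      Format = "spdx"
	FormatCycloneDX Format = "cdx"
	FormatUnknown   Format = "unknown"
)

// Constructed minimal documents for the demonstration; real SBOMs carry far more.
const (
	sampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example"}`
	sampleCDX  = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1}`
)

// formatFromName is name-only detection (assumed suffix rules, not the
// project's actual patterns): the name, minus a trailing ".json", must end in
// "spdx" or "cdx". A redirected "result.json" therefore classifies as unknown.
func formatFromName(name string) Format {
	stem := strings.TrimSuffix(strings.ToLower(filepath.Base(name)), ".json")
	switch {
	case strings.HasSuffix(stem, "spdx"):
		return FormatSPDX
	case strings.HasSuffix(stem, "cdx"):
		return FormatCycloneDX
	}
	return FormatUnknown
}

// formatFromContent sniffs the top-level markers each JSON binding defines:
// SPDX JSON has "spdxVersion", CycloneDX JSON has "bomFormat": "CycloneDX".
// Only those two keys are decoded; the rest of the document is ignored.
func formatFromContent(data []byte) Format {
	var probe struct {
		SPDXVersion string `json:"spdxVersion"`
		BomFormat   string `json:"bomFormat"`
	}
	if err := json.Unmarshal(data, &probe); err != nil {
		return FormatUnknown
	}
	switch {
	case probe.SPDXVersion != "":
		return FormatSPDX
	case probe.BomFormat == "CycloneDX":
		return FormatCycloneDX
	}
	return FormatUnknown
}

// DetectFormat trusts the content first and uses the name only as a fallback,
// so a well-formed document is accepted whatever it was called. When neither
// source identifies the format, the error states which names would have.
func DetectFormat(name string, data []byte) (Format, error) {
	if f := formatFromContent(data); f != FormatUnknown {
		return f, nil
	}
	if f := formatFromName(name); f != FormatUnknown {
		return f, nil
	}
	return FormatUnknown, fmt.Errorf("%s: cannot infer SBOM format from content; file name must end in spdx or cdx (optionally followed by .json)", name)
}

func main() {
	cases := []struct {
		name string
		data string
	}{
		{"result.json", sampleSPDX},                      // redirected output, SPDX inside
		{"intermediate.json", sampleCDX},                 // redirected output, CycloneDX inside
		{"0x59616e_SteinsOS_syft_spdx.json", "not json"}, // name carries the hint, content does not
		{"result.json", "{}"},                            // nothing to go on
	}
	for _, c := range cases {
		byName := formatFromName(c.name)
		detected, err := DetectFormat(c.name, []byte(c.data))
		fmt.Printf("%-36s name-only=%-8s content+name=%-8s err=%v\n", c.name, byName, detected, err)
	}
}
```

Running it shows the two redirected files classified correctly from their content, the `_spdx.json` name still honoured when the content is unusable, and an explanatory error instead of a silent exit when neither is available.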
Sorry for the delay, I will submit a fix for this really soon <3
When attempting to convert a file twice in a row, the resulting file is blank. The file after the first conversion is not blank. This error occurs with spdx and cyclonedx files.

What should happen: The resulting file should be similar to the original file and follow the same format.

Steps to reproduce:

1. `.\go-cli.exe .\<FILENAME> | .\go-cli.exe > result.json`
2. `result.json` should be blank.

Alternative:

1. `.\go-cli.exe .\<FILENAME> intermediate.json`
2. `.\go-cli.exe .\intermediate.json > result.json`
3. `result.json` should be blank.

I've tested this with three example SBOM files: `0x59616e_SteinsOS_syft_spdx.json`, `0x727_ObserverWard_syft_spdx.json`, and `1amageek_Ballcap-iOS_syft_cyclonedx.json`. These are pre-generated SBOMs that can be found here.