What happened: I have a sbom.xml generated by checkov library and it's missing `<components>` xml tag. This command fails with such sbom.xml:

```
xeol --fail-on-eol-found --lookahead 1m sbom.xml -vv
[0000] INFO xeol version: 0.9.15
[0000] DEBUG config:
  log:
    quiet: false
    level: debug
    file: ""
  dev:
    profile: none
  output: []
  file: ""
  distro: ""
  check-for-app-update: true
  platform: ""
  search:
    scope: Squashed
    unindexed-archives: false
    indexed-archives: true
  db:
    cache-dir: /home/dwnukowski/.cache/xeol/db
    update-url: https://data.xeol.io/xeol/databases/listing.json
    ca-cert: ""
    auto-update: true
    validate-by-hash-on-start: false
    validate-age: true
    max-allowed-built-age: 120h0m0s
  lookahead: 1m
  fail-on-eol-found: true
  api-key: ""
  project-name: ""
  image-path: Dockerfile
  commit-hash: ""
  match:
    packages:
      using-purls: true
    distro:
      using-cpes: true
  registry:
    insecure-skip-tls-verify: false
    insecure-use-http: false
    auth: []
    ca-cert: ""
  name: ""
  default-image-pull-source: ""
[0000] DEBUG no new xeol update available
[0000] DEBUG gathering packages
[0000] DEBUG Fetching organization policies
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on eol database
[0000] DEBUG checking for available database updates
[0000] DEBUG found database update candidate: Listing(url=https://data.xeol.io/xeol/databases/xeol-db_v1_2024-05-10T03:51:15.748131Z.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
1 error occurred:
  * failed to catalog: unable to decode sbom: unable to identify format
```

even though sbom schema says it's optional, so the sbom should be valid and parsed properly: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.4.xsd#L369
What you expected to happen: xeol not ending with decoding error when a valid sbom.xml is provided
How to reproduce it (as minimally and precisely as possible): Use command specified above on this sbom file:
```xml
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5c6fb934-a145-4b58-b779-567374571b13" version="1">
  <metadata>
    <timestamp>2024-05-10T10:03:40.878180+00:00</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>6.4.1</version>
        <externalReferences>
          <reference type="build-system">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
          </reference>
          <reference type="distribution">
            <url>https://pypi.org/project/cyclonedx-python-lib/</url>
          </reference>
          <reference type="documentation">
            <url>https://cyclonedx-python-library.readthedocs.io/</url>
          </reference>
          <reference type="issue-tracker">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
          </reference>
          <reference type="license">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
          </reference>
          <reference type="release-notes">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
          </reference>
          <reference type="vcs">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
          </reference>
          <reference type="website">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
          </reference>
        </externalReferences>
      </tool>
      <tool>
        <vendor>bridgecrew</vendor>
        <name>checkov</name>
        <version>UNKNOWN</version>
        <externalReferences>
          <reference type="build-system">
            <url>https://github.com/bridgecrewio/checkov/actions</url>
          </reference>
          <reference type="distribution">
            <url>https://pypi.org/project/checkov/</url>
          </reference>
          <reference type="documentation">
            <url>https://www.checkov.io/1.Welcome/What%20is%20Checkov.html</url>
          </reference>
          <reference type="issue-tracker">
            <url>https://github.com/bridgecrewio/checkov/issues</url>
          </reference>
          <reference type="license">
            <url>https://github.com/bridgecrewio/checkov/blob/master/LICENSE</url>
          </reference>
          <reference type="social">
            <url>https://twitter.com/bridgecrewio</url>
          </reference>
          <reference type="vcs">
            <url>https://github.com/bridgecrewio/checkov</url>
          </reference>
          <reference type="website">
            <url>https://www.checkov.io/</url>
          </reference>
        </externalReferences>
      </tool>
    </tools>
  </metadata>
</bom>
```

Anything else we need to know?: That's all I think.

Environment:

`xeol version`: 0.9.15

`cat /etc/os-release` or similar: Fedora running on WSL:

```
cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container
```

@damian-wnukowski-worldline can you let me know if this is resolved with the latest version of xeol v0.10.0
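
For pipelines that gate on an EOL scan, a pre-flight check can separate "valid CycloneDX BOM with no components" from "not an SBOM at all", so a decode failure like the one in this issue is not mistaken for a clean result. The following Go sketch is an added example, not xeol's code and not part of the issue thread; `InspectCycloneDX` and both sample documents are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// Namespace prefix that CycloneDX XML documents declare on the root <bom>.
const cdxNamespace = "http://cyclonedx.org/schema/bom/"

// Constructed samples: metadata only (the shape in this issue, trimmed) and one component.
const (
	metadataOnly = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"><metadata><timestamp>2024-05-10T10:03:40+00:00</timestamp></metadata></bom>`
	oneComponent = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"><components><component type="library"><name>example-lib</name><version>1.0.0</version></component></components></bom>`
)

// bom models only what the check needs; Components stays nil when <components> is absent.
type bom struct {
	XMLName    xml.Name
	Components *struct {
		Items []struct {
			Name string `xml:"name"`
		} `xml:"component"`
	} `xml:"components"`
}

// InspectCycloneDX (hypothetical helper) identifies the format from the root element
// alone and counts top-level components; a missing <components> means zero, not "unknown format".
func InspectCycloneDX(data []byte) (schema string, components int, err error) {
	var b bom
	if err = xml.NewDecoder(bytes.NewReader(data)).Decode(&b); err != nil {
		return "", 0, fmt.Errorf("not well-formed XML: %w", err)
	}
	if b.XMLName.Local != "bom" || !strings.HasPrefix(b.XMLName.Space, cdxNamespace) {
		return "", 0, fmt.Errorf("root <%s> (namespace %q) is not a CycloneDX bom", b.XMLName.Local, b.XMLName.Space)
	}
	if b.Components != nil {
		components = len(b.Components.Items)
	}
	return strings.TrimPrefix(b.XMLName.Space, cdxNamespace), components, nil
}

func main() {
	for _, doc := range []string{metadataOnly, oneComponent, `<project/>`} {
		schema, n, err := InspectCycloneDX([]byte(doc))
		fmt.Printf("schema=%q components=%d err=%v\n", schema, n, err)
	}
}
```

A zero component count with a nil error is worth surfacing as a warning in CI: the scan has nothing to evaluate, which is different from finding no end-of-life packages.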