if version is not valid, revert back to using package

Signed-off-by: pxp928 <parth.psu@gmail.com>
guacsec · Sep 18, 2024 · 0c79306 · 0c79306
1 parent 1e70b16
commit 0c79306
Show file tree

Hide file tree

Showing 4 changed files with 247 additions and 4 deletions.
diff --git a/internal/testing/testdata/exampledata/distroless-cyclonedx-invalid-version.json b/internal/testing/testdata/exampledata/distroless-cyclonedx-invalid-version.json
@@ -0,0 +1,180 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:6a44e622-2983-4566-bf90-f87b6103ebaf",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-10-08T10:01:23-04:00",
+    "tools": [
+      {
+        "vendor": "anchore",
+        "name": "syft",
+        "version": "0.58.0"
+      }
+    ],
+    "component": {
+      "bom-ref": "5885a240f2842b78",
+      "type": "container",
+      "name": "gcr.io/distroless/static",
+      "version": "nonroot"
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:deb/debian/base-files@11.1+deb11u5?arch=amd64\u0026distro=debian-11\u0026package-id=f998ebd648b2753b",
+      "type": "library",
+      "publisher": "Santiago Vila \u003csanvila@debian.org\u003e",
+      "name": "base-files",
+      "version": "11.1+deb11u5",
+      "cpe": "cpe:2.3:a:base-files:base-files:11.1\\+deb11u5:*:*:*:*:*:*:*",
+      "purl": "pkg:deb/debian/base-files@11.1+deb11u5?arch=amd64\u0026distro=debian-11",
+      "properties": [
+        {
+          "name": "syft:package:foundBy",
+          "value": "dpkgdb-cataloger"
+        },
+        {
+          "name": "syft:package:metadataType",
+          "value": "DpkgMetadata"
+        },
+        {
+          "name": "syft:package:type",
+          "value": "deb"
+        },
+        {
+          "name": "syft:cpe23",
+          "value": "cpe:2.3:a:base-files:base_files:11.1\\+deb11u5:*:*:*:*:*:*:*"
+        },
+        {
+          "name": "syft:cpe23",
+          "value": "cpe:2.3:a:base_files:base-files:11.1\\+deb11u5:*:*:*:*:*:*:*"
+        },
+        {
+          "name": "syft:cpe23",
+          "value": "cpe:2.3:a:base_files:base_files:11.1\\+deb11u5:*:*:*:*:*:*:*"
+        },
+        {
+          "name": "syft:cpe23",
+          "value": "cpe:2.3:a:base:base-files:11.1\\+deb11u5:*:*:*:*:*:*:*"
+        },
+        {
+          "name": "syft:cpe23",
+          "value": "cpe:2.3:a:base:base_files:11.1\\+deb11u5:*:*:*:*:*:*:*"
+        },
+        {
+          "name": "syft:location:0:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:0:path",
+          "value": "/usr/share/doc/base-files/copyright"
+        },
+        {
+          "name": "syft:location:1:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:1:path",
+          "value": "/var/lib/dpkg/status.d/base"
+        },
+        {
+          "name": "syft:metadata:installedSize",
+          "value": "340"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:deb/debian/netbase@6.3?arch=all\u0026distro=debian-11\u0026package-id=913906225fd3778b",
+      "type": "library",
+      "publisher": "Marco d'Itri \u003cmd@linux.it\u003e",
+      "name": "netbase",
+      "version": "6.3",
+      "licenses": [
+        {
+          "license": {
+            "id": "GPL-2.0-only"
+          }
+        }
+      ],
+      "cpe": "cpe:2.3:a:netbase:netbase:6.3:*:*:*:*:*:*:*",
+      "purl": "pkg:deb/debian/netbase@6.3?arch=all\u0026distro=debian-11",
+      "properties": [
+        {
+          "name": "syft:package:foundBy",
+          "value": "dpkgdb-cataloger"
+        },
+        {
+          "name": "syft:package:metadataType",
+          "value": "DpkgMetadata"
+        },
+        {
+          "name": "syft:package:type",
+          "value": "deb"
+        },
+        {
+          "name": "syft:location:0:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:0:path",
+          "value": "/usr/share/doc/netbase/copyright"
+        },
+        {
+          "name": "syft:location:1:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:1:path",
+          "value": "/var/lib/dpkg/status.d/netbase"
+        },
+        {
+          "name": "syft:metadata:installedSize",
+          "value": "41"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all\u0026distro=debian-11\u0026package-id=c1a811f89bc7edaf",
+      "type": "library",
+      "publisher": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e",
+      "name": "tzdata",
+      "version": "2021a-1+deb11u6",
+      "cpe": "cpe:2.3:a:tzdata:tzdata:2021a-1\\+deb11u6:*:*:*:*:*:*:*",
+      "purl": "pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all\u0026distro=debian-11",
+      "properties": [
+        {
+          "name": "syft:package:foundBy",
+          "value": "dpkgdb-cataloger"
+        },
+        {
+          "name": "syft:package:metadataType",
+          "value": "DpkgMetadata"
+        },
+        {
+          "name": "syft:package:type",
+          "value": "deb"
+        },
+        {
+          "name": "syft:location:0:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:0:path",
+          "value": "/usr/share/doc/tzdata/copyright"
+        },
+        {
+          "name": "syft:location:1:layerID",
+          "value": "sha256:528453af6f60f474766a9e288640095ccbf52e0f09ff068b1d11331c34f8bae1"
+        },
+        {
+          "name": "syft:location:1:path",
+          "value": "/var/lib/dpkg/status.d/tzdata"
+        },
+        {
+          "name": "syft:metadata:installedSize",
+          "value": "3404"
+        }
+      ]
+    }
+  ]
+}
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -77,6 +77,9 @@ var (
 	//go:embed exampledata/distroless-cyclonedx.json
 	CycloneDXDistrolessExample []byte
 
+	//go:embed exampledata/distroless-cyclonedx-invalid-version.json
+	CycloneDXDistrolessInvalidVersionExample []byte
+
 	//go:embed exampledata/busybox-cyclonedx.json
 	CycloneDXBusyboxExample []byte
 
@@ -1068,6 +1071,8 @@ var (
 	// CycloneDX Testdata
 	cdxTopLevelPack, _ = asmhelpers.PurlToPkg("pkg:guac/cdx/gcr.io/distroless/static@sha256:6ad5b696af3ca05a048bd29bf0f623040462638cb0b29c8d702cbb2805687388?tag=nonroot")
 
+	cdxTopLevelInvalidVersionPack, _ = asmhelpers.PurlToPkg("pkg:guac/cdx/gcr.io/distroless/static@nonroot")
+
 	cdxTzdataPack, _ = asmhelpers.PurlToPkg("pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all&distro=debian-11")
 
 	cdxNetbasePack, _ = asmhelpers.PurlToPkg("pkg:deb/debian/netbase@6.3?arch=all&distro=debian-11")
@@ -1126,6 +1131,51 @@ var (
 		HasSBOM:      CdxHasSBOM,
 	}
 
+	CdxHasSBOMInvalidVersion = []assembler.HasSBOMIngest{
+		{
+			Pkg: cdxTopLevelInvalidVersionPack,
+			HasSBOM: &model.HasSBOMInputSpec{
+				Uri:              "urn:uuid:6a44e622-2983-4566-bf90-f87b6103ebaf",
+				Algorithm:        "sha256",
+				Digest:           "cb3ea440e0529e8b07e0e1b694e96ec10149fd00d8b634a0027e5e15f11e3c9b",
+				DownloadLocation: "TestSource",
+				KnownSince:       cdxTime,
+			},
+		},
+	}
+
+	CdxInvalidVersionDeps = []assembler.IsDependencyIngest{
+		{
+			Pkg:    cdxTopLevelInvalidVersionPack,
+			DepPkg: cdxBasefilesPack,
+			IsDependency: &model.IsDependencyInputSpec{
+				DependencyType: model.DependencyTypeUnknown,
+				Justification:  isDepJustifyTopPkgJustification,
+			},
+		},
+		{
+			Pkg:    cdxTopLevelInvalidVersionPack,
+			DepPkg: cdxNetbasePack,
+			IsDependency: &model.IsDependencyInputSpec{
+				DependencyType: model.DependencyTypeUnknown,
+				Justification:  isDepJustifyTopPkgJustification,
+			},
+		},
+		{
+			Pkg:    cdxTopLevelInvalidVersionPack,
+			DepPkg: cdxTzdataPack,
+			IsDependency: &model.IsDependencyInputSpec{
+				DependencyType: model.DependencyTypeUnknown,
+				Justification:  isDepJustifyTopPkgJustification,
+			},
+		},
+	}
+
+	CdxIngestionInvalidVersionPredicates = assembler.IngestPredicates{
+		IsDependency: CdxInvalidVersionDeps,
+		HasSBOM:      CdxHasSBOMInvalidVersion,
+	}
+
 	cdxTopQuarkusPack, _ = asmhelpers.PurlToPkg("pkg:maven/org.acme/getting-started@1.0.0-SNAPSHOT?type=jar")
 
 	cdxResteasyPack, _ = asmhelpers.PurlToPkg("pkg:maven/io.quarkus/quarkus-resteasy-reactive@2.13.4.Final?type=jar")

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
@@ -384,11 +384,11 @@ func (c *cyclonedxParser) GetPredicates(ctx context.Context) *assembler.IngestPr
 			if topLevelPkgs[0].Version != nil && *topLevelPkgs[0].Version != "" {
 				artInput, err := getArtifactInput(*topLevelPkgs[0].Version)
 				if err != nil {
-					logger.Errorf("CDX artifact was not parsable: %v", err)
+					logger.Infof("CDX artifact was not parsable: %v", err)
+				} else {
+					topLevelArts = append(topLevelArts, artInput)
+					logger.Infof("getArtInput %v", artInput)
 				}
-				topLevelArts = append(topLevelArts, artInput)
-
-				logger.Infof("getArtInput %v", artInput)
 			}
 		} else {
 			topLevelArts = c.packageArtifacts[c.cdxBom.Metadata.Component.BOMRef]

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go
@@ -53,6 +53,19 @@ func Test_cyclonedxParser(t *testing.T) {
 		},
 		wantPredicates: &testdata.CdxIngestionPredicates,
 		wantErr:        false,
+	}, {
+		name: "valid small CycloneDX document - invalid container version",
+		doc: &processor.Document{
+			Blob:   testdata.CycloneDXDistrolessInvalidVersionExample,
+			Format: processor.FormatJSON,
+			Type:   processor.DocumentCycloneDX,
+			SourceInformation: processor.SourceInformation{
+				Collector: "TestCollector",
+				Source:    "TestSource",
+			},
+		},
+		wantPredicates: &testdata.CdxIngestionInvalidVersionPredicates,
+		wantErr:        false,
 	}, {
 		name: "valid small CycloneDX document with package dependencies and a hash",
 		doc: &processor.Document{