From 90a1589c644ab2072b3769c6eb5d5deb658c03a2 Mon Sep 17 00:00:00 2001
From: sg
Date: Fri, 20 Sep 2024 09:48:26 +0100
Subject: [PATCH] bugfix/367 fix cyclonedx parser crash if the package does not have purl in metadata

---
 .../consumers/dependency-track/main_test.go | 6 +++---
 components/enrichers/depsdev/main.go | 2 +-
 components/producers/cdxgen/main.go | 2 +-
 components/producers/docker-trivy/main.go | 2 +-
 pkg/cyclonedx/cyclonedx.go | 15 ++++++++++-----
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/components/consumers/dependency-track/main_test.go b/components/consumers/dependency-track/main_test.go
index 41ef3402d..d1755eef3 100644
--- a/components/consumers/dependency-track/main_test.go
+++ b/components/consumers/dependency-track/main_test.go
@@ -59,7 +59,7 @@ func TestUploadBomsFromRaw(t *testing.T) {
 	require.NoError(t, err)
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 	require.NoError(t, err)
 
 	ltr := v1.LaunchToolResponse{
@@ -112,7 +112,7 @@ func TestUploadBomsFromEnriched(t *testing.T) {
 	require.NoError(t, err)
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 	require.NoError(t, err)
 
 	ltr := v1.LaunchToolResponse{
@@ -206,7 +206,7 @@ func TestUploadBomsFromEnrichedWithOwners(t *testing.T) {
 	require.NoError(t, err)
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 	require.NoError(t, err)
 
 	ltr := v1.LaunchToolResponse{
diff --git a/components/enrichers/depsdev/main.go b/components/enrichers/depsdev/main.go
index c39d276a6..46acbf176 100644
--- a/components/enrichers/depsdev/main.go
+++ b/components/enrichers/depsdev/main.go
@@ -184,7 +184,7 @@ func enrichIssue(i *v1.Issue) (*v1.EnrichedIssue, error) {
 	if err != nil {
 		return &enrichedIssue, err
 	}
-	originalIssue, err := cyclonedx.ToDracon(marshalled, "json")
+	originalIssue, err := cyclonedx.ToDracon(marshalled, "json", "")
 	if err != nil {
 		return &enrichedIssue, err
 	}
diff --git a/components/producers/cdxgen/main.go b/components/producers/cdxgen/main.go
index 09f8e9d31..ca2d4c147 100644
--- a/components/producers/cdxgen/main.go
+++ b/components/producers/cdxgen/main.go
@@ -31,5 +31,5 @@ func main() {
 }
 
 func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) {
-	return cyclonedx.ToDracon(inFile, "json")
+	return cyclonedx.ToDracon(inFile, "json", "")
 }
diff --git a/components/producers/docker-trivy/main.go b/components/producers/docker-trivy/main.go
index 973688190..b13abd917 100644
--- a/components/producers/docker-trivy/main.go
+++ b/components/producers/docker-trivy/main.go
@@ -92,7 +92,7 @@ func handleSarif(inFile []byte) ([]*v1.Issue, error) {
 }
 
 func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) {
-	return cyclonedx.ToDracon(inFile, "json")
+	return cyclonedx.ToDracon(inFile, "json", "")
 }
 
 func parseCombinedOut(results types.CombinedOut) []*v1.Issue {
diff --git a/pkg/cyclonedx/cyclonedx.go b/pkg/cyclonedx/cyclonedx.go
index 8a71a055b..afe8e6310 100644
--- a/pkg/cyclonedx/cyclonedx.go
+++ b/pkg/cyclonedx/cyclonedx.go
@@ -12,7 +12,7 @@ import (
 )
 
 // ToDracon accepts a cycloneDX bom file and transforms to an array containing a singular v1.Issue.
-func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) {
+func ToDracon(inFile []byte, format, targetOverride string) ([]*v1.Issue, error) {
 	bom := new(cdx.BOM)
 	var decoder cdx.BOMDecoder
 	var issues []*v1.Issue
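Review bot: The doc comment kept as context above the new `ToDracon` signature still describes only the input file, so the added `targetOverride` parameter (and `format`) is undocumented at the one place callers look. I would replace it with `// ToDracon decodes a CycloneDX BOM in the given format and returns it as a single v1.Issue. When targetOverride is non-empty it replaces the target derived from the BOM's metadata component, which is the only way to get a non-empty target when the BOM carries no metadata component.` Every call site touched in this patch passes `""` for the override, so the parameter currently has no caller that exercises it; a sentence in the commit description saying who is expected to pass it would help reviewers. The body of ToDracon, including where the override is applied, continues outside this hunk.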
@@ -42,10 +42,15 @@ func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) {
 	}
 	result := strings.TrimSpace(buf.String())
 	target := ""
-	if bom.Metadata.Component.BOMRef != "" {
-		target = bom.Metadata.Component.BOMRef
-	} else {
-		target = bom.Metadata.Component.PackageURL
+	if bom.Metadata != nil && bom.Metadata.Component != nil {
+		if bom.Metadata.Component.BOMRef != "" {
+			target = bom.Metadata.Component.BOMRef
+		} else {
+			target = bom.Metadata.Component.PackageURL
+		}
+	}
+	if targetOverride != "" {
+		target = targetOverride
 	}
 	return []*v1.Issue{