License information missing from BOM #262

Open
ketronkowski opened this issue Jun 28, 2023 · 4 comments
Labels
hacktoberfest Hacktoberfest eligible note:ideal-for-contribution An issue that a contributor can help us with type:bug A general bug

Comments

@ketronkowski

When generating an sBOM report using Syft for a container image built with the new-relic buildpack, the "New Relic Java Agent" element does not correctly set license information so the Syft tool can export it correctly in an sBOM file.

Expected Behavior

We expect the sBOM file generated by Syft on an image to have the licenseConcluded and licenseDeclared elements of the "New Relic Java Agent" element in the "packages" array set correctly.

Current Behavior

Using Syft on an image generated with Paketo with the new-relic buildpack included, the "New Relic Java Agent" element has an incorrect value (LicenseRef-) for the licenseConcluded and licenseDeclared elements.

  {
   "name": "New Relic Java Agent",
   "SPDXID": "SPDXRef-Package-UnknownPackage-New-Relic-Java-Agent-51f555dbd7cae650",
   "versionInfo": "8.2.0",
   "downloadLocation": "NOASSERTION",
   "sourceInfo": "acquired package info from SBOM: /layers/sbom/launch/paketo-buildpacks_new-relic/new-relic-java/sbom.syft.json",
   "licenseConcluded": "LicenseRef-",
   "licenseDeclared": "LicenseRef-",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:newrelic:java-agent:8.2.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:New_Relic_Java_Agent:New_Relic_Java_Agent:8.2.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:generic/[email protected]?arch=amd64"
    }
   ]
  }

Possible Solution

Steps to Reproduce

  1. Generate a container image with Paketo Buildpacks following the instructions in this repository.
  2. Run syft on the generated image: syft <image>
  3. Inspect sbom for the "New Relic Java Agent" element in the "packages" array

Motivations

@dmikusa (Contributor) commented Jun 29, 2023

> Run syft on the generated image: syft <image>

I believe that would be a problem with syft not the buildpacks.

Buildpacks generate their own SBOM information. You don't need to run syft against the image, you just fetch the SBOM information generated by buildpacks. That said, I can't guarantee that we're setting this field properly either, but if it's not correct in the SBOM generated by the buildpacks, we have the capacity to fix that.

Can you please try this?

  1. Do your pack build.
  2. Run pack sbom download against your image. See https://buildpacks.io/docs/tools/pack/cli/pack_sbom_download/

The resulting folder should contain the SBOM information generated by buildpacks for the contents of your application image.

We also generate a separate SBOM for the build image, because sometimes more stuff is installed into the build environment. If you want that, you can only fetch it when running pack build with the --sbom-output-dir. It's not possible to go back and fetch it after the fact.

Hope that helps!

@dmikusa dmikusa added the type:question A user question label Jun 29, 2023
@ketronkowski (Author) commented

Thanks for the help. I ran the pack sbom download command on the image. Inside the layers/sbom/launch/paketo-buildpacks_new-relic/new-relic-java/sbom.syft.json file there appears to be an empty string ("") value within the .Artifacts[0].Licenses[] array.

{
    "Artifacts": [
        {
            "ID": "8fff9b556e965d19",
            "Name": "New Relic Java Agent",
            "Version": "8.4.0",
            "Type": "UnknownPackage",
            "FoundBy": "libpak",
            "Locations": [
                {
                    "Path": "buildpack.toml"
                }
            ],
            "Licenses": [
                ""
            ],
            "Language": "",
            "CPEs": [
                "cpe:2.3:a:newrelic:java-agent:8.4.0:*:*:*:*:*:*:*"
            ],
            "PURL": "pkg:generic/[email protected]?arch=amd64"
        }
    ],
    "Source": {
        "Type": "directory",
        "Target": "/layers/paketo-buildpacks_new-relic/new-relic-java"
    },
    "Descriptor": {
        "Name": "syft",
        "Version": "0.32.0"
    },
    "Schema": {
        "Version": "1.1.0",
        "URL": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-1.1.0.json"
    }
}

@dmikusa dmikusa added type:bug A general bug and removed type:question A user question labels Jun 29, 2023
@dmikusa (Contributor) commented Jun 29, 2023

Oh, interesting. That is not expected. It should have added the license information from the dependency in buildpack.toml.

Switching this to a bug.

@dmikusa dmikusa transferred this issue from paketo-buildpacks/new-relic Jun 29, 2023
@dmikusa (Contributor) commented Jun 29, 2023

Notes:

  • The Dependency should have license information, that gets pulled out of buildpack.toml.
  • It should pass this license information through to the SBOM information, see here.
  • It doesn't look like that's happening for some reason, unsure why at the moment.

@dmikusa dmikusa added the note:ideal-for-contribution An issue that a contributor can help us with label Jun 29, 2023
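The check this thread is circling around, as an added example that is not code from the issue, libpak, pack or syft: a Python script that walks the directory produced by pack sbom download (or any directory of SBOM files) and reports packages whose license field is empty or only a placeholder. It handles both layouts shown above, Syft's native JSON (the schema 1.1.0 output posted here uses Artifacts[].Licenses as a list of strings; newer Syft schemas use lowercase artifacts[].licenses as objects, which is assumed from current Syft output rather than from this page) and SPDX JSON (packages[].licenseConcluded and licenseDeclared). A bare LicenseRef- with nothing after the hyphen is not a valid SPDX license reference, since the spec requires an idstring to follow, so it is treated as a placeholder alongside the empty string and NOASSERTION. The sample documents are constructed from the fragments in the thread; the example-lib package is invented to show a passing entry.

```python
"""Report SBOM packages with empty or placeholder license fields.

Added example for this issue; not code from libpak, pack or syft.
Understands two layouts seen in the thread:
  * Syft native JSON  (schema 1.1.0: Artifacts[].Licenses as strings;
                       newer schemas, assumed: artifacts[].licenses as objects)
  * SPDX JSON         (packages[].licenseConcluded / licenseDeclared)
"""
import json
import os
import sys

# Values that carry no license information. A bare "LicenseRef-" is not a
# valid SPDX reference (an idstring must follow the hyphen), so it counts.
PLACEHOLDERS = {"", "LicenseRef-", "NOASSERTION", "NONE"}


def is_placeholder(value):
    return value is None or str(value).strip() in PLACEHOLDERS


def _syft_license_values(artifact):
    """Normalise Syft licenses to a list of strings across schema versions."""
    raw = artifact.get("licenses", artifact.get("Licenses")) or []
    values = []
    for lic in raw:
        if isinstance(lic, dict):  # newer schemas: {"value": ..., "spdxExpression": ...}
            values.append(lic.get("spdxExpression") or lic.get("value") or "")
        else:                      # schema 1.1.0: plain strings, as posted above
            values.append(lic)
    return values


def find_missing_licenses(doc):
    """Return [(name, version, detail)] for every package lacking license info."""
    findings = []
    if "packages" in doc:  # SPDX JSON document
        for pkg in doc.get("packages", []):
            for field in ("licenseConcluded", "licenseDeclared"):
                val = pkg.get(field)
                if is_placeholder(val):
                    findings.append((pkg.get("name"), pkg.get("versionInfo"),
                                     f"{field}={val!r}"))
        return findings
    artifacts = doc.get("artifacts", doc.get("Artifacts")) or []
    for art in artifacts:
        values = _syft_license_values(art)
        if not values or all(is_placeholder(v) for v in values):
            findings.append((art.get("name", art.get("Name")),
                             art.get("version", art.get("Version")),
                             f"licenses={values!r}"))
    return findings


def scan_sbom_dir(root):
    """Check every *.syft.json / *.spdx.json below root, e.g. a pack sbom download dir."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith((".syft.json", ".spdx.json")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as fh:
                    results[path] = find_missing_licenses(json.load(fh))
    return results


# Constructed samples modelled on the fragments posted in the thread.
SYFT_SAMPLE = {
    "Artifacts": [{"Name": "New Relic Java Agent", "Version": "8.4.0",
                   "Type": "UnknownPackage", "FoundBy": "libpak", "Licenses": [""]}],
    "Schema": {"Version": "1.1.0"},
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "New Relic Java Agent", "versionInfo": "8.2.0",
         "licenseConcluded": "LicenseRef-", "licenseDeclared": "LicenseRef-"},
        # invented package with a proper expression, to show a clean entry
        {"name": "example-lib", "versionInfo": "1.0.0",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
    ],
}


def main(argv):
    """Scan argv[1] if given, else the embedded samples; exit 1 on any finding."""
    if len(argv) > 1:
        report = scan_sbom_dir(argv[1])
    else:
        report = {"<syft sample>": find_missing_licenses(SYFT_SAMPLE),
                  "<spdx sample>": find_missing_licenses(SPDX_SAMPLE)}
    bad = 0
    for path, findings in report.items():
        for name, version, detail in findings:
            print(f"{path}: {name} {version}: {detail}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the output directory of pack sbom download as the only argument to check a real image; without arguments it runs against the embedded samples and reports the New Relic entry in both layouts. Because it exits non-zero on any finding, it can sit in a pipeline as a gate before an SBOM is published.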
@anthonydahanne anthonydahanne added the hacktoberfest Hacktoberfest eligible label Oct 4, 2023