OS information missing in SPDX format SBOM for a container image #3012

Open
kl-sinclair opened this issue Jul 4, 2024 · 3 comments · May be fixed by #3462
Labels
bug Something isn't working

Comments

@kl-sinclair

kl-sinclair commented Jul 4, 2024

What happened:

When generating an SPDX for container images like Redis or Ubuntu, only package information is included, but OS information, such as Alpine or Ubuntu, is not included in the Package Information section.

Redis:
https://gist.github.com/kl-sinclair/eec66cc2a577a4c702521b20217a1bac

Ubuntu:
https://gist.github.com/kl-sinclair/dfab9b10e93be204d8d76b69e2662333

What you expected to happen:

OS information should be included as a package. For example, as follows:

...
  "packages": [
    ...
    {
      "name": "alpine",
      "SPDXID": "SPDXRef-OperatingSystem-alpine-xxxxxxxxxxxxxxxx",
      "versionInfo": "3.20.1",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      ...
      "primaryPackagePurpose": "OPERATING-SYSTEM"
    }
...

or

##### Package: ubuntu

PackageName: ubuntu
SPDXID: SPDXRef-OperatingSystem-ubuntu-xxxxxxxxxxxxxxxx
PackageVersion: 24.04
PackageDownloadLocation: NONE
PrimaryPackagePurpose: OPERATING-SYSTEM
FilesAnalyzed: false
...

Steps to reproduce the issue:

syft scan redis:6-alpine -o spdx-json=syft-redis.spdx.json
syft scan ubuntu:latest -o spdx-json=syft-ubuntu.spdx.json

Anything else we need to know?:

With CycloneDX, OS information is included as a component:

syft-redis.cdx.json:

...
  "components": [
    ...
    {
      "bom-ref": "os:[email protected]",
      "type": "operating-system",
      "name": "alpine",
      "version": "3.16.0",
      "description": "Alpine Linux v3.16",
      "swid": {
        "tagId": "alpine",
        "name": "alpine",
        "version": "3.16.0"
      },
      "externalReferences": [
        {
          "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues",
          "type": "issue-tracker"
        },
        {
          "url": "https://alpinelinux.org/",
          "type": "website"
        }
      ],
      "properties": [
        {
          "name": "syft:distro:id",
          "value": "alpine"
        },
        {
          "name": "syft:distro:prettyName",
          "value": "Alpine Linux v3.16"
        },
        {
          "name": "syft:distro:versionID",
          "value": "3.16.0"
        }
      ]
    }
...

syft-ubuntu.cdx.json:

...
  "components": [
    ...
    {
      "bom-ref": "os:[email protected]",
      "type": "operating-system",
      "name": "ubuntu",
      "version": "22.04",
      "description": "Ubuntu 22.04.1 LTS",
      "swid": {
        "tagId": "ubuntu",
        "name": "ubuntu",
        "version": "22.04"
      },
      "externalReferences": [
        {
          "url": "https://bugs.launchpad.net/ubuntu/",
          "type": "issue-tracker"
        },
        {
          "url": "https://www.ubuntu.com/",
          "type": "website"
        },
        {
          "url": "https://help.ubuntu.com/",
          "comment": "support",
          "type": "other"
        },
        {
          "url": "https://www.ubuntu.com/legal/terms-and-policies/privacy-policy",
          "comment": "privacyPolicy",
          "type": "other"
        }
      ],
      "properties": [
        {
          "name": "syft:distro:id",
          "value": "ubuntu"
        },
        {
          "name": "syft:distro:idLike:0",
          "value": "debian"
        },
        {
          "name": "syft:distro:prettyName",
          "value": "Ubuntu 22.04.1 LTS"
        },
        {
          "name": "syft:distro:versionCodename",
          "value": "jammy"
        },
        {
          "name": "syft:distro:versionID",
          "value": "22.04"
        }
      ]
    }
...

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    1.8.0
BuildDate:  2024-06-24T15:27:29Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.22.4
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
    macOS Ventura 13.3
@kl-sinclair kl-sinclair added the bug Something isn't working label Jul 4, 2024
@kl-sinclair kl-sinclair changed the title OS information missing in SPDX Format SBOM for a container image OS information missing in SPDX format SBOM for a container image Jul 4, 2024
@popey
Contributor

popey commented Jul 16, 2024

Thanks for the issue. I've reproduced this on Syft 1.9.0.

@spiffcs
Contributor

spiffcs commented Jul 16, 2024

Just to add some supporting evidence for this issue:
https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field

The package information in v2.3 allows for formats that identify the primary package purpose:

APPLICATION | FRAMEWORK | LIBRARY | CONTAINER | 
OPERATING-SYSTEM | DEVICE | FIRMWARE | SOURCE | 
ARCHIVE | FILE | INSTALL | OTHER |

Operating System is included in this enum, so including the discovered operating system as a package in spdx would be the correct spot. Syft has data for this in its underlying json format. It's just a matter of creating the package during the format serialization.

@josegomezr

@kl-sinclair I've tried your reproducer commands with the code in #3462. Check the gist with the outputs:

https://gist.github.com/josegomezr/1232cf59eb2f32be52737f363ad2b96a

I think it generates the expected result, but I can't be 100% certain yet. An extra pair of eyes wouldn't hurt 😅

This is the OS package (sampling from redis):

{
  "name": "Alpine Linux",
  "SPDXID": "SPDXRef-OperatingSystem-alpine",
  "versionInfo": "3.20.3",
  "supplier": "NOASSERTION",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "description": "Alpine Linux v3.20",
  "primaryPackagePurpose": "OPERATING-SYSTEM"
}

And the relationships are reflected as well:

# [...]
{
  "spdxElementId": "SPDXRef-OperatingSystem-alpine",
  "relatedSpdxElement": "SPDXRef-Package-apk-zlib-6dd4db84efbbb0de",
  "relationshipType": "CONTAINS"
},
{
  "spdxElementId": "SPDXRef-DocumentRoot-Image-redis",
  "relatedSpdxElement": "SPDXRef-OperatingSystem-alpine",
  "relationshipType": "CONTAINS"
},
{
  "spdxElementId": "SPDXRef-DOCUMENT",
  "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-redis",
  "relationshipType": "DESCRIBES"
}
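Added example, not Syft's code and not from anyone in this thread: a Python check that flags an SPDX 2.3 JSON SBOM carrying no OPERATING-SYSTEM package (the gap reported above) and, to show what the fix in #3462 has to produce, builds the missing package and its CONTAINS relationship from the distro fields Syft already emits as a CycloneDX operating-system component. The documents, SPDXIDs and versions are constructed samples modelled on the excerpts quoted in the report and in the previous comment; the field values and ID pattern are assumptions, not the project's actual serialization.

```python
import copy

# Constructed sample of the OS component Syft emits in CycloneDX (see the report).
CDX_OS = {"type": "operating-system", "name": "alpine", "version": "3.16.0",
          "description": "Alpine Linux v3.16"}

# Constructed minimal SPDX 2.3 document with no OS package, as reported.
ROOT = "SPDXRef-DocumentRoot-Image-redis"
ZLIB = "SPDXRef-Package-apk-zlib-6dd4db84efbbb0de"
SPDX_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": [ROOT],
    "packages": [
        {"name": "redis", "SPDXID": ROOT, "primaryPackagePurpose": "CONTAINER"},
        {"name": "zlib", "SPDXID": ZLIB, "versionInfo": "1.2.12-r3"},
    ],
    "relationships": [
        {"spdxElementId": ROOT, "relatedSpdxElement": ZLIB,
         "relationshipType": "CONTAINS"},
    ],
}


def os_packages(doc):
    """Return every package whose primaryPackagePurpose is OPERATING-SYSTEM."""
    return [p for p in doc.get("packages", [])
            if p.get("primaryPackagePurpose") == "OPERATING-SYSTEM"]


def add_os_package(doc, cdx_os):
    """Return a copy of doc with an OPERATING-SYSTEM package built from the
    CycloneDX component and a CONTAINS edge from each described root to it."""
    if os_packages(doc):
        return doc  # already carries an OS package: nothing to do
    doc = copy.deepcopy(doc)  # never mutate the caller's SBOM in place
    spdxid = f"SPDXRef-OperatingSystem-{cdx_os['name']}"  # assumed ID pattern
    doc["packages"].append({
        "name": cdx_os["name"], "SPDXID": spdxid,
        "versionInfo": cdx_os["version"],
        "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
        "description": cdx_os.get("description", ""),
        "primaryPackagePurpose": "OPERATING-SYSTEM",
    })
    for root in doc.get("documentDescribes", []):
        doc.setdefault("relationships", []).append(
            {"spdxElementId": root, "relatedSpdxElement": spdxid,
             "relationshipType": "CONTAINS"})
    return doc
```

Running os_packages over a Syft-generated SPDX document is enough to detect the reported gap in an SBOM pipeline; add_os_package only illustrates the shape of the package the serializer should emit.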
