Not all the packages are getting imported in Blackduck scanner

Question

Not all the packages are getting imported in Blackduck scanner

Naranthiran opened this issue a month ago · comments

What happened:
I am trying to generate SBOM for my RHEL 7 custom image which is built using image builder. And I am executing the below command

#syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json

Please correct me if the command and its parameters provided are wrong.
What you expected to happen:
While importing the SBOM generated using the above command out of 650 components only 58 are imported.

Error:
openssl1.1.1kpkg:generic/openssl@1.1.1k | | Component Not FoundUnable to map scanned component version to Black Duck project version because no mapping is present for the given external identifier

Steps to reproduce the issue:
1)Generated an RHEL 8 image using the imaged builder.
2)Download the image from the image builder and generate the SBOM.
#syft /root/isomount/input/liveimg.tar.gz --select-catalogers "+sbom-cataloger" -o spdx-json=sbom.050524.json
3)Import the SBOM in the Blackduck scanner.

Anything else we need to know?:
I have attached the scan logs,

Environment: x86_64

Output of syft version: syft 1.1.1
OS (e.g: cat /etc/os-release or similar): RHEL 8.8

Tim Gerla · Answer 1 · Sun May 05 2024 20:04:05 GMT+0800 (China Standard Time)

Hi @Naranthiran, thanks for the report. Can you attach a copy of sbom.050524.json to this issue? It looks like there are a bunch of errors related to symlinks in the scan output. It would be helpful if we could also see the contents of the tar file. Could we have access to the tar file itself? If not, a complete file listing from the tar archive would be a good start. Thanks!

Naranthiran · Answer 2 · Mon May 06 2024 13:53:01 GMT+0800 (China Standard Time)

Hi Tim,

I have attached the SBOM. The tar file is a filesystem which was created using the image builder tool.

If you have subscribed, you can generate the tar file from the RedHat console.

I will not be able to upload as the files size in huge..

sbom.050524.json

Regards
Naranthiran Duraisamy

Tim Gerla · Answer 3 · Mon May 06 2024 20:24:20 GMT+0800 (China Standard Time)

Hi @Naranthiran, I checked out the SBOM and I see over 600 entries, about what I would expect. Running Grype against it reports a bunch of possible vulnerabilities. Can you explain in more detail the problem on the Syft side here? I am not familiar with Blackduck's scanning software and you might need to contact them for information about their tool. Thanks!

Naranthiran · Answer 4 · Tue May 07 2024 19:54:04 GMT+0800 (China Standard Time)

Hi Tim,

Thanks for your response.
While importing the SBOM in the Blackduck I found only 58 components out of 650.
I wanted to check with you, if the way I create the SBOM with its parameters is correct or if I am missing something.

From the BlackDuck side, I understand that the package name and referenceLocator files were not matching.

Regards
Naranthiran Duraisamy

Tim Gerla · Answer 5 · Tue May 07 2024 23:11:46 GMT+0800 (China Standard Time)

Hi Naranthiran, as far as I can tell, your method of calling Syft is fine, and I don't see anything out of the ordinary in the generated SBOM. It does look like Blackduck is expecting something different. It might be some sort of incompatibility between the tools but we would be happy to look. Would you be able to contact Blackduck and open a support ticket there? We would be happy to explore the problem. Thanks,

Tim