Closed
Labels: bug (Something isn't working)
Description
What happened:
When running xeol over a syft generated json sbom from a version of Syft later than v0.92 you get this error:
% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
1 error occurred:
* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string
What you expected to happen:
When running xeol over a syft generated json sbom from a version of Syft v0.92 you do not receive this error:
% xeol sbom:./v0.92-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
✔ Scanned for EOL [1 eol matches]
NAME VERSION EOL DAYS EOL TYPE
python 3.8.10 2024-10-31 - binary
How to reproduce it (as minimally and precisely as possible):
- install Syft version 0.92 -
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.92.0
- check your version -
./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 0.92.0
- Generate a json SBOM using Syft v0.92 -
./syft dir:/ -o json>./sbom/v0.92-syft-filesystem-image-sbom.json
- Run xeol against that sbom and verify it succeeds -
% xeol sbom:./v0.92-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
✔ Scanned for EOL [1 eol matches]
NAME VERSION EOL DAYS EOL TYPE
python 3.8.10 2024-10-31 - binary
- install latest Syft version (currently v1.4.1) -
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
- check your version of syft -
./syft --version
ubuntu@ubuntu:~$ ./syft --version
syft 1.4.1
- Generate a json SBOM using Syft v1.4.1 -
./syft dir:/ -o json>./sbom/v1.4.1-syft-filesystem-image-sbom.json
- Run xeol against the sbom and verify failure -
% xeol sbom:./v1.4.1-syft-filesystem-image-sbom.json --lookahead 1y -o table
✔ EOL DB [no update available]
1 error occurred:
* failed to catalog: unable to decode sbom: unable to decode syft-json: json: cannot unmarshal object into Go struct field Document.artifacts of type string
Anything else we need to know?:
I generated the SBOMs I tested against using the Ubuntu 22.04 .ova from https://cloud-images.ubuntu.com/jammy/current/; however, I see this error when running across all our products. I would expect that simply updating the version of Syft from v0.92 to something newer would solve this issue; however, I don't know if there are dependency versions for why it's been held back on v0.92.
Environment:
- Output of xeol version:
- OS (e.g: cat /etc/os-release or similar):
% xeol version
Application: xeol
Version: 0.9.15
BuildDate: 2024-04-27T01:08:08Z
GitCommit: Homebrew
GitDescription: Homebrew
Platform: darwin/amd64
GoVersion: go1.22.2
Compiler: gc
Syft Version: v0.92.0
Supported DB Schema: 1
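
A pre-flight check for the mismatch reported above, as an added example that is not part of the original issue or of xeol's code: it reads only the `descriptor.version` field of a syft-json SBOM and compares it with the Syft version the consuming tool reports embedding (`Syft Version: v0.92.0` in the output above). `CheckProducer`, `parseVersion` and the sample document are hypothetical, and rejecting newer producers is an assumed policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: a minimal syft-json document with a producer header.
const sampleSBOM = `{"artifacts":[{"name":"python","version":"3.8.10"}],"descriptor":{"name":"syft","version":"1.4.1"}}`

// sbomHeader decodes only the producer field, ignoring the package records.
type sbomHeader struct {
	Descriptor struct {
		Version string `json:"version"`
	} `json:"descriptor"`
}

// parseVersion turns "v0.92.0" or "1.4.1" into one comparable integer.
func parseVersion(v string) (int, error) {
	key, parts := 0, strings.Split(strings.TrimPrefix(v, "v"), ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 || len(parts) != 3 {
			return 0, fmt.Errorf("unexpected version %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// CheckProducer (hypothetical) rejects an SBOM written by a newer Syft than embedded.
func CheckProducer(sbom []byte, embedded string) error {
	var h sbomHeader
	if err := json.Unmarshal(sbom, &h); err != nil {
		return fmt.Errorf("not a syft-json document: %w", err)
	}
	got, err1 := parseVersion(h.Descriptor.Version)
	want, err2 := parseVersion(embedded)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("cannot compare versions: sbom %q, embedded %q", h.Descriptor.Version, embedded)
	}
	if got > want {
		return fmt.Errorf("SBOM written by syft %s, consumer embeds %s", h.Descriptor.Version, embedded)
	}
	return nil
}

func main() { fmt.Println(CheckProducer([]byte(sampleSBOM), "v0.92.0")) }
```

Running such a check before the full decode turns the opaque unmarshal error into a message that names both versions.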