
parlay's Issues

No enrichment for nested components in CycloneDX

CycloneDX SBOMs can have components embedded in a component, see https://cyclonedx.org/docs/1.5/json/#components_items_components. I have generated an SBOM with cyclonedx-npm and got this:

        {
            "type": "library",
            "bom-ref": "match-sorter@6.3.4",
            "supplier": {
                "name": "Kent C. Dodds",
                "url": [
                    "https://kentcdodds.com"
                ]
            },
            "author": "Kent C. Dodds",
            "name": "match-sorter",
            "version": "6.3.4",
            "description": "Simple, expected, and deterministic best-match sorting of an array in JavaScript",
            "licenses": [
                {
                    "expression": "MIT"
                }
            ],
            "purl": "pkg:npm/match-sorter@6.3.4",
            "components": [
                {
                    "type": "library",
                    "bom-ref": "match-sorter@6.3.4|remove-accents@0.5.0",
                    "name": "remove-accents",
                    "version": "0.5.0",
                    "purl": "pkg:npm/remove-accents@0.5.0"
                }
            ]
        },

This example contains information gathered by Parlay for the match-sorter, but nothing was found for the included remove-accents.

Would it be possible for Parlay to traverse through the components?
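The nesting described in this issue is easy to miss with a loop over the top-level `components` array only. The following is an added example, not Parlay's own code, showing a depth-first walk that reaches nested components and enriches them in place. The BOM is constructed from the shape above, and the lookup table stands in for whatever an enricher would fetch; the struct covers only the fields the walk needs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is the subset of a CycloneDX component needed here: identity
// fields plus the optional nested "components" array from the 1.5 schema.
type Component struct {
	Type        string      `json:"type"`
	BOMRef      string      `json:"bom-ref,omitempty"`
	Group       string      `json:"group,omitempty"`
	Name        string      `json:"name"`
	Version     string      `json:"version,omitempty"`
	Description string      `json:"description,omitempty"`
	PURL        string      `json:"purl,omitempty"`
	Components  []Component `json:"components,omitempty"`
}

// BOM is the minimal document wrapper around the component tree.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// WalkComponents visits every component depth-first, descending into each
// component's own "components" array. fn receives a pointer so that
// enrichment can modify the tree in place.
func WalkComponents(comps []Component, fn func(*Component)) {
	for i := range comps {
		fn(&comps[i])
		WalkComponents(comps[i].Components, fn)
	}
}

// CollectPURLs returns every purl in the BOM in visit order. A loop over
// bom.Components alone would stop after the first, top-level entry.
func CollectPURLs(bom *BOM) []string {
	var purls []string
	WalkComponents(bom.Components, func(c *Component) {
		if c.PURL != "" {
			purls = append(purls, c.PURL)
		}
	})
	return purls
}

// Enrich fills in descriptions from a purl-keyed table (a stand-in for data
// an enricher would fetch) and reports how many components were touched.
func Enrich(bom *BOM, descriptions map[string]string) int {
	n := 0
	WalkComponents(bom.Components, func(c *Component) {
		if d, ok := descriptions[c.PURL]; ok && c.Description == "" {
			c.Description = d
			n++
		}
	})
	return n
}

// ParseBOM decodes a CycloneDX JSON document into the structs above.
func ParseBOM(data []byte) (*BOM, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	return &bom, nil
}

// sampleBOM is constructed for this example from the component shape in
// the issue: a top-level library with one nested dependency.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "bom-ref": "match-sorter@6.3.4",
      "name": "match-sorter",
      "version": "6.3.4",
      "purl": "pkg:npm/match-sorter@6.3.4",
      "components": [
        {
          "type": "library",
          "bom-ref": "match-sorter@6.3.4|remove-accents@0.5.0",
          "name": "remove-accents",
          "version": "0.5.0",
          "purl": "pkg:npm/remove-accents@0.5.0"
        }
      ]
    }
  ]
}`

func main() {
	bom, err := ParseBOM([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	for _, p := range CollectPURLs(bom) {
		fmt.Println(p)
	}
	// Constructed lookup table; the nested component is reached as well.
	n := Enrich(bom, map[string]string{
		"pkg:npm/remove-accents@0.5.0": "Remove accents from a string",
	})
	out, _ := json.MarshalIndent(bom, "", "  ")
	fmt.Printf("enriched %d component(s)\n%s\n", n, out)
}
```

Because the callback gets a pointer into the slice, the same walk can be reused by every enricher; the output tree is re-serialised with the nested entry in its original place.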

No information found for components with a group

My CycloneDX includes components like

    {
        "type": "library",
        "bom-ref": "@emotion/react@11.11.3",
        "group": "@emotion",
        "name": "react",
        "version": "11.11.3",
        "purl": "pkg:npm/%40emotion/react@11.11.3"
    },

Parlay doesn't find any information for this component when using ecosystems enrich.

For other components like

    {
        "type": "library",
        "bom-ref": "regenerator-runtime@0.14.1",
        "name": "regenerator-runtime",
        "version": "0.14.1",
        "purl": "pkg:npm/regenerator-runtime@0.14.1"
    },

Parlay finds additional information.

The only difference is the group in the first kind of component. Do you have any idea why it is not working with the group?

Should enrichment modify or add to the tools noted in the SBOM

Good question from @rnjudge https://twitter.com/rosejudge5/status/1666879138739916800

How is SBOM creation metadata handled when the SBOM is changed? Is the document creation metadata changed to reflect the new creator?

Warrants investigation. Parlay is adding to, rather than recreating, the original content. You ideally still want to know what tool generated the list of packages, but (separately) knowing that some of the information came from Parlay would be useful.

Snyk enrich is looking up user info per package

When enriching an SBOM, the snyk command will fetch user data to infer the user’s org ID per package. Since the org ID is unlikely to change while an SBOM is being enriched, it should rather be looked up once and injected in subsequent requests.

Snyk cmd missing debug output

The snyk command does not properly add to debugger output. Specifically, the logger instance is not being passed down to internal function calls and errors remain unhandled, while stdout with an unenriched SBOM suggests that everything went according to plan.

Snyk package and enrichment command runtime error on Windows

Running the example command below returns the following runtime error. Snyk Token is set correctly. I verified it is working on Linux via WSL. A similar error occurs when trying to run snyk enrich for a CycloneDX SBOM. I'm using this release https://github.com/snyk/parlay/releases/download/v0.1.5/parlay_Windows_x86_64.zip.

./parlay snyk package pkg:npm/[email protected]

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x80a3ca]

goroutine 1 [running]:
github.com/snyk/parlay/lib/snyk.GetPackageVulnerabilities({{0xc00001e0f4, 0x3}, {0x0, 0x0}, {0xc00001e0f8, 0x7}, {0xc00001e100, 0x5}, {0xd89f00, 0x0, ...}, ...})
/home/runner/work/parlay/parlay/lib/snyk/package.go:56 +0x1ca
github.com/snyk/parlay/internal/commands/snyk.NewPackageCommand.func1(0xc000005500?, {0xc000090140, 0x1?, 0x1?})
/home/runner/work/parlay/parlay/internal/commands/snyk/packages.go:24 +0x1b8
github.com/spf13/cobra.(*Command).execute(0xc000005500, {0xc000090100, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(0xc000054000?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992 +0x19
main.main()
/home/runner/work/parlay/parlay/main.go:26 +0x1e

Debug messages

We have a --debug flag, but need to add useful debug messages throughout the various commands being run.

Add enrichment using the Scorecards API

The OpenSSF Scorecards project now has an API. Needs some discussion of how best to add Scorecard data to an SBOM.

Some conversation in the context of CycloneDX in the CycloneDX Slack. The new annotations in the upcoming v1.5 look like the best option.

Document/formalise use of Parlay as a library

While Parlay can be used as a CLI tool, it should also be possible to use it as a library. This isn't formalised or documented at all yet, however. It could be used in tools that build SBOMs to automatically enrich them at creation.

PURLs not resolving properly when enriching a CycloneDX SBOM with ecosyste.ms

I have a minimal CycloneDX 1.4 SBOM that I'm trying to enrich:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "github.com/Masterminds/semver",
      "version": "v1.5.0",
      "purl": "pkg:golang/github.com/Masterminds/semver@v1.5.0"
    }
  ]
}

If I run it through parlay I get exactly what I put in:

cat my-sbom.json | parlay ecosystems enrich -
{"$schema":"http://cyclonedx.org/schema/bom-1.4.schema.json","bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64","version":1,"components":[{"type":"library","name":"github.com/Masterminds/semver","version":"v1.5.0","purl":"pkg:golang/github.com/Masterminds/semver@v1.5.0"}]}

The issue occurs in this function, which tries to split the namespace and name. Because of how packageurl formats the string here, the purl.Namespace != "" condition is hit, making the purl actually requested from the SBOM pkg:golang/github.com/Masterminds:semver@v1.5.0, which fails to resolve.

If I force the purl to pkg:golang/github.com/Masterminds/semver@v1.5.0 enrichment works properly.
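Both this report and the earlier one about components with a `group` come down to how a purl's namespace is split off and rejoined. The block below is an added example, not Parlay's or packageurl-go's code: a small stdlib-only parser that separates type, namespace, name, version and qualifiers per the purl spec, percent-decodes the namespace (so `%40emotion` becomes `@emotion`), and rebuilds the registry-facing name with `/`. It goes slightly beyond the two reports by also handling an `apk` purl with a qualifier; the inputs are constructed from the purls quoted on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PackageURL holds the decoded parts of a purl:
// pkg:type/namespace/name@version?qualifiers#subpath
type PackageURL struct {
	Type       string
	Namespace  string
	Name       string
	Version    string
	Qualifiers map[string]string
	Subpath    string
}

// ParsePURL splits a purl from the right (subpath, qualifiers, version) and
// then from the left (type), so that whatever remains in the middle is the
// namespace. Namespace and name are percent-decoded after splitting, which is
// what keeps an encoded "@" or "/" inside a segment from being mistaken for
// a separator.
func ParsePURL(s string) (*PackageURL, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return nil, errors.New("purl must start with \"pkg:\"")
	}
	rest := s[len("pkg:"):]
	p := &PackageURL{Qualifiers: map[string]string{}}

	if i := strings.LastIndex(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(rest[i+1:], "/")
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			k, v, ok := strings.Cut(kv, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("malformed qualifier %q", kv)
			}
			val, err := url.QueryUnescape(v)
			if err != nil {
				return nil, err
			}
			p.Qualifiers[strings.ToLower(k)] = val
		}
		rest = rest[:i]
	}
	// The version separator is the last "@" after the last "/", so an
	// unencoded scoped npm namespace ("@scope/") is not taken for a version.
	if at := strings.LastIndex(rest, "@"); at > strings.LastIndex(rest, "/") {
		v, err := url.PathUnescape(rest[at+1:])
		if err != nil {
			return nil, err
		}
		p.Version = v
		rest = rest[:at]
	}

	segs := strings.Split(strings.Trim(rest, "/"), "/")
	if len(segs) < 2 || segs[0] == "" || segs[len(segs)-1] == "" {
		return nil, fmt.Errorf("purl %q needs at least a type and a name", s)
	}
	p.Type = strings.ToLower(segs[0])
	name, err := url.PathUnescape(segs[len(segs)-1])
	if err != nil {
		return nil, err
	}
	p.Name = name
	if len(segs) > 2 {
		ns, err := url.PathUnescape(strings.Join(segs[1:len(segs)-1], "/"))
		if err != nil {
			return nil, err
		}
		p.Namespace = ns
	}
	return p, nil
}

// FullName joins namespace and name with "/", which is the form a registry
// lookup expects ("github.com/Masterminds/semver", "@emotion/react").
// Joining with ":" instead yields the unresolvable name quoted in the issue.
func (p *PackageURL) FullName() string {
	if p.Namespace == "" {
		return p.Name
	}
	return p.Namespace + "/" + p.Name
}

func main() {
	// Constructed inputs taken from the purls discussed on this page.
	for _, s := range []string{
		"pkg:golang/github.com/Masterminds/semver@v1.5.0",
		"pkg:npm/%40emotion/react@11.11.3",
		"pkg:npm/regenerator-runtime@0.14.1",
		"pkg:apk/alpine/musl@1.2.3-r3?arch=x86_64",
	} {
		p, err := ParsePURL(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-50s type=%s ns=%q name=%s version=%s full=%s %v\n",
			s, p.Type, p.Namespace, p.Name, p.Version, p.FullName(), p.Qualifiers)
	}
}
```

Decoding after splitting is the detail that matters for the `group` case: the percent-encoded `@` in `%40emotion` never competes with the version separator, and the decoded namespace plus `/` plus name reproduces the package identifier the registry actually knows.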

Add Snyk Advisor external reference links in the Snyk enricher

For supported ecosystems (Go, Python and npm) it would be nice to add the external reference to Snyk Advisor. Likely like so:

{
  "url": "https://snyk.io/advisor/golang/github.com/go-openapi/errors",
  "comment": "Snyk Advisor",
  "type": "other"
}

Note this would not require API credentials.

scorecard enrich for xml sboms removes xmlns declarations

The XML processing for a CycloneDX SBOM (v1.5) seems to destroy the XML namespaces:

parlay scorecard enrich bom.cdx.xml

The xmlns declaration for the CycloneDX namespace gets stripped:

<bom xmlns:ns0="http://cyclonedx.org/schema/bom/1.5" ...>

ends up as:

<bom xmlns="" ...>

Version:

./parlay -v
0.4.0

Operating system packages don't work

I run cat before_parlay.json | ./parlay ecosystems enrich -

on:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "1",
  "version": 1,
  "metadata": {
    "timestamp": "1496244605"
  },
  "component": {
    "name": "api",
    "type": "application"
  },
  "components": [
    {
      "type": "library",
      "name": "musl",
      "version": "1.2.3-r3",
      "purl": "pkg:apk/alpine/musl@1.2.3-r3?arch=x86_64"
    }
  ]
}

and the result is not enriched.
Here is the ecosyste.ms link

snyk enrich doesn't return vulnerabilities

when I run cat before_parlay.json | ./parlay ecosystems enrich - | ./parlay snyk enrich -

on

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "1",
  "version": 1,
  "metadata": {
    "timestamp": "1496244605"
  },
  "component": {
    "name": "api",
    "type": "application"
  },
  "components": [
    {
      "type": "library",
      "name": "request",
      "version": "2.88.0",
      "purl": "pkg:npm/request@2.88.0"
    }
  ]
}

I get

{"bomFormat":"CycloneDX","specVersion":"1.3","serialNumber":"1","version":1,"metadata":{"timestamp":"1496244605"},"components":[{"type":"library","supplier":{"name":"request"},"author":"request","name":"request","version":"2.88.0","description":"Simplified HTTP request client.","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/request@2.88.0","externalReferences":[{"url":"https://github.com/request/request","type":"website"},{"url":"https://www.npmjs.com/package/request","type":"distribution"},{"url":"https://github.com/request/request","type":"vcs"}],"properties":[{"name":"ecosystems:first_release_published_at","value":"2011-01-22T00:36:12Z"},{"name":"ecosystems:latest_release_published_at","value":"2020-02-11T16:35:36Z"}]}],"vulnerabilities":null}

no vulnerabilities, even though this library has them:
https://security.snyk.io/package/npm/request/2.88.0

No error message for invalid token for snyk enrich and package

In Windows and WSL, if you set an invalid token or no token, the parlay snyk enrich command will just output the content of the input SBOM file without any error message, so you have no idea what is going on. The command 'parlay snyk package' will result in the following error without a valid token in Windows, but it will produce the error message "Must provide a SNYK_TOKEN environment variable" in WSL.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x121ebaa]

goroutine 1 [running]:
github.com/snyk/parlay/lib/snyk.GetPackageVulnerabilities({{0xc00002013c, 0x3}, {0x0, 0x0}, {0xc000020140, 0x7}, {0xc000020148, 0x5}, {0x17085c0, 0x0, ...}, ...})
/home/runner/work/parlay/parlay/lib/snyk/package.go:56 +0x1ca
github.com/snyk/parlay/internal/commands/snyk.NewPackageCommand.func1(0xc000005500?, {0xc00017a4f0, 0x1?, 0x1?})
/home/runner/work/parlay/parlay/internal/commands/snyk/packages.go:24 +0x1b8
github.com/spf13/cobra.(*Command).execute(0xc000005500, {0xc00017a4b0, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(0xc000050000?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992 +0x19
main.main()
/home/runner/work/parlay/parlay/main.go:26 +0x1e

getSnykOrg does not error on non-200 responses

When looking up user info to infer a user’s org ID, the getSnykOrg function will happily carry on even after non-200 OK responses (e.g. for bad API tokens), resulting in a nil UUID, resulting in a runtime panic.
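The two reports above (a silent pass-through on a bad token, and a nil UUID that later panics) share one root cause: the response is decoded without first checking the status. The following is an added example, not Parlay's code, of a lookup that refuses to proceed on anything but 200 and returns a typed error carrying the status, exercised against a constructed local stand-in for the API. The `/user/me` path, the `token` authorization scheme and the `org_id` field are assumptions for the example, not a statement of the real API's shape.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrNoToken is returned before any network call when no token is configured,
// so the CLI can fail loudly instead of echoing the input SBOM unchanged.
var ErrNoToken = errors.New("must provide a SNYK_TOKEN environment variable")

// APIError carries the HTTP status and body of a non-200 response so callers
// can distinguish a rejected token (401) from an outage (5xx).
type APIError struct {
	Status int
	Body   string
}

func (e *APIError) Error() string {
	return fmt.Sprintf("api returned HTTP %d: %s", e.Status, e.Body)
}

// userInfo holds only the field this example needs (assumed name).
type userInfo struct {
	OrgID string `json:"org_id"`
}

// FetchOrgID performs one authenticated GET and decodes the body only when the
// status is 200. Every other outcome is an error, so no empty ID escapes into
// later requests. The body is capped so a hostile or broken server cannot make
// the client buffer unbounded data.
func FetchOrgID(client *http.Client, baseURL, token string) (string, error) {
	if token == "" {
		return "", ErrNoToken
	}
	req, err := http.NewRequest(http.MethodGet, baseURL+"/user/me", nil) // assumed endpoint
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "token "+token) // assumed scheme
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", &APIError{Status: resp.StatusCode, Body: string(body)}
	}
	var u userInfo
	if err := json.Unmarshal(body, &u); err != nil {
		return "", fmt.Errorf("decode user info: %w", err)
	}
	if u.OrgID == "" {
		return "", errors.New("user info did not contain an org id")
	}
	return u.OrgID, nil
}

// NewFakeAPI is a constructed stand-in for the remote API: it accepts exactly
// one token and answers 401 for anything else, mimicking a bad-token response.
func NewFakeAPI(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "token "+validToken {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"message":"Invalid auth token provided"}`)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"org_id":"11111111-2222-3333-4444-555555555555"}`)
	}))
}

func main() {
	srv := NewFakeAPI("good-token")
	defer srv.Close()
	for _, tok := range []string{"", "bad-token", "good-token"} {
		id, err := FetchOrgID(srv.Client(), srv.URL, tok)
		fmt.Printf("token=%q org=%q err=%v\n", tok, id, err)
	}
}
```

Because the function returns an error rather than an empty ID, the enrich command can surface it once and stop; a caller that wants the single lookup requested in the earlier "Snyk enrich is looking up user info per package" issue simply calls FetchOrgID once and reuses the value for every component.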

Support enriching SPDX SBOMs

Currently parlay only supports CycloneDX. Implementing this for SPDX would be useful, though not all information may be applicable to the SPDX spec.

Add a GitHub Action for parlay

It would be useful to have a GitHub Action for parlay, to make it easier to use as part of a pipeline. Speculating around the interface:

uses: snyk/parlay/action@v0
with:
  input: <some-sbom-path>
  enricher: snyk
  output: <new-sbom-path>

Support for CycloneDX 1.5

Parlay is an awesome tool, thank you very much for it.

Are there any plans to support CycloneDX specification 1.5? A lot of tools generate only the newest version and it would be great if Parlay could be used for these SBOMs as well.

Error when trying to scan .xml SBOM

# parlay ecosystems enrich testing/sbom.cyclonedx.xml
2:00PM FTL Input needs to be a valid CycloneDX SBOM error="invalid character '<' looking for beginning of value"

I'm trying to enrich sbom from your testing directory.

Snyk enrichment always returns null

Hello,

So I have tried using the Snyk enrichment on parlay, and no matter what type of SBOM I provide it with, it always returns the value null. Even if I use the example found in the blog post announcing parlay, I get the same result:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "subtext",
      "version": "6.0.12",
      "purl": "pkg:npm/subtext@6.0.12"
    }
  ],
  "vulnerabilities": null
}

Unable to install

Attempting to install v0.1.4 on a Mac (Apple M1 Max)

Installation docs show:

wget https://github.com/snyk/parlay/releases/download/v{version}/parlay_{version}_Darwin_arm64.tar.gz
tar -xvf parlay_{version}_Darwin_arm64.tar.gz

*Note that the v in download/v{version}/ should be removed resulting in download/v{version}/

Inserting a version (v0.1.4) results in the following commands:

wget https://github.com/snyk/parlay/releases/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz
tar -xvf parlay_v0.1.4_Darwin_arm64.tar.gz

This fails with the following response:

--2023-06-09 13:15:09--  https://github.com/snyk/parlay/releases/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz
Resolving github.com (github.com)... 192.30.255.112
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-06-09 13:15:10 ERROR 404: Not Found.

tar: Error opening archive: Failed to open 'parlay_v0.1.4_Darwin_arm64.tar.gz'

Replacing the first line of the command with the following results in a successful download of the file:

wget https://github.com/snyk/parlay/releases/tag/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz

But the command tar -xvf parlay_v0.1.4_Darwin_arm64.tar.gz or tar -xzf parlay_v0.1.4_Darwin_arm64.tar.gz results in an error:

tar: Error opening archive: Unrecognized archive format

I wasn't able to move the needle further with manual downloads or unzip attempts.
