Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"bom map" only prints an error, but doesn't exit with failure on internal mapping issue #117

Open
gernot-h opened this issue Jan 13, 2025 · 0 comments · May be fixed by #119
Open

"bom map" only prints an error, but doesn't exit with failure on internal mapping issue #117

gernot-h opened this issue Jan 13, 2025 · 0 comments · May be fixed by #119

Comments

@gernot-h
Copy link
Collaborator

In one SW360 instance, we have a release with a somehow invalid version number "libffi 3.4.4._ME-1". This can't be parsed and leads to an error message during "bom map":

CaPyCli, 2.6.0 - Map a given SBOM to data on SW360

Loading SBOM file ../distro-clearing-alpine/issue193-bom.json
  Analyzing token...
  Token will expire on 2025-03-02 12:33:33
  Checking access to SW360...
No cached releases available!

Do mapping...
[...]
  libc-dev, 0.7.2-r5.alpine
    Found component 5ed9713fcf264070b9c5a0210cb56264 via purl
  libedit, 20230828.3.1-r3.alpine
    Found component bc75c910ca9866886cb4d7b3a30150aa via purl
  libffi, 3.4.4-r3.alpine
Unable to parse version 3.4.4._ME-1
    Error mapping SBOM item: AttributeError("'ComparableVersion' object has no attribute 'parts'")
  libgcrypt, 1.10.3-r0.alpine
    Found component 184653f661036675f8006a0d610027c8 via purl
  libgpg-error, 1.47-r2.alpine
    Found component 184653f661036675f8006a0d61003b73 via purl
[...]

Mapping result:
[...]
  Full match by id, libc-dev, 0.7.2-r5.alpine => Alpine libc-dev, 0.7.2-r5.alpine, 0d0917631bb2482ca430db5a2bcbf77a
  Full match by id, libedit, 20230828.3.1-r3.alpine => libedit, 20230828.3.1-r3.alpine, 452eee928932470cb47d8d960f45a9f6
  Full match by id, libgcrypt, 1.10.3-r0.alpine => libgcrypt, 1.10.3-r0.alpine, 50828e14cfba43f8b3052c88b576897e
  Full match by id, libgpg-error, 1.47-r2.alpine => libgpg-error, 1.47-r2.alpine, b1cd886da5fb4cf1b3dbc1db679664ea
[...]
Total releases    = 40
  Full matches    = 40
  Name matches    = 0
  Similar matches = 0
  No match        = 0

Writing updated SBOM to test-out.json

So the user is informed with a yellow "Error" message somewhere in the long output, but it's not mentioned in the summary at the end, CaPyCli will finish with exit code 0. And even worse, the component will be missing completely from test-out.json.

Basically, https://github.com/sw360/capycli/blob/v2.6.0/capycli/common/comparable_version.py#L33 will consume the exception, print the error and then forget about it.

As we often map large SBOMs in CI, this error in the longish output can easily go unnoticed (and did for us, for about 3 months, affecting a couple of projects).

This is not about just fixing the error in the version string parsing (I will create a separate issue/PR for this), but I'd like to improve the error handling here. Some ideas:

  • Bail out with an error message immediately if we see an exception.
  • Remember the error and set exit code at the end.
  • At least assure that the component stays in the output BOM.

What do you think, @tngraf?
gernot-h added a commit that referenced this issue Jan 14, 2025
@gernot-h
fix: avoid bom map losing releases due to inconsistent SW360 data
e300cb6 
In case of paring errors in the version number, an empty
ComparableVersion object was created, leading to an exception in release
sorting in map_bom_item_no_cache(). This was caught by the caller
map_bom_to_releases(), but lead to this component being missing
completely from the output BOM.

This fixes the obvious part of #117. However, I still think that the
catch-all exception handling in map_bom_to_releases() should be
re-considered.
@gernot-h gernot-h linked a pull request Jan 14, 2025 that will close this issue
Open
gernot-h added a commit that referenced this issue Jan 14, 2025
@gernot-h
fix: avoid bom map losing releases due to inconsistent SW360 data
e6f6530 
In case of paring errors in the version number, an empty
ComparableVersion object was created, leading to an exception in release
sorting in map_bom_item_no_cache(). This was caught by the caller
map_bom_to_releases(), but lead to this component being missing
completely from the output BOM.

This fixes the obvious part of #117. However, I still think that the
catch-all exception handling in map_bom_to_releases() should be
re-considered.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix bug triggering #117, leading to loosing components during "bom map" sw360/capycli
1 participant
@gernot-h