Incomplete SBOM generated from Docker image

[robross0606]

I have a Docker image pulled down in a build environment as a TAR file. If I run cdxgen like this:

CDXGEN_DEBUG_MODE=debug cdxgen image.tar --recurse --type docker --output docker-sbom.json

The output shows this:

Extracting layer da9db072f522755cbeb85be2b3f84059b70571b229512f1571d9217b77e1087f.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer d59e90d04288228f49db6d89535feb4e7119f91e6346605068924a43f91d78f5.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer fade95fd4e412a8e7b8cbdc56b683cb03ed104395f143fa2dd33c144f164e674.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer c8c17737a2eb62f989f75fe20404da9526f294dcf155061823432b14949a0467.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 64da33b24d1c26466b4a0fa43fcc678a7591fc196e45ca224ddec8db79548b1f.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 9e15d49e748adaedb35e1f3d0e78faaf9601c032e22aab1594ac65adea8f84b0.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 4abc45ac780dbc97e5a03777cb1ad5ff8deb2bac7b950788764395528ffceb01.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 95dc58268930834bb28317de52b46caf2bef8e74efa468fc14cf08a0ddc55534.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 67c15c0995ba4576492ac54223f1011871d8d7edcf53c32ab44c042ebb6ede4e.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 27dd660ea80b2b4ba08be7efdebfc308470b7296d440dde24615f9f950c4ee5b.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 8abbb724d0629b683f858e45f0d82c9263db315c2b0ed2c46b42c6172a9c5941.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer d2bf8ee318f405c6b67cbe839c3d7da873e38e9e42ec372bf679d32ae12d7acb.tar.gz to /tmp/docker-images-f6cxsw/all-layers
Extracting layer 32b6eabbeeef461bd61ef61939980974255101208d047faf31cba643070c9c8a.tar.gz to /tmp/docker-images-f6cxsw/all-layers
pathList [
  '/tmp/docker-images-f6cxsw/all-layers/usr/local/go',
  '/tmp/docker-images-f6cxsw/all-layers/usr/local/lib',
  '/tmp/docker-images-f6cxsw/all-layers/usr/local/lib64',
  '/tmp/docker-images-f6cxsw/all-layers/opt',
  '/tmp/docker-images-f6cxsw/all-layers/home',
  '/tmp/docker-images-f6cxsw/all-layers/usr/share',
  '/tmp/docker-images-f6cxsw/all-layers/usr/src',
  '/tmp/docker-images-f6cxsw/all-layers/var/www/html',
  '/tmp/docker-images-f6cxsw/all-layers/var/lib',
  '/tmp/docker-images-f6cxsw/all-layers/mnt',
  '/tmp/docker-images-f6cxsw/all-layers/usr/lib',
  '/tmp/docker-images-f6cxsw/all-layers/usr/lib64'
]
Found 0 OS packages at /tmp/docker-images-f6cxsw/all-layers
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/local/go
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/local/lib
Found 197 npm packages at /tmp/docker-images-f6cxsw/all-layers/usr/local/lib
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/local/lib64
Scanning /tmp/docker-images-f6cxsw/all-layers/opt
Found 1 npm packages at /tmp/docker-images-f6cxsw/all-layers/opt
Scanning /tmp/docker-images-f6cxsw/all-layers/home
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/share
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/src
Parsing /tmp/docker-images-f6cxsw/all-layers/usr/src/app/package-lock.json
Unable to parse /tmp/docker-images-f6cxsw/all-layers/usr/src/app/package-lock.json without legacy peer dependencies. Retrying ...
Unable to parse /tmp/docker-images-f6cxsw/all-layers/usr/src/app/package-lock.json in legacy and non-legacy mode. The resulting SBOM would be incomplete.
Scanning /tmp/docker-images-f6cxsw/all-layers/var/www/html
Scanning /tmp/docker-images-f6cxsw/all-layers/var/lib
Scanning /tmp/docker-images-f6cxsw/all-layers/mnt
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/lib
Scanning /tmp/docker-images-f6cxsw/all-layers/usr/lib64
Obtained 198 components and 1 dependencies after dedupe.
===== WARNINGS =====
[
  'Dependency tree is partial with multiple empty dependsOn attributes.'
]

The resulting SBOM file includes all the typical node base language dependencies but none of the actual dependencies from the project in /usr/src/app. So I'm left wondering what these two warnings mean:

Unable to parse /tmp/docker-images-f6cxsw/all-layers/usr/src/app/package-lock.json without legacy peer dependencies. Retrying ...
Unable to parse /tmp/docker-images-f6cxsw/all-layers/usr/src/app/package-lock.json in legacy and non-legacy mode. The resulting SBOM would be incomplete.

===== WARNINGS =====
[
  'Dependency tree is partial with multiple empty dependsOn attributes.'
]

[robross0606]

As a secondary question, is there a way to tell cdxgen to only scan specific directories in the Docker image?

[prabhu]

Found 0 OS packages at /tmp/docker-images-f6cxsw/all-layers - This means trivy wasn't invoked properly, possibly due to the missing cdxgen-plugins or a misconfigured CDXGEN_PLUGINS_DIR environment variable? Let's try to get this working first, before looking at your directory question.

[prabhu]

I have this PR going based on your investigation.

[prabhu]

Can you advise what directories to add to the path list here and how to pass additional directories?

[robross0606]

We upgraded to node-tar v7 recently, so could be a new behavior that is worth reporting upstream too.

Using strict would always cause warnings to error which would then kick out the extraction at that error. Warnings are handled by a "callback and continue" pattern. Errors cause the extraction to immediately fail. This is a fundamentally flawed use of node-tar. I don't believe changes in node-tar v7 caused this and, even if they did, that points to a deficiency in regression testing and cdxgen needs more thorough unit test coverage. This is a cdxgen problem. Not an upstream one.

I have this PR going based on your investigation.

I can provide a PR here. Yours doesn't look correct to me for multiple reasons.

Can you advise what directories to add to the path list here and how to pass additional directories?

I'm not sure what you're asking. First, no changes were needed at that location to get this working. Second, why would you be asking me how to pass additional directories when this is not my code base?

[robross0606]

I can provide a PR here. Yours doesn't look correct to me for multiple reasons.

Before we do a PR here, can we move this from a "discussion" ticket to a proper GitHub issue report?

[prabhu]

Issue 1511 created. Looking forward to the PR.

#1511