Description
What happened:
I have an dotnet core web application and want to create SBOMs for DTrack to get security warnings.
In my example I added an old version of System.Text.RegularExpressions directly to my project and created the SBOM with syft.
deps.json:
ToDoApi.deps.json
SBOM:
bom_runtime.zip
The DTrack reacts as expected and finds the security issue:
System.Text.RegularExpressions | 4.3.0 | NVD CVE-2019-0820 | High | OSS Index | 22 Nov 2023 |
But by analyzing my published application directory this library does not exist:
My application uses the runtime version of this library. In this case it is the Microsoft.NETCore.App.Runtime.linux-musl-x64 7.0.
But this mayor dependency is not part of the generated SBOM.
What you expected to happen:
I expect that only libraries are listed as dependencies that are used by my application.
In this case it should only be the Newtonsoft and Prometheus libraries.
- All framework libraries should not be part of the dependencies.
- The runtime version of the application should be part of the dependencies
A possible solution is described below.
Steps to reproduce the issue:
Create a basic .net web API and add some framework nuget packages in a problematic version eg: _System.Text.RegularExpressions | 4.3.0 _
Publish the project and run a syft scan on the output directory.
This issue happens most of the time by adding third party libraries that use these outdated framework libraries.
So a simple update of the lib normally not solves the "problem".
Anything else we need to know?:
I read and tested a lot in this context and it might be that I have a solution.
According to this description: https://github.com/dotnet/sdk/blob/main/documentation/specs/runtime-configuration-file.md the "targets" section might be the better part to evaluate the deps.json:
Each property under targets describes a "target", which is a collection of libraries required by the application when run or compiled in a certain framework and platform context. A target must specify a Framework name, and may specify a Runtime Identifier. Targets without Runtime Identifiers represent the dependencies and assets which are platform agnostic.
First of all the runtime version is part of the targets tree and could be used to create a component in the SBOM.
Further more all used libraries are listed below the runtime version element and only libraries that exist in the published folder have a "runtime" element inside.
Example entries:
I build a small tool that removed all libraries from the deps.json that have no runtime entry in the targets section and created the SBOM with the new file. This created a proper output in my opinion.
I am certainly not sure if my solution is valid.
I am actually quite irritated that there exist framework nuget packages that in my opinion are never used when added to a application.
Environment:
- Output of
syft version: 0.93.0 (because newer versions had another issue that prevented from working at all) - OS (e.g:
cat /etc/os-releaseor similar): Windows 10
Thanks for developing this tool and for help in this issue.
Metadata
Metadata
Assignees
Type
Projects
Status