
Grype doesn't match u-boot in SBOM if type is set to firmware #2537

Open
SebastianKonplan opened this issue Mar 18, 2025 · 2 comments
Labels: bug (Something isn't working), needs-discussion

Comments

@SebastianKonplan

What happened: If an SBOM is passed with the component u-boot there is no match if the component type is set to firmware. If I change the type to application then the component is matched as expected.

What you expected to happen: Match independent from the type.

How to reproduce it (as minimally and precisely as possible): grype sbom:u-boot.json

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.89.1
    BuildDate: 2025-03-13T20:22:27Z
    GitCommit: 718ea30
    GitDescription: v0.89.1
    Platform: linux/amd64
    GoVersion: go1.24.1
    Compiler: gc
    Syft Version: v1.20.0
    Supported DB Schema: 6

  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS

@SebastianKonplan SebastianKonplan added the bug Something isn't working label Mar 18, 2025
@SebastianKonplan
Author

u-boot.json

@kzantow
Contributor

kzantow commented Mar 31, 2025

Hey @SebastianKonplan, you are right, we currently are not importing firmware component types, e.g.

    {
      "bom-ref": "BomRef.7796056807905384.7566279929523666",
      ...
      "type": "firmware"
    }

You can see the decoding function here. We could probably make this more lenient to include firmware, I've added this to our weekly livestream to discuss.
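The practical risk in this issue is a silent gap: components typed `firmware` in a CycloneDX SBOM are dropped at decode time, so Grype reports no findings for them and the scan looks clean. The following script is an added example, not code from Grype, Syft or this issue; it inspects an SBOM for components Grype would skip and, as the workaround the reporter observed, produces a copy with those components retyped to `application` while recording the original type in a CycloneDX `properties` entry. The sample SBOM, its `bom-ref` values and versions are constructed, and the set of skipped types is an assumption containing only `firmware`, the one type the issue confirms.

```python
import json

# Constructed minimal CycloneDX 1.x SBOM (not the reporter's u-boot.json;
# bom-ref values, versions and purl are made up for this example).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "example-uboot", "type": "firmware", "name": "u-boot",
         "version": "2023.10", "purl": "pkg:generic/u-boot@2023.10",
         # nested component, also declared as firmware
         "components": [
             {"bom-ref": "example-spl", "type": "firmware", "name": "u-boot-spl",
              "version": "2023.10"}]},
        {"bom-ref": "example-busybox", "type": "application", "name": "busybox",
         "version": "1.36.1"},
    ],
})

# Component types reported in this issue as not imported by Grype.
# Assumption: only "firmware" is confirmed by the issue; extend if you verify others.
SKIPPED_TYPES = frozenset({"firmware"})


def _walk(components):
    """Yield every component, recursing into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def find_skipped_components(sbom_json, skipped_types=SKIPPED_TYPES):
    """Return (bom-ref, name, type) for each component whose type is in skipped_types.

    Run this before trusting a clean Grype result: anything listed here was
    never matched against the vulnerability database.
    """
    bom = json.loads(sbom_json)
    return [(c.get("bom-ref"), c.get("name"), c.get("type"))
            for c in _walk(bom.get("components", []))
            if c.get("type") in skipped_types]


def retype_for_scan(sbom_json, skipped_types=SKIPPED_TYPES, new_type="application"):
    """Return a copy of the SBOM with skipped types rewritten to new_type.

    Workaround from the issue: the reporter observed that setting the type to
    "application" makes Grype match u-boot. The original type is kept in a
    CycloneDX property ("x-original-type" is a name chosen for this example)
    so the rewrite stays auditable and reversible.
    """
    bom = json.loads(sbom_json)
    for comp in _walk(bom.get("components", [])):
        if comp.get("type") in skipped_types:
            comp.setdefault("properties", []).append(
                {"name": "x-original-type", "value": comp["type"]})
            comp["type"] = new_type
    return json.dumps(bom, indent=2)


def component_types(sbom_json):
    """Map bom-ref -> type for every component, including nested ones."""
    bom = json.loads(sbom_json)
    return {c.get("bom-ref"): c.get("type") for c in _walk(bom.get("components", []))}


if __name__ == "__main__":
    for ref, name, ctype in find_skipped_components(SAMPLE_SBOM):
        print(f"skipped by grype: {name} ({ref}) type={ctype}")
    # Write the retyped copy next to the original and scan that instead:
    #   grype sbom:u-boot.retyped.json
    with open("u-boot.retyped.json", "w") as fh:
        fh.write(retype_for_scan(SAMPLE_SBOM))
```

Keep the rewritten file separate from the original SBOM: the retyped copy is a scanning aid, and downstream consumers should still receive the SBOM with the real component types.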
