Uploading dependency snapshot is not working because of PURL containing backslash

[KimBartikowski5337]

What happened:
The step Uploading workflow artifacts resulted in an error.
The error message contains the following:

Warning: Error uploading depdendency snapshot: {
[...]
"message": "invalid package url: in manifest \"[..].ecr.eu-central-1.amazonaws.com/akhq:latest:/bin/busybox\" decoding \"\": scheme is missing",
[..]
}

What you expected to happen:
Upload of the dependency snapshot is successful.

Steps to reproduce the issue:

• Use an container image as input to be scanned which contains busybox as a library e.g. alpine as base image

Environment:

• syft version: 0.76.0

Do you have any idea whether this is a misconfiguration or is this maybe a bug?

[mortenhauberg]

I am facing the same issue using this workflow

name: Testing
on: [push]
jobs:
   SBOM:
     runs-on: ubuntu-latest
     steps:
        - uses: actions/checkout@v3
        - name: SBOM
          uses: anchore/sbom-action@v0
          with:
            image: *******
            registry-username: ${{ secrets.DOCKER_LOGIN }}
            registry-password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
            output-file: "sbom.spdx.json"
            dependency-snapshot: true
            artifact-name: "sbom.spdx.json"

[kzantow]

@KimBartikowski5337 I don't believe this is a configuration issue but rather a situation where a backslash may not be properly escaped. The PURL spec doesn't specifically mention backslashes: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#character-encoding, but I'd need to see exactly what PURL is generated and how it's encoded in JSON.

Do either of you, @KimBartikowski5337 or @mortenhauberg happen to have a public image that exhibits this behavior?

[mortenhauberg]

I've tried with

• node:lts-alpine3.17
• php:8.2-alpine3.16
• golang:alpine3.17
• python:alpine3.17
• alpine:latest

Looks like it's any alpine images.

Please let me know if there's anything else I can do to help

[kzantow]

Hi all -- I've had a bit of a look at this and from what I can tell, the only thing Syft is doing (for example with alpine:latest) is encoding the ampersand (&) in the purl to \u0026. I believe this is valid JSON and I'm a little confused why this is failing to be processed by GitHub, maybe it's an issue on their end?

As a workaround, I've made a change to the GitHub exporter that hopefully solves the problem for you: anchore/syft#1782

[kzantow]

Hi @KimBartikowski5337 @mortenhauberg -- would you be able to try v0.14.2? I've updated Syft to not escape HTML characters for the GitHub output, which I think should fix this problem for you. From what I could tell, the only backslashes were due to escaping HTML characters to JSON escape sequences. The update to Syft v0.80.0 adjusts this behavior so this escaping does not happen. As far as I could tell, this is a GitHub issue if it cannot accept escaped sequences in JSON, but it would be great to verify this change in behavior fixes things for you!

[mortenhauberg]

      - name: Generate SBOM
        uses: anchore/sbom-action@v0.14.2
        with:
          image: 'php:8.2-alpine3.17'
          output-file: sbom.spdx.json
          dependency-snapshot: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          artifact-name: sbom.spdx.json
          format: spdx-json

is giving me

------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-hLK3US/sbom.spdx.json
Uploading GitHub dependency snapshot from /tmp/sbom-action-hLK3US/github.sbom.json
Warning: Error uploading depdendency snapshot: {
  "url": "https://api.github.com/repos/**********/dependency-graph/snapshots",
  "status": 422,
  "headers": {
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
    "connection": "close",
    "content-length": "244",
    "content-security-policy": "default-src 'none'",
    "content-type": "application/json; charset=utf-8",
    "date": "Mon, 08 May 2023 05:24:03 GMT",
    "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "server": "GitHub.com",
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "vary": "Accept-Encoding, Accept, X-Requested-With",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-github-api-version-selected": "2022-11-28",
    "x-github-media-type": "github.v3; format=json",
    "x-github-request-id": "A00D:089D:43009A:8BC06B:64588773",
    "x-ratelimit-limit": "100",
    "x-ratelimit-remaining": "99",
    "x-ratelimit-reset": "1683523503",
    "x-ratelimit-resource": "dependency_snapshots",
    "x-ratelimit-used": "1",
    "x-xss-protection": "0"
  },
  "data": {
    "message": "invalid package url: in manifest \"php:8.2-alpine3.17:/bin/busybox\" decoding \"\": scheme is missing",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
}

[JannickKemming1997]

Hi @kzantow, I've tested v0.14.2 on behalf of @KimBartikowski5337 since we're on the same team. Sadly, we're also getting the same result as Morten:

"message": "invalid package url: in manifest \"[...].ecr.eu-central-1.amazonaws.com/akhq:latest:/bin/busybox\" decoding \"\": scheme is missing"

[LennardWesterveld]

Using the latest version of syft fixed it for me:

      - uses: anchore/sbom-action@v0.14.3
        with:
          syft-version: v0.92.0

[JannickKemming1997]

Can confirm it's working now, thank you very much! I suggest we close this issue.

[KimBartikowski5337]

As @LennardWesterveld wrote, using the more recent syft version (v0.92.0) fixed the problem.

[vaidik]

I dont think this problem is resolved. In the comment from @LennardWesterveld , the code example does not set dependency-snapshot to true. In that case, this action does not try to upload the dependencies to Github. Hence the PURL backslash error is not coming up. I tried using the latest version of syft and sbom-action, I am still facing this issue.

[kzantow]

Apologies for the delay here.

I've tried this again with the latest release and latest on main, and these both seem to work properly with the images noted in this issue. Perhaps there was some change on the GitHub side which temporarily altered the submission processing, but you are able to see success for example here using php:8.2-alpine3.16. I've had a more detailed look at what Syft is generating, and the only thing I can see that would return this error can be seen in this snippet (the strings starting with php:8.2:

  "manifests": {
    "php:8.2-alpine3.17:/lib/apk/db/installed": {
      "name": "php:8.2-alpine3.17:/lib/apk/db/installed",
      "file": {
        "source_location": "php:8.2-alpine3.17:/lib/apk/db/installed"
      },  
      "metadata": {
        "syft:filesystem": "sha256:63d7bb5a8298b67ec1b6e29f3e26cbda5591e499f85b40b2080561eaebe4add6"
      },    
      "resolved": {
        "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0": {
          "package_url": "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.5",      
          "relationship": "direct",
          "scope": "runtime",
          "dependencies": [
            "pkg:apk/alpine/alpine-baselayout@3.4.0-r0"
          ]
        },
        "pkg:apk/alpine/alpine-baselayout@3.4.0-r0": {
     ...

However, note that according to the documentation, none of the fields starting with "php:8.2 are supposed to be package URL fields, only the package_url fields are.

As far as I can tell, the sbom-action is doing the right thing (and seems to be working fine currently). If anyone continues to have issues, please provide as much information as you can for us to be able to reproduce the problem.