Created
April 25, 2024 14:07
-
-
Save topiga/4d459e6a922c2f08fec5a211975316fb to your computer and use it in GitHub Desktop.
Tricy CycloneDX Duplicate Removal Tool. Fixes temporarily https://github.com/aquasecurity/trivy/issues/5796
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import argparse | |
| def remove_duplicates(json_data): | |
| for vulnerability in json_data['vulnerabilities']: | |
| affects = vulnerability['affects'] | |
| unique_affects = [] | |
| seen_refs = set() | |
| for affect in affects: | |
| ref = affect['ref'] | |
| if ref not in seen_refs: | |
| seen_refs.add(ref) | |
| unique_affects.append(affect) | |
| vulnerability['affects'] = unique_affects | |
| return json_data | |
| def main(): | |
| parser = argparse.ArgumentParser(description='Fix CycloneDX file by removing duplicate items in the "affects" array.') | |
| parser.add_argument('--input', dest='input_file', required=True, help='Path to the input CycloneDX file') | |
| parser.add_argument('--output', dest='output_file', required=True, help='Path to the output fixed CycloneDX file') | |
| args = parser.parse_args() | |
| try: | |
| with open(args.input_file, 'r') as file: | |
| cyclonedx_data = json.load(file) | |
| except FileNotFoundError: | |
| print(f'Error: input file "{args.input_file}" not found') | |
| return | |
| except json.JSONDecodeError as e: | |
| print(f'Error: invalid JSON format in input file "{args.input_file}"') | |
| print(f'JSON error: {str(e)}') | |
| return | |
| updated_data = remove_duplicates(cyclonedx_data) | |
| try: | |
| with open(args.output_file, 'w') as file: | |
| json.dump(updated_data, file, indent=2) | |
| except IOError as e: | |
| print(f'Error: failed to write output file "{args.output_file}"') | |
| print(f'IO error: {str(e)}') | |
| return | |
| print(f'Fixed CycloneDX data written to "{args.output_file}"') | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Trivy CycloneDX Duplicate Removal Tool
This Python script helps fix CycloneDX files by removing duplicate items in the "affects" array within the "vulnerabilities" section.
The CycloneDX specification requires that the "affects" array contains unique items. However, Trivy can generate CycloneDX SBOMs with duplicate dependencies in the "affects" array. This causes validation against the CycloneDX JSON schema to fail.
This tool addresses the issue by iterating over each vulnerability in the "vulnerabilities" array, identifying duplicate items in the "affects" array based on the "ref" value, and keeping only the unique items.
Usage:
python script.py --input input.json --output output.json
--input: Path to the input CycloneDX file (required)--output: Path to the output fixed CycloneDX file (required)The script will read the input CycloneDX file, remove duplicate items in the "affects" array, and write the fixed data to the output file. It includes error handling for file not found, invalid JSON format, and I/O errors.
By using this tool, you can ensure your CycloneDX files are valid and can be properly parsed by other tools that consume CycloneDX SBOMs. It helps maintain the integrity and accuracy of your software bill of materials.