UNCLASSIFIED - NO CUI


SBOMs from Iron Bank images are invalid

Summary

CycloneDX-formatted SBOMs, whether downloaded directly from Iron Bank images or generated locally (with either Syft or Trivy), fail to validate with the official cyclonedx-cli.

Additionally, SPDX SBOMs from Iron Bank fail too, but locally generated ones appear to be fine. I only checked this against one container: ArgoCD.

Steps to reproduce

  1. Download an SBOM from Iron Bank or generate one locally with syft "$IMAGE_NAME" -o cyclonedx-json --file "$OUTPUT_FILE"
  2. Attempt SBOM validation with cyclonedx validate --input-format json --input-version v1_4 --fail-on-errors --input-file "$OUTPUT_FILE"

Generating SBOMs for non-Iron Bank (non-IB) images the same way produces files that validate successfully.

What is the current bug behavior?

Validation fails. The reported failure location varies for locally generated files, but Iron Bank's SBOMs fail with this (a bare "#" is the JSON-pointer path of the failure, i.e. the root of the document):

Validating JSON BOM...
Validation failed: 
#
BOM is not valid.
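As an added example (not code from Iron Bank, Syft, Trivy or cyclonedx-cli), the following Python script performs an offline structural pre-check of a CycloneDX JSON BOM against a handful of the 1.4 schema rules and reports every problem with a JSON-pointer path, which narrows a bare "#" failure down to a field before the full validator is re-run. The rule set (required root and component properties, the serialNumber urn:uuid pattern, the component type enumeration, and the list of root-level properties allowed by the schema's additionalProperties: false) is transcribed from my reading of the 1.4 JSON schema and should be treated as an assumption; the two embedded BOMs are constructed for the demo, and the function and file names are mine.

```python
"""Offline structural pre-check for CycloneDX 1.4 JSON BOMs (added example).

Re-implements only a few 1.4 schema rules (assumed from the published schema)
so that a "Validation failed: #" result can be attributed to a field. It is a
triage aid, not a replacement for cyclonedx-cli with the official schema.
"""
import json
import re
import sys

# Assumption: the 1.4 schema requires a lowercase-hex RFC 4122 UUID URN.
UUID_URN = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Assumption: component.type enumeration in the 1.4 schema.
COMPONENT_TYPES = {"application", "framework", "library", "container",
                   "operating-system", "device", "firmware", "file"}
# Assumption: root properties permitted by the 1.4 schema; anything else
# trips additionalProperties: false and is reported at the root ("#").
ROOT_KEYS = {"$schema", "bomFormat", "specVersion", "serialNumber", "version",
             "metadata", "components", "services", "externalReferences",
             "dependencies", "compositions", "vulnerabilities", "signature"}


def check_component(comp, ptr):
    """Check one component (and nested components); return problem strings."""
    if not isinstance(comp, dict):
        return [f"{ptr}: component must be an object"]
    problems = []
    for required in ("type", "name"):
        if required not in comp:
            problems.append(f"{ptr}: missing required property '{required}'")
    if "type" in comp and comp["type"] not in COMPONENT_TYPES:
        problems.append(f"{ptr}/type: {comp['type']!r} is not a valid component type")
    nested = comp.get("components", [])
    if not isinstance(nested, list):
        problems.append(f"{ptr}/components: must be an array")
        nested = []
    for i, child in enumerate(nested):
        problems.extend(check_component(child, f"{ptr}/components/{i}"))
    return problems


def check_bom(doc):
    """Apply the 1.4 rules above; return '<pointer>: <problem>' strings (empty = passed)."""
    if not isinstance(doc, dict):
        return ["#: BOM must be a JSON object"]
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("#/bomFormat: must be the constant string 'CycloneDX'")
    if doc.get("specVersion") != "1.4":
        problems.append(f"#/specVersion: expected '1.4', found {doc.get('specVersion')!r} "
                        "(use the matching --input-version when validating)")
    if "version" in doc and (isinstance(doc["version"], bool)
                             or not isinstance(doc["version"], int)):
        problems.append("#/version: must be an integer")
    serial = doc.get("serialNumber")
    if serial is not None and not (isinstance(serial, str) and UUID_URN.match(serial)):
        problems.append("#/serialNumber: must match urn:uuid:<lowercase hex UUID>")
    for key in sorted(set(doc) - ROOT_KEYS):
        problems.append(f"#/{key}: property not allowed at the root of a 1.4 BOM")
    comps = doc.get("components", [])
    if not isinstance(comps, list):
        problems.append("#/components: must be an array")
        comps = []
    for i, comp in enumerate(comps):
        problems.extend(check_component(comp, f"#/components/{i}"))
    return problems


def check_file(path):
    """Load a BOM from disk and return its problem list."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_bom(json.load(fh))


# Constructed sample BOMs (not real Iron Bank output).
GOOD_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "components": [{"type": "library", "name": "zlib", "version": "1.2.13",
                    "purl": "pkg:generic/zlib@1.2.13"}],
}
BAD_BOM = {  # written at a newer spec version, then checked under 1.4 rules
    "specVersion": "1.5", "version": "1",
    "serialNumber": "urn:uuid:3E671687-395B-41F5-A30F-A58921A69B79",
    "formulation": [],  # root property that does not exist in 1.4
    "components": [{"name": "openssl", "type": "package"}, {"type": "library"}],
}

if __name__ == "__main__":
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_bom(BAD_BOM)
    for line in found:
        print(line)
    print("BOM passed pre-check." if not found else f"{len(found)} problem(s) found.")
    sys.exit(1 if found else 0)
```

Run it as `python check_bom.py sbom.json`; with no argument it prints the seven problems in the constructed BAD_BOM. The first thing it flags is the one worth checking by hand before anything else: the file's specVersion must match the --input-version passed to cyclonedx-cli, and a BOM written at a newer spec version, carrying root properties that do not exist in 1.4, is one way to get a failure reported at the root rather than at a component.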

What is the expected correct behavior?

Validating JSON BOM...
BOM validated successfully.

Possible fixes

It may be possible to run older versions of Syft/Trivy to generate a "valid" SBOM, but this may be because newer versions add better scanning, and the new scans may be finding issues that weren't seen before. The most recent version of Syft found to work is 0.72.0, released Feb 16th. The fact that SBOMs for non-IB images are valid on the latest versions of Syft/Trivy leads us to believe the issue is with the IB images.

Tasks

  • Bug has been identified and corrected within the container(s)

Please read the Iron Bank Documentation for more info