Description
What happened:
We use buildkit to create our images using the "--sbom=true" parameter. Buildkit uses syft as the default image scanner during the build process and attaches the SPDX-SBOM to the image-metadata. Later we fetch the attached SPDX-SBOM and scan it using trivy. Trivy then throws an error:
"run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to unmarshal spdx: package parse error: failed to parse package: external references error: failed to parse purl from string: purl is missing name"
Interestingly syft and grype both can use the syft generated SBOM to scan for vulnerabilities. When generating the SBOM using trivy, it can also scan it. The issue happens when the SBOM is generated using syft and then scanned by trivy.
I'm not sure whether the issue is with the SBOM generation using syft or the unmarshalling using trivy. Either way, it affects one dependency in this specific image. The image is quay.io/jetstack/cert-manager-cainjector:v1.18.1
I tracked it down to these lines. When removing this specific package the scan works. I suspect the name "../../" is the culprit:
"packages": [
  {
    "SPDXID": "SPDXRef-Package-go-module-..-..--092e20139a1cd63d",
    "copyrightText": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "externalRefs": [
      {
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceLocator": "pkg:golang/../../@(devel)",
        "referenceType": "purl"
      }
    ],
    "filesAnalyzed": false,
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "name": "../../",
    "sourceInfo": "acquired package info from go module information: /app/cmd/cainjector/cainjector",
    "supplier": "NOASSERTION",
    "versionInfo": "(devel)"
  }
What you expected to happen:
When using syft with buildkit as the default SBOM-generator it should produce a SPDX-SBOM that can also be scanned using trivy. The SBOM should contain valid package names.
Steps to reproduce the issue:
Using syft:
syft quay.io/jetstack/cert-manager-cainjector:v1.18.1 --output spdx-json=sbom-spdx.json
trivy sbom sbom-spdx.json
INFO [vuln] Vulnerability scanning is enabled
INFO Detected SBOM format format="spdx-json"
FATAL Fatal error run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to unmarshal spdx: package parse error: failed to parse package: external references error: failed to parse purl from string: purl is missing name
Using buildkit with underlying syft scanner:
echo "FROM quay.io/jetstack/cert-manager-cainjector:v1.18.1" | docker buildx build -t ttl.sh/cainjector-spdx-sbom-issue:latest --sbom=true --push=true .
docker buildx imagetools inspect ttl.sh/cainjector-spdx-sbom-issue:latest --format "{{ json .SBOM.SPDX }}" > sbom-spdx.json
trivy sbom sbom-spdx.json
INFO [vuln] Vulnerability scanning is enabled
INFO Detected SBOM format format="spdx-json"
FATAL Fatal error run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to unmarshal spdx: package parse error: failed to parse package: external references error: failed to parse purl from string: purl is missing name
Anything else we need to know?:
Environment:
- Output of syft version: 1.27.0
- OS (e.g: cat /etc/os-release or similar): MacOS 15.5 (24F74)
- trivy version:
Version: 0.63.0
Vulnerability DB:
Version: 2
UpdatedAt: 2025-06-25 00:33:18.040989264 +0000 UTC
NextUpdate: 2025-06-26 00:33:18.040988993 +0000 UTC
DownloadedAt: 2025-06-25 06:39:04.658188 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2025-06-24 02:47:33.831692366 +0000 UTC
NextUpdate: 2025-06-27 02:47:33.831692045 +0000 UTC
DownloadedAt: 2025-06-24 12:54:41.974587 +0000 UTC
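As an added example (not code from syft, trivy, or this issue), the script below does what a consumer of third-party SBOMs would want before handing them to a scanner: it walks the `packages` array of an SPDX JSON document, validates every `purl` external reference with a small subset of the purl grammar (scheme, type, optional namespace, name, optional version, qualifiers and subpath), reports the packages whose purl has no usable name, and can drop just the offending purl reference so the rest of the document still scans. The embedded sample SBOM is constructed from the package shown above plus one made-up well-formed package; the simplified purl parsing and the decision to drop the reference rather than the whole package are assumptions of this example, not behaviour of either tool.

```python
"""Pre-scan check for purl external references in an SPDX JSON SBOM.

Added example, not part of syft or trivy. It reproduces the failure mode
from the report: one package whose purl is "pkg:golang/../../@(devel)" makes
the whole document undecodable ("purl is missing name").
"""
import json
import sys
from typing import Dict, List

# Constructed sample SBOM: a trimmed copy of the package from the report plus
# one made-up, well-formed Go module for contrast.
SAMPLE_SPDX: Dict = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-sample",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-go-module-..-..--092e20139a1cd63d",
            "name": "../../",
            "versionInfo": "(devel)",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:golang/../../@(devel)",
                }
            ],
        },
        {
            "SPDXID": "SPDXRef-Package-go-module-example",  # constructed
            "name": "golang.org/x/net",
            "versionInfo": "v0.1.0",  # constructed version
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:golang/golang.org/x/net@v0.1.0",
                }
            ],
        },
    ],
}


def purl_problem(purl: str) -> str:
    """Return "" if the purl has a usable name, otherwise a short reason.

    Simplified purl grammar (an assumption of this example):
    pkg:<type>/[<namespace>/]<name>[@<version>][?<qualifiers>][#<subpath>]
    """
    if not purl.startswith("pkg:"):
        return "missing pkg: scheme"
    body = purl[len("pkg:"):].lstrip("/")
    # Subpath, qualifiers and version are trailing parts; strip them in order.
    body = body.split("#", 1)[0].split("?", 1)[0]
    body = body.rsplit("@", 1)[0]
    purl_type, sep, rest = body.partition("/")
    if not purl_type or not sep or not rest:
        return "missing type or name"
    name = rest.rsplit("/", 1)[-1]
    if name == "":
        return "empty name (purl ends with '/')"
    if name in (".", ".."):
        return f"name {name!r} is a relative path component, not a package name"
    return ""


def find_bad_purls(sbom: Dict) -> List[Dict[str, str]]:
    """List every package whose purl externalRef would not parse."""
    findings: List[Dict[str, str]] = []
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            locator = ref.get("referenceLocator", "")
            reason = purl_problem(locator)
            if reason:
                findings.append({
                    "spdxid": pkg.get("SPDXID", "?"),
                    "name": pkg.get("name", "?"),
                    "purl": locator,
                    "reason": reason,
                })
    return findings


def drop_bad_purl_refs(sbom: Dict) -> Dict:
    """Return a copy of the SBOM with unparsable purl externalRefs removed.

    Only the bad externalRef goes; the package record itself is kept so the
    component is still visible to the consumer, just without a purl.
    """
    out = json.loads(json.dumps(sbom))  # deep copy via JSON round-trip
    for pkg in out.get("packages", []):
        pkg["externalRefs"] = [
            r for r in pkg.get("externalRefs", [])
            if r.get("referenceType") != "purl"
            or not purl_problem(r.get("referenceLocator", ""))
        ]
    return out


if __name__ == "__main__":
    # Usage: python check_purls.py [sbom-spdx.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SPDX
    for f in find_bad_purls(doc):
        print(f"{f['spdxid']} (name={f['name']!r}): {f['purl']!r} -> {f['reason']}")
```

Run against the sample, the report's package is the only finding; run against a real `sbom-spdx.json` from the reproduction steps, it tells you which entries to take to the SBOM producer before the scanner rejects the whole file.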