Missing licenses and "skipping encoding of unsupported property: syft:metadata:goBuildSetting" #1007

Closed
mrtnbm opened this issue May 19, 2022 · 3 comments · Fixed by #1332
mrtnbm commented May 19, 2022

What happened:
I've tried to analyze the jenkins 2.346 image with syft and I got a lot of warnings which stated "unable to convert relationship from CycloneDX 1.4 JSON" and "skipping encoding of unsupported property: syft:metadata:goBuildSetting". After analyzing the BOM, I noticed that some licenses were missing.

What you expected to happen:
All licenses are correctly displayed and no error messages pop up when analyzing the jenkins 2.346 image.

How to reproduce it (as minimally and precisely as possible):

  1. Analyze and automatically pull the image with syft packages jenkins/jenkins:2.346 -vv -o cyclonedx-json=sbom.json
  2. Analyze stdout and the sbom.

Anything else we need to know?:
log:

[0000]  INFO syft version: 0.46.1
[0000] DEBUG application config:
verbosity: 2
quiet: false
output:
- cyclonedx-json=sbom-report-syft-new.json
file: ""
check-for-app-update: true
anchore:
  host: ""
  path: ""
  dockerfile: ""
  overwrite-existing-image: false
  import-timeout: 30
dev:
  profile-cpu: false
  profile-mem: false
log:
  structured: false
  level: debug
  file: ""
package:
  cataloger:
    enabled: true
    scope: Squashed
  search-unindexed-archives: false
  search-indexed-archives: true
file-metadata:
  cataloger:
    enabled: false
    scope: Squashed
  digests:
  - sha256
file-classification:
  cataloger:
    enabled: false
    scope: Squashed
file-contents:
  cataloger:
    enabled: false
    scope: Squashed
  skip-files-above-size: 1048576
  globs: []
secrets:
  cataloger:
    enabled: false
    scope: AllLayers
  additional-patterns: {}
  exclude-pattern-names: []
  reveal-values: false
  skip-files-above-size: 1048576
registry:
  insecure-skip-tls-verify: false
  insecure-use-http: false
  auth: []
exclude: []
attest:
  key: ""
  cert: ""
  no_upload: false
  force: false
  recursive: false
  replace: false
  fulcio_url: https://fulcio.sigstore.dev
  fulcio_identity_token: ""
  insecure_skip_verify: false
  rekor_url: https://rekor.sigstore.dev
  oidc_issuer: https://oauth2.sigstore.dev/auth
  oidc_client_id: sigstore
  oidc_redirect_url: ""
platform: ""
[0000] DEBUG checking if new vesion of syft is available
[0000] DEBUG no new syft update available
[0000] DEBUG image: source=DockerDaemon location=jenkins/jenkins:2.346 from-lib=stereoscope
[0005] DEBUG image metadata: digest=sha256:5c1acdaa7aa743273673a87dfe37a81236c0b88c3ad5f0761715545c32831d23 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[jenkins/jenkins:2.346] from-lib=stereoscope
[0006]  INFO identified distro: Debian GNU/Linux 11 (bullseye)
[0006]  INFO cataloging image
[0006] DEBUG cataloging with "ruby-gemspec-cataloger"
[0006] DEBUG discovered 0 packages
[0006] DEBUG cataloging with "python-package-cataloger"
[0006] DEBUG discovered 0 packages
[0006] DEBUG cataloging with "php-composer-installed-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "javascript-package-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "dpkgdb-cataloger"
[0007] DEBUG discovered 165 packages
[0007] DEBUG cataloging with "rpmdb-cataloger"
[0007] DEBUG discovered 0 packages
[0007] DEBUG cataloging with "java-cataloger"
[0010] DEBUG discovered 292 packages
[0010] DEBUG cataloging with "apkdb-cataloger"
[0010] DEBUG discovered 0 packages
[0010] DEBUG cataloging with "go-module-binary-cataloger"
[0010] DEBUG discovered 26 packages
[0010] DEBUG cataloging with "dotnet-deps-cataloger"
[0010] DEBUG discovered 0 packages
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[0010]  WARN skipping encoding of unsupported property: syft:metadata:goBuildSettings
[...]
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/etc/deluser.conf" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/usr/sbin/adduser" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[0010] DEBUG unable to convert relationship from CycloneDX 1.4 JSON, dropping: {From:Pkg(name="adduser" version="3.118" type="deb" id="a124711c55c5b5ec") To:Location<RealPath="/usr/sbin/deluser" Layer="sha256:a13c519c6361b881ba38a452d05e130fc2ee26f0849f119936d747b96cf6a5c3"> Type:contains Data:<nil>}
[...]

Environment:

  • Output of syft version:
Application:        syft
Version:            0.46.1
JsonSchemaVersion:  3.2.3
BuildDate:          2022-05-16T15:00:53Z
GitCommit:          03ee4fdf5e87907c5a49ae353c44682894bb411c
GitDescription:     v0.46.1
Platform:           linux/amd64
GoVersion:          go1.18.1
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
    • WSL2 Ubuntu 22.04:
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
@mrtnbm mrtnbm added the bug Something isn't working label May 19, 2022
@spiffcs spiffcs added this to OSS May 23, 2022

spiffcs commented Aug 4, 2022

Just ran this locally and confirmed we need to add support to the cyclonedxhelpers folder for the goBuildSettings

This could be a good first issue for anyone who is curious about how syft does the translation from its core data model into the different formats.

@spiffcs spiffcs added the good-first-issue Good for newcomers label Aug 4, 2022
@spiffcs spiffcs moved this to Parking Lot (Comments or Progress) in OSS Aug 4, 2022

kzantow commented Nov 8, 2022

Quick note: unable to convert relationship from CycloneDX... is not a warning, it's a DEBUG level message.

This issue is otherwise two separate issues and should be split up:

  • support for map[string]string encoding/decoding for Syft properties (in CycloneDX) -- this is probably a nontrivial issue due to required reflection usage
  • missing licenses in the output -- this is likely to be due to no license information being present, but further investigation is required here
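
The map[string]string encoding/decoding mentioned in the comment above, as an added example that is not syft's own code: a reflection-based round trip between a struct's map field and CycloneDX-style name/value properties. The `GoBinMeta` type, the `Encode`/`Decode` functions and the `prefix:field:key` naming scheme are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Property mirrors a CycloneDX name/value pair; GoBinMeta is a hypothetical metadata type.
type Property struct{ Name, Value string }
type GoBinMeta struct{ GoBuildSettings map[string]string }

func lowerFirst(s string) string { return strings.ToLower(s[:1]) + s[1:] }

// Encode emits one property per map entry, named prefix:field:key (assumed scheme).
func Encode(prefix string, v interface{}) []Property {
	var out []Property
	rv := reflect.ValueOf(v)
	for i := 0; i < rv.NumField(); i++ {
		name, f := prefix+":"+lowerFirst(rv.Type().Field(i).Name), rv.Field(i)
		if f.Kind() == reflect.Map { // assumes map[string]string; other kinds skipped
			for _, k := range f.MapKeys() {
				out = append(out, Property{name + ":" + k.String(), f.MapIndex(k).String()})
			}
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Name < out[b].Name }) // map order is random
	return out
}

// Decode reverses Encode into dst (pointer to struct); unknown names are skipped.
func Decode(prefix string, props []Property, dst interface{}) {
	rv := reflect.ValueOf(dst).Elem()
	for i := 0; i < rv.NumField(); i++ {
		head, f := prefix+":"+lowerFirst(rv.Type().Field(i).Name)+":", rv.Field(i)
		for _, p := range props {
			if f.Kind() == reflect.Map && strings.HasPrefix(p.Name, head) {
				if f.IsNil() {
					f.Set(reflect.MakeMap(f.Type()))
				}
				f.SetMapIndex(reflect.ValueOf(p.Name[len(head):]), reflect.ValueOf(p.Value))
			}
		}
	}
}

func main() { // constructed sample values
	fmt.Println(Encode("syft:metadata", GoBinMeta{map[string]string{"-compiler": "gc", "CGO_ENABLED": "0"}}))
}
```

Sorting the encoded properties keeps the generated SBOM byte-stable across runs, which matters when SBOMs are diffed or signed.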


kzantow commented Nov 8, 2022

It also looks like the license ask may be a duplicate of: #229 -- what do you think?

@kzantow kzantow removed the good-first-issue Good for newcomers label Nov 8, 2022
@kzantow kzantow changed the title from 'Missing licenses with warning "unable to convert relationship from CycloneDX 1.4 JSON" and "skipping encoding of unsupported property: syft:metadata:goBuildSetting"' to 'Missing licenses and "skipping encoding of unsupported property: syft:metadata:goBuildSetting"' Nov 8, 2022
Repository owner moved this from Parking Lot (Comments or Progress) to Done in OSS Nov 8, 2022