
Read GitHub Dependency Graph SBOM format #3639

Open
Shweta4398 opened this issue Feb 3, 2025 · 6 comments
Labels
enhancement New feature or request format add support for new input or output format good-first-issue Good for newcomers

Comments

@Shweta4398

Shweta4398 commented Feb 3, 2025

What happened:
I am trying to scan an SBOM generated by Dependabot, which is in SPDX format.

What you expected to happen:
I want to scan the generated SBOM files for vulnerabilities.

How to reproduce it (as minimally and precisely as possible):

./grype reporting-service_sbom.json -o json       
[0001] ERROR failed to catalog: unable to decode sbom: sbom format not recognized
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % ./grype reporting-service_sbom.json --output json
[0001] ERROR failed to catalog: unable to decode sbom: sbom format not recognized
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % ./grype reporting-service_sbom.json --file-format spdx -o json --debug

unknown flag: --file-format
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % ./grype reporting-service_sbom.json -o json --debug 

unknown flag: --debug
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % ./grype reporting-service_sbom.json -o json        

[0000] ERROR failed to catalog: unable to decode sbom: sbom format not recognized
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % ./grype reporting-service_sbom.json -o json

[0001] ERROR failed to catalog: unable to decode sbom: sbom format not recognized
shweta.singh@MAC-C02D70NHMD6V SBOMscripts % 

I want to run the SBOM on the sbom file generated.

Anything else we need to know?:

Environment:

  • Output of grype version:
  • OS (e.g: cat /etc/os-release or similar):
@Shweta4398 Shweta4398 added the bug Something isn't working label Feb 3, 2025
@popey
Contributor

popey commented Feb 3, 2025

Hi @Shweta4398 - thanks for the issue. Sorry to hear you're having troubles with running grype on an SBOM.

However, it's very difficult for us to diagnose the issue without an SBOM to look at.

How did you generate the SBOM?

Can you please link to the SBOM or upload it here, so we can examine it?

@Shweta4398
Author

Hello Popey!!

Sure, I will upload it here. I have generated it through this: https://api.github.com/repos/{owner}/{repo}/dependency-graph/sbom

Below format!!

{
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "com.github.AppDirect/wmode-mqtt-broker",
        "documentNamespace": "https://spdx.org/spdxdocs/protobom/8482f8e2-fe17-4345-a4b2-1ba94269bf13",
        "creationInfo": {
            "creators": [
                "Tool: protobom-devel",
                "Tool: GitHub.com-Dependency-Graph"
            ],
            "created": "2025-02-03T07:55:01Z"
        },
        "packages": [
            {
                "name": "abbrev",
                "SPDXID": "SPDXRef-npm-abbrev-1.1.1-7b26ed",
                "versionInfo": "1.1.1",
                "downloadLocation": "NOASSERTION",
                "filesAnalyzed": false,
                "licenseConcluded": "ISC",
                "copyrightText": "Copyright (c) Isaac Z. Schlueter and Contributors, Copyright Isaac Z. Schlueter and Contributors",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:npm/[email protected]"
                    }
                ]
            },
            {
                "name": "acorn",
                "SPDXID": "SPDXRef-npm-acorn-7.4.1-d87ce5",
                "versionInfo": "7.4.1",
                "downloadLocation": "NOASSERTION",
                "filesAnalyzed": false,
                "licenseConcluded": "MIT",
                "copyrightText": "Copyright (c) 2012-2018 by various contributors",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:npm/[email protected]"
                    }
                ]
            },
            {
                "name": "acorn-jsx",
                "SPDXID": "SPDXRef-npm-acorn-jsx-5.3.2-41e328",
                "versionInfo": "5.3.2",
                "downloadLocation": "NOASSERTION",
                "filesAnalyzed": false,
                "licenseConcluded": "MIT",
                "copyrightText": "Copyright (c) 2012-2017 by Ingvar Stepanyan",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:npm/[email protected]"
                    }
                ]
            },
            {
                "name": "ansi-escapes",
                "SPDXID": "SPDXRef-npm-ansi-escapes-4.3.2-613322",
                "versionInfo": "4.3.2",
                "downloadLocation": "NOASSERTION",
                "filesAnalyzed": false,
                "licenseConcluded": "MIT",
                "copyrightText": "Copyright (c) Sindre Sorhus <[email protected]> (https://sindresorhus.com)",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:npm/[email protected]"
                    }
                ]
            },

wmode-mqtt-broker_sbom.json

@Shweta4398
Author

@popey ^^^

@popey
Contributor

popey commented Feb 3, 2025

Thanks for reporting this issue! I took a look at the SBOM you provided and I think I can see what's happening here.

The SBOM appears to be wrapped in an additional {"sbom": {...}} structure, which isn't part of the SPDX standard format. In fact, when I tried running this through a free online SPDX validator, it fails with "Missing document namespace" - likely because the actual SPDX content isn't at the root level where it's expected to be.

For comparison, a standard SPDX JSON format (like those produced by Syft) has the SPDX fields directly at the root level of the JSON document, like this:

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  ...
}

As a workaround, you can strip that outer wrapper with jq. This should produce a valid SPDX document that Grype can process.

jq '.sbom' wmode-mqtt-broker_sbom.json > unwrapped-wmode-mqtt-broker_sbom.json

Now grype understands the file, as it's in the correct format.

grype unwrapped-wmode-mqtt-broker_sbom.json
 ✔ Vulnerability DB                [updated]
 ✔ Scanned for vulnerabilities     [68 vulnerability matches]
   ├── by severity: 10 critical, 34 high, 22 medium, 2 low, 0 negligible
   └── by status:   64 fixed, 4 not-fixed, 0 ignored
[0085]  WARN attempted CPE search on AppDirect/actions/.github/workflows/cd.yml, which has no CPEs. Consider re-ru
[0085]  WARN attempted CPE search on AppDirect/actions/.github/workflows/dependency-review.yml, which has no CPEs.
[0085]  WARN attempted CPE search on com.github.AppDirect/wmode-mqtt-broker, which has no CPEs. Consider re-runnin
NAME                  INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
ansi-regex            3.0.0      3.0.1     npm   GHSA-93q8-gq69-wqmw  High
ansi-regex            4.1.0      4.1.1     npm   GHSA-93q8-gq69-wqmw  High
bl                    0.8.2      0.9.5     npm   GHSA-wrw9-m778-g6mc  Medium
bl                    0.8.2      1.2.3     npm   GHSA-pp7h-53gx-mx7r  Medium
braces                2.3.2      3.0.3     npm   GHSA-grv7-fg5c-xmjg  High
...

Would you be able to try that and let me know if it resolves the issue? Let me know if you need any clarification or have questions!

@Shweta4398
Author

Shweta4398 commented Feb 3, 2025

Thanks @popey,

Thanks for the above solution, it worked via the terminal. Actually I am trying to update this in the script and having hard luck..!! Can you please help??

Here's my function to get the SBOM

import requests

def get_sbom_for_repo_dependabot(owner, repo, access_token):
  # GitHub REST endpoint for the dependency-graph SBOM export
  url = f'https://api.github.com/repos/{owner}/{repo}/dependency-graph/sbom'
  headers = {'Authorization': f'token {access_token}'}
  response = requests.get(url, headers=headers)
  if response.status_code == 200:
    return response.json()
  else:
    print(f"Error fetching SBOM for {repo}: {response.status_code} {response.text}")
  return None

and write to file

import json

def write_to_file(repo_data, filename):
  try:
    with open(filename, 'w') as file:
      json.dump(repo_data, file, indent=4)
    print(f"SBOM data written to {filename}")
  except Exception as e:
    print(f"Error writing SBOM data to {filename}: {e}")

And generate the SBOM per repo

def generate_sbom_for_repos_dependabot(repos, owner, access_token):
  # sbom_data = []
  for repo in repos:
    repo_name = repo['name']
    # is_repo_archived is a helper defined elsewhere in the script
    if not is_repo_archived(owner, repo_name, access_token):
      sbom = get_sbom_for_repo_dependabot(owner, repo_name, access_token)
      if sbom:
        filename = f"{repo_name}_sbom.json"
        write_to_file(sbom, filename)

Can you suggest the changes to be made above ??
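
As an added example (not code from the issue, nor from Syft or Grype), here is the unwrapping that popey did with jq '.sbom', done inside the Python script instead: the function assumes the GitHub response shape posted above, peels off the outer "sbom" key, and refuses to write a file whose root lacks the SPDX fields a scanner would look for. SAMPLE_RESPONSE is a constructed sample, cut down to one package.

```python
import json

# Added example, not code from the issue or from Syft/Grype.
# Root-level fields an SPDX 2.x JSON document is expected to carry; the
# online validator popey mentioned complained about a missing documentNamespace.
REQUIRED_ROOT_FIELDS = ("spdxVersion", "SPDXID", "documentNamespace", "packages")


def missing_spdx_fields(doc):
    """Return the required SPDX root fields that `doc` does not carry."""
    return [field for field in REQUIRED_ROOT_FIELDS if field not in doc]


def unwrap_github_sbom(payload):
    """Return the SPDX document from a GitHub dependency-graph SBOM response.

    The API wraps the document as {"sbom": {...}}; Grype/Syft expect the SPDX
    fields at the root, which is what `jq '.sbom'` produces. A payload that is
    already a bare SPDX document is returned unchanged.
    """
    if not isinstance(payload, dict):
        raise TypeError("SBOM payload must be a JSON object")
    doc = payload["sbom"] if "sbom" in payload else payload
    missing = missing_spdx_fields(doc)
    if missing:
        raise ValueError(f"not an SPDX 2.x JSON document, missing {missing}")
    return doc


def write_unwrapped_sbom(payload, filename):
    """Write only the SPDX document, so the file can be passed to grype directly."""
    doc = unwrap_github_sbom(payload)
    with open(filename, "w") as fh:
        json.dump(doc, fh, indent=4)
    return doc


# Constructed sample mirroring the response shape posted above (one package only).
SAMPLE_RESPONSE = {
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-org/example-repo",
        "documentNamespace": "https://spdx.org/spdxdocs/example/constructed-0001",
        "creationInfo": {"creators": ["Tool: GitHub.com-Dependency-Graph"],
                         "created": "2025-02-03T07:55:01Z"},
        "packages": [{"name": "abbrev", "SPDXID": "SPDXRef-npm-abbrev-1.1.1-7b26ed",
                      "versionInfo": "1.1.1", "downloadLocation": "NOASSERTION"}],
    }
}
```

Calling write_unwrapped_sbom(sbom, filename) in place of write_to_file(sbom, filename) produces the same file as the jq workaround.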

@kzantow
Contributor

kzantow commented Feb 3, 2025

Hey @Shweta4398, it looks like you're using Grype to scan a GitHub Dependency Graph SBOM. Unfortunately, we do not read those today, but Syft does generate these, so an enhancement would be to read them too. As such, I'm going to move this to the Syft repo and retitle it to better represent the ask. Thanks!

@kzantow kzantow transferred this issue from anchore/grype Feb 3, 2025
@kzantow kzantow changed the title Trying to Scan SBOM Read GitHub Dependency Graph SBOM format Feb 3, 2025
@kzantow kzantow added enhancement New feature or request and removed bug Something isn't working labels Feb 3, 2025
@kzantow kzantow moved this to Ready in OSS Feb 3, 2025
@kzantow kzantow added the good-first-issue Good for newcomers label Feb 3, 2025
@wagoodman wagoodman added the format add support for new input or output format label Feb 3, 2025