go list -deps fails when using AWS CDK with Golang due to template file issue

[norchen]

When using cdxgen with a codebase that includes AWS CDK and contains Golang code, the following error occurs:

1. Check if the correct version of golang is installed. Try building the application using go build or make command to troubleshoot.
2. If the application uses private go modules, ensure the environment variable GOPRIVATE is set with the comma-separated repo names.
Ensure $HOME/.netrc file contains a valid username and password for the private repos.
3. Alternatively, consider generating a post-build SBOM from the built binary using blint. Use the official container image and invoke cdxgen with the arguments `-t binary --lifecycle post-build`.
Manually parsing go.mod files. The resultant BOM would be incomplete.

After some local testing, I found that this issue is caused by an error in go list when it attempts to parse template files included in the aws-cdk NPM package. This can be reproduced within a CDK project as follows:

$ npm i
....
$ go list -deps ./...
package github.com/example-org/example-repo/node_modules/aws-cdk/lib/init-templates/app/go: invalid input file name "%name%.template.go"
package github.com/example-org/example-repo/node_modules/aws-cdk/lib/init-templates/sample-app/go: invalid input file name "%name%.template.go"

This issue has also been reported in the AWS CDK repository and is being discussed here: aws/aws-cdk#13971

Unfortunately, it is not possible to exclude certain subdirectories with native go tooling as discussed here: golang/go#42965

Is it an option to handle go before npm or deleting node_modules folder after the npm run in cdxgen or excluding certain directories?
Looking forward to your thoughts on this. Thanks!

[prabhu]

Have you tried running cdxgen with --exclude "**/node_modules/**". Can you share a small repo to reproduce this problem?

[norchen]

Thanks for having a look and your suggestion! We tried using the --exclude flag, but it doesn't seem to have an effect.

As I see in the code for go list -deps ./... (Ref) nothing will be excluded, which is understandable, since it is not possible to exclude certain subdirectories with native go tooling yet.

I will provide a small repo to reproduce the issue in the next few days.

[norchen]

Hey @prabhu
I uploaded a lightweight example for reproducing the issue: https://github.com/norchen/simple-cdk-ts-and-go-code-example

How to reproduce the issue locally

1. Check out this repository
2. Run npm install
3. Run cdxgen. I used the following command:

docker run --rm  -e CDXGEN_DEBUG_MODE=debug -e FETCH_LICENSE=true -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:latest -r /app -o /app/sbom.json

Actual behavior

The cdxgen log will contain the following:

...
Executing go list -deps in /app
go list -deps command has failed for /app
go: downloading github.com/aws/aws-lambda-go v1.47.0
package simple-cdk-ts-and-go-code-example/node_modules/aws-cdk/lib/init-templates/app/go: invalid input file name "%name%.template.go"
package simple-cdk-ts-and-go-code-example/node_modules/aws-cdk/lib/init-templates/sample-app/go: invalid input file name "%name%.template.go"

Executing go mod graph in /app
...

A thought about the node_modules folder

The actual SBOM is generated with the help of a GitHub action workflow. So there is no node_modules folder initially, when running the action (since it is not committed). But we experience this nonetheless even if there is no direct npm/node setup during our action run (maybe some runner's or cdxgen "magic" 🤔).

It would be lovely to have an option to exclude certain directories for go.
Thank a lot for taking a look on it!

[prabhu]

@norchen Thank you for the sample app. Can you send a PR based on the below instructions?

1. Change this line to process.env.CDXGEN_GO_PACKAGES || "./...",
2. Run cdxgen with export CDXGEN_GO_PACKAGES="./src/main.go"

git clone
pnpm install
node bin/cdxgen.js $(pwd)