
Problems generating SBOM after upgrade to v11.x #1635

Open
esetea opened this issue Feb 14, 2025 · 3 comments

Comments

@esetea

esetea commented Feb 14, 2025

Hi,

I am using cdxgen v10.9.11 in Java repositories that contain some internal dependencies. With this version of cdxgen, even if I do not set the private credentials in settings.xml, cdxgen generates an incomplete SBOM.

$ cdxgen --version
10.9.11
$ env | grep PREFER
PREFER_MAVEN_DEPS_TREE=false
$ env | grep CDX
CDX_MAVEN_INCLUDE_TEST_SCOPE=true
$ cdxgen --spec-version 1.5 .
Executing 'mvn -fn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /home/user/TestRepos/repo1
Executing 'mvn dependency:tree -DoutputFile=/tmp/cdxmvn-pE47ut/mvn-tree.txt' in /home/user/TestRepos/repo1

Falling back to parsing pom.xml files. Only direct dependencies would get included!
Executing 'mvn -fn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES
Executing 'mvn dependency:tree -DoutputFile=/tmp/cdxmvn-hTavdr/mvn-tree.txt' in /home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES

Falling back to parsing pom.xml files. Only direct dependencies would get included!
Multiple errors occurred while building this project with maven. The SBOM is therefore incomplete!

$ cat bom.json
{"bomFormat":"CycloneDX","specVersion":"1.5", <...> "tools":{"components":[{"group":"https://github.com/CycloneDX","name":"cdxgen","version":"10.9.11","purl":"pkg:npm/%40cyclonedx/[email protected]","type":"application","bom-ref":"pkg:npm/@cyclonedx/[email protected]","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"group":"","name":"repo1","version":"latest","type":"application","bom-ref":"pkg:gem/repo1@latest","purl":"pkg:gem/repo1@latest","components":[]},"properties":[{"name":"cdx:bom:componentTypes","value":"maven"},{"name":"cdx:bom:componentNamespaces","value":"org.hsqldb"}]},"components":[{"group":"org.hsqldb","name":"hsqldb","version":"2.0.0","purl":"pkg:maven/org.hsqldb/[email protected]?type=jar","type":"library","bom-ref":"pkg:maven/org.hsqldb/[email protected]?type=jar","evidence":{"identity":{"field":"purl","confidence":1,"methods":[{"technique":"manifest-analysis","confidence":1,"value":"/home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES/pom.xml"}]}},"properties":[{"name":"SrcFile","value":"/home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES/pom.xml"}]}],"services":[],"dependencies":[]}

However, if I use cdxgen 11.1.7 with PREFER_MAVEN_DEPS_TREE=false, to use it the same way as the previous version:

$ cdxgen --version
11.1.7
$ env | grep CDX
CDX_MAVEN_INCLUDE_TEST_SCOPE=true
CDX_MAVEN_PLUGIN=2.8.0
$ cdxgen --spec-version 1.5 .
Executing 'mvn -fn 2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /home/user/TestRepos/repo1
Executing 'mvn dependency:tree -DoutputFile=/tmp/cdxmvn-VtMlTd/mvn-tree.txt' in /home/user/TestRepos/repo1

Falling back to parsing pom.xml files. Only direct dependencies would get included!
Executing 'mvn -fn 2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES
Executing 'mvn dependency:tree -DoutputFile=/tmp/cdxmvn-UPKvzb/mvn-tree.txt' in /home/user/TestRepos/repo1/artifact/jobs/REPO1-01-ES

Falling back to parsing pom.xml files. Only direct dependencies would get included!
Multiple errors occurred while building this project with maven. The SBOM is therefore incomplete!

$ cat bom.json
{"bomFormat":"CycloneDX","specVersion":"1.5",<...> "tools":{"components":[{"group":"https://github.com/CycloneDX","name":"cdxgen","version":"11.1.7","purl":"pkg:npm/%40cyclonedx/[email protected]","type":"application","bom-ref":"pkg:npm/@cyclonedx/[email protected]","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"properties":[]},"components":[],"services":[],"dependencies":[]}

I have tried using --technique "manifest-analysis" with v11.1.7 but the result is the same.

The problem occurs even when I have a settings.xml with the credentials for the private repositories. With v10.x I get some internal components and with v11.x the SBOM is empty.

Can I reproduce exactly the same behavior in v11.x as I had in v10.x?
If not, are there some parameters that I am missing that would make it work?

@prabhu
Collaborator

prabhu commented Feb 14, 2025

Check the env variable CDX_MAVEN_PLUGIN=2.8.0. This must be the full value of the plugin, including the name: CDX_MAVEN_PLUGIN=org.cyclonedx:cyclonedx-maven-plugin:2.9.1
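
The two checks that would have caught both problems in this thread, as an added example that is not part of the issue or of cdxgen itself: first, that CDX_MAVEN_PLUGIN carries full groupId:artifactId:version coordinates rather than a bare version (the `mvn -fn 2.8.0:makeAggregateBom` line in the v11 log is the symptom of a bare version), and second, a post-generation gate over bom.json that refuses an SBOM with no components, or one whose `dependencies` list is empty even though components were found (the direct-dependencies-only fallback the log warns about). The two BOM documents below are constructed to mirror the shape of the v10 and v11 outputs quoted above; the function names are this example's own.

```python
import json
import re

# Full Maven plugin coordinates are groupId:artifactId:version. A bare version such as
# "2.8.0" has no colons, so the goal cdxgen builds from it ("2.8.0:makeAggregateBom")
# is not a valid Maven plugin goal and the build falls back to pom.xml parsing.
PLUGIN_COORD_RE = re.compile(r"^[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+$")


def check_plugin_coordinate(value):
    """Return (ok, message) for a CDX_MAVEN_PLUGIN value."""
    if PLUGIN_COORD_RE.match(value):
        return True, f"CDX_MAVEN_PLUGIN={value} has full plugin coordinates"
    return False, (
        f"CDX_MAVEN_PLUGIN={value!r} is not groupId:artifactId:version; "
        f"maven would be invoked with the goal '{value}:makeAggregateBom'"
    )


def sbom_summary(bom_text):
    """Summarise a CycloneDX JSON document: component/dependency counts and warnings."""
    bom = json.loads(bom_text)
    components = bom.get("components") or []
    dependencies = bom.get("dependencies") or []
    warnings = []
    if not components:
        warnings.append("SBOM lists no components (empty SBOM)")
    elif not dependencies:
        # Components were found but no dependency graph: consistent with the
        # "Falling back to parsing pom.xml files" path, which only yields direct deps.
        warnings.append("SBOM has components but no dependency graph (direct deps only?)")
    return {
        "component_count": len(components),
        "dependency_count": len(dependencies),
        "warnings": warnings,
    }


def sbom_gate(bom_text, require_dependency_graph=False):
    """CI gate: True if the SBOM is non-empty (and, optionally, carries a dependency graph)."""
    summary = sbom_summary(bom_text)
    if summary["component_count"] == 0:
        return False
    if require_dependency_graph and summary["dependency_count"] == 0:
        return False
    return True


# Constructed sample documents shaped like the v10 and v11 outputs in the issue.
BOM_V10_LIKE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{
        "group": "org.hsqldb", "name": "hsqldb", "version": "2.0.0",
        "purl": "pkg:maven/org.hsqldb/hsqldb@2.0.0?type=jar", "type": "library",
    }],
    "services": [],
    "dependencies": [],
})

BOM_V11_LIKE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [],
    "services": [],
    "dependencies": [],
})


if __name__ == "__main__":
    for value in ("2.8.0", "org.cyclonedx:cyclonedx-maven-plugin:2.9.1"):
        print(check_plugin_coordinate(value)[1])
    for label, doc in (("v10-like", BOM_V10_LIKE), ("v11-like", BOM_V11_LIKE)):
        print(label, sbom_summary(doc), "gate:", sbom_gate(doc))
```

Running the script prints the rejection of the bare `2.8.0` value, the acceptance of the full coordinate, and a summary for each sample: the v10-like document passes the basic gate but is flagged for having no dependency graph, while the v11-like document fails outright. Wiring `sbom_gate` into the pipeline step that runs after `cdxgen` stops an empty or direct-only SBOM from being published as if it were complete.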

@esetea
Author

esetea commented Feb 17, 2025

Hi,

I have tried with the full value, but I get the same empty result. I could not replicate the output from v10.9.11 with any v11.x version.

@prabhu
Collaborator

prabhu commented Feb 18, 2025

Can you share a sample project to reproduce the problem? We are short of contributors, so we would also appreciate it if you could debug further.
