CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

How to create an SBOM for a golang project. #1032

Open MohammedAziz02 opened 1 month ago

MohammedAziz02 commented 1 month ago

@prabhu, I tried to create an SBOM for a golang project using: cdxgen -t golang -o sbom.json --spec-version 1.4, but the resulting SBOM has an empty dependencies list. How can I fix this issue? The go.sum file exists.

prabhu commented 1 month ago

@MohammedAziz02 questions could be discussions or Slack/Discord messages. I would always suggest running cdxgen with the CDXGEN_DEBUG_MODE=debug environment variable. Depending on the project, the correct build tools have to be installed. You can verify that the environment is working well by attempting to build the projects.

The cdxgen container image which bundles many build tools and libraries can be a bit simpler, but may not work for all cases.

MohammedAziz02 commented 1 month ago

I have all the tools installed and the environment is working well. I tried to build the project and it works fine. There is also no error message when I activate the debug mode. Are there any other options? Thank you in advance.

prabhu commented 1 month ago

Can you share the output? Do you see the commands go mod graph and go list -deps being executed? Is this on Windows or Linux?

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L3026 https://github.com/CycloneDX/cdxgen/blob/master/index.js#L2982

MohammedAziz02 commented 1 month ago

artifactSBOM.json

I'm using macOS, and the commands go mod graph and go list -deps are also executed correctly without errors.

prabhu commented 1 month ago

Can you reproduce the issue with any public repo?
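Added example, not part of the original thread and not cdxgen's own code: a small Node.js check that reads a CycloneDX JSON BOM and reports whether the component list or the dependency graph is empty, has no edges, or only partly covers the components. The names diagnoseBom and sampleEmpty and the verdict strings are assumptions made for this illustration; the fields read (components, dependencies, ref, dependsOn, bom-ref, metadata.component) are those of the CycloneDX JSON format.

```javascript
// Summarise how well the "dependencies" graph covers "components" in a CycloneDX JSON BOM.
function diagnoseBom(bom) {
  const components = Array.isArray(bom.components) ? bom.components : [];
  const deps = Array.isArray(bom.dependencies) ? bom.dependencies : [];
  const rootRef = bom.metadata?.component?.["bom-ref"];
  // Every bom-ref the graph is allowed to point at.
  const known = new Set(components.map((c) => c["bom-ref"]).filter(Boolean));
  if (rootRef) known.add(rootRef);

  const inGraph = new Set(); // refs that appear anywhere in the graph
  const dangling = new Set(); // refs in the graph with no matching component
  let edges = 0;
  for (const d of deps) {
    inGraph.add(d.ref);
    if (!known.has(d.ref)) dangling.add(d.ref);
    for (const child of d.dependsOn || []) {
      edges += 1;
      inGraph.add(child);
      if (!known.has(child)) dangling.add(child);
    }
  }
  // Components that no dependency entry mentions at all.
  const orphans = [...known].filter((ref) => ref !== rootRef && !inGraph.has(ref));

  let verdict = "ok";
  if (components.length === 0) verdict = "no-components";
  else if (!("dependencies" in bom)) verdict = "dependencies-missing";
  else if (deps.length === 0) verdict = "dependencies-empty";
  else if (edges === 0) verdict = "no-edges";
  else if (orphans.length > 0 || dangling.size > 0) verdict = "partial-graph";
  return { verdict, components: components.length, edges, orphans, dangling: [...dangling] };
}

// Constructed sample (not from the thread): components are listed but the graph is empty.
const sampleEmpty = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  metadata: { component: { "bom-ref": "pkg:golang/example.com/app@v0.0.0", name: "app" } },
  components: [{ "bom-ref": "pkg:golang/example.com/lib@v1.2.3", name: "lib" }],
  dependencies: [],
};

// When run directly under CommonJS: node check.js sbom.json (falls back to the sample).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const bom = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : sampleEmpty;
  console.log(JSON.stringify(diagnoseBom(bom), null, 2));
}
```

A "no-components" verdict means nothing was detected at all, while "dependencies-empty" or "no-edges" means components were found but the relationship graph was not built.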