Open emcfins opened 1 month ago
@emcfins Have you tried running with -t python --deep, since it appears like a Python project. We have some logic in place, where -t universal would try to go broader rather than deeper into each language. You may have to run cdxgen from within a python virtual environment with all the packages installed for best results.
We are using the same tooling for multiple projects - we have a mix of projects of different languages and some projects are a mix of languages, so we use -t universal to cover all our requirements.
@emcfins have you tried without specifying any type?
Oh - no I haven't. I'll give that a shot. Thank you!
Not specifying didn't work. Unfortunately, that returned 4287 components
@aryan-rajoria could you kindly work with @emcfins, since these are false negatives?
So I did some digging. When I run cdxgen locally, I noticed the output:
Parsing /Users/erinmc/projects/aws_solutions/connected-mobility/Connected-mobility-solution-on-aws/source/modules/backstage/yarn.lock
About to fetch license information for 3237 packages in parseYarnLock
Found 4226 npm packages at .
Found 61 python packages at .
Found 0 ruby packages at .
Found 0 cpp packages at .
BOM includes 4287 components and 3979 dependencies after dedupe
BOM includes 4289 unfiltered components 3979 dependencies so far
BOM includes 4289 components and 3979 dependencies after dedupe
Is it possible that cdxgen is just looking for a single Pipfile rather than all Pipfiles?
@emcfins Nice find. I think it only looks for a single file and performs a single pipenv install.
https://github.com/CycloneDX/cdxgen/blob/4e6f8da04334fe6babd8fd627bf1b925e41b7749/index.js#L2473
https://github.com/CycloneDX/cdxgen/blob/4e6f8da04334fe6babd8fd627bf1b925e41b7749/index.js#L2625
@emcfins Let me know if you would like to sponsor or contribute this feature.
I'm happy to sponsor - what does it take?
When viewing the dependency graph for Connected Mobility Solution on AWS, it shows a total of 7,484. But when I clone the repo and run CDXGEN_DEBUG_MODE=debug FETCH_LICENSE=true cdxgen -t universal --spec-version 1.4 -o bom.json, the components section of the bom.json file only has 4289. For example, I find some dependencies missing from the sbom that are defined in the lock file here
What am I doing wrong?
Thank you
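The thread above suspects that only one Pipfile is picked up, and the original report notices packages that are pinned in a lock file but absent from bom.json. The script below is an added example for this page, not cdxgen's code and not from the project being scanned: it walks a source tree for every Pipfile.lock, collects the pinned name/version pairs from the "default" and "develop" sections, and reports those that have no matching pkg:pypi component in a CycloneDX JSON BOM. The module layout (source/modules/alpha, source/modules/beta), the package pins and the bom.json contents are constructed sample data; point missing_from_bom at a real checkout and the real bom.json to run it against a project.

```python
import json
import re
import tempfile
from pathlib import Path


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Flask_Cors' and 'flask-cors' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def locked_packages(root: Path) -> dict:
    """Walk the whole tree for Pipfile.lock files (not just one at the root)
    and return {(name, version): [lock files that pin it]}."""
    found = {}
    for lock in sorted(root.rglob("Pipfile.lock")):
        data = json.loads(lock.read_text())
        for section in ("default", "develop"):
            for name, spec in data.get(section, {}).items():
                # Pipfile.lock pins look like "==2.31.0"; strip the operator.
                version = spec.get("version", "").lstrip("=")
                key = (normalize(name), version)
                found.setdefault(key, []).append(lock.relative_to(root).as_posix())
    return found


def bom_pypi_packages(bom_path: Path) -> set:
    """Collect (name, version) for every PyPI component in a CycloneDX JSON BOM."""
    bom = json.loads(bom_path.read_text())
    return {
        (normalize(c.get("name", "")), c.get("version", ""))
        for c in bom.get("components", [])
        if c.get("purl", "").startswith("pkg:pypi/")
    }


def missing_from_bom(root: Path, bom_path: Path) -> dict:
    """Locked Python packages that the BOM does not list (the false negatives)."""
    present = bom_pypi_packages(bom_path)
    return {k: v for k, v in locked_packages(root).items() if k not in present}


def build_sample_tree() -> Path:
    """Constructed sample data (hypothetical modules alpha and beta): two
    Pipfile.lock files, and a BOM that only covers the first module."""
    root = Path(tempfile.mkdtemp())
    alpha = root / "source" / "modules" / "alpha"
    beta = root / "source" / "modules" / "beta"
    alpha.mkdir(parents=True)
    beta.mkdir(parents=True)
    (alpha / "Pipfile.lock").write_text(json.dumps({
        "default": {"requests": {"version": "==2.31.0"}, "boto3": {"version": "==1.34.0"}},
        "develop": {"pytest": {"version": "==8.0.0"}},
    }))
    (beta / "Pipfile.lock").write_text(json.dumps({
        "default": {"requests": {"version": "==2.31.0"}, "Flask_Cors": {"version": "==4.0.0"}},
        "develop": {},
    }))
    (root / "bom.json").write_text(json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
            {"type": "library", "name": "boto3", "version": "1.34.0", "purl": "pkg:pypi/boto3@1.34.0"},
            {"type": "library", "name": "pytest", "version": "8.0.0", "purl": "pkg:pypi/pytest@8.0.0"},
            {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        ],
    }))
    return root


def demo() -> dict:
    """Run the cross-check on the constructed tree; only beta's extra pin is missing."""
    root = build_sample_tree()
    return missing_from_bom(root, root / "bom.json")


if __name__ == "__main__":
    for (name, version), locks in demo().items():
        print(f"{name}=={version} missing from BOM; pinned in {', '.join(locks)}")
```

Matching on normalised name plus exact version keeps a lock-file pin of 2.31.0 from being "found" by a BOM entry at a different version, which is the kind of gap an SBOM consumer cares about; restricting to pkg:pypi purls avoids counting the npm components that dominate the BOM in this report.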