CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[BUG] cdxgen -o bom.json returns error with node 18.20.5 #1456

Open vinkobedek opened 4 hours ago

vinkobedek commented 4 hours ago

Hi,

When I run the command "cdxgen -o bom.json" with node 18.20.5, it fails with the following. Cdxgen version is 0.11.0.

The error is as follows:

Unable to parse trivy-main/pkg/fanal/analyzer/language/nodejs/npm/testdata/sad/package-lock.json without legacy peer dependencies. Retrying ...
node:internal/errors:496
    ErrorCaptureStackTrace(err);
    ^

TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received undefined
    at new NodeError (node:internal/errors:405:5)
    at validateString (node:internal/validators:162:11)
    at join (node:path:429:7)
    at file:///C:/Users/vinko.bedek/AppData/Roaming/nvm/v18.20.5/node_modules/@cyclonedx/cdxgen/binary.js:111:25
    at ModuleJob.run (node:internal/modules/esm/module_job:195:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:337:24)
    at async loadESM (node:internal/process/esm_loader:34:7)
    at async handleMainPromise (node:internal/modules/run_main:106:12) {
  code: 'ERR_INVALID_ARG_TYPE'

Works with node 18.20.4 and works with the latest node 22; 18.20.5 seems to be problematic. Could very well be a node issue, but we are not experiencing any other issues in our codebase.

Any help is appreciated.

prabhu commented 3 hours ago

We have been node>=20 for a while now.

https://github.com/CycloneDX/cdxgen/blob/master/package.json#L59