CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[Go] cdxgen doesn't fallback into manual parsing of go.mod files #251

Closed. WDN2010 closed this issue 1 year ago

WDN2010 commented 1 year ago

Hi! Cdxgen version 5.4.3+ returns no result if the go environment is not available. Previous versions are able to fall back to manual parsing of the go.mod file.

Current result (version 8.1.4):

SCAN_DEBUG_MODE=debug cdxgen -r -t universal -o bom.json .
<...>
Parsing /home/wdn2010/myproject/cron/test/go.sum
Parsing /home/wdn2010/myproject/cron/test2/go.sum
Parsing /home/wdn2010/myproject/go.sum
Executing go list -deps in /home/wdn2010/myproject/cron/test
null null
go unexpectedly didn't return any output
Executing go list -deps in /home/wdn2010/myproject/cron/test2
null null
go unexpectedly didn't return any output
Executing go list -deps in /home/wdn2010/myproject
null null
go unexpectedly didn't return any output
Attempting to detect required packages using "go mod why" command for 0 packages
Required packages: 0
BoM includes 0 components and 0 dependencies after dedupe
BOM includes 0 unfiltered components 0 dependencies so far
BoM includes 0 components and 0 dependencies after dedupe

Expected result (version 5.4.2):

SCAN_DEBUG_MODE=debug cdxgen -r -t universal -o bom.json .
<...>
Parsing /home/wdn2010/myproject/cron/test/go.sum
Parsing /home/wdn2010/myproject/cron/test2/go.sum
Parsing /home/wdn2010/myproject/go.sum
Executing go list -deps in .
null null
go unexpectedly didn't return any output
Manually parsing go.mod files. The resultant BoM would be incomplete.
Parsing /home/wdn2010/myproject/cron/test/go.mod
Parsing /home/wdn2010/myproject/cron/test2/go.mod
Parsing /home/wdn2010/myproject/go.mod
Found 161 go packages at .
BoM includes 161 components
NOTE: To sign this SBoM for authenticity, set the environment variables SBOM_SIGN_ALGORITHM and SBOM_SIGN_PRIVATE_KEY
BOM file written to bom.json
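
The fallback the debug output above describes ("Manually parsing go.mod files"), as an added JavaScript example that is not cdxgen's own code: with no working `go list -deps`, only the direct `require` entries of each go.mod are recoverable, which is why the resulting BoM is incomplete. The sample go.mod, the `parseGoMod`/`buildBom` names and the purl formatting are my assumptions.

```javascript
// Added example, not cdxgen's own code: the go.mod fallback the "Manually
// parsing go.mod files" step relies on. Direct `require` entries only.
// Parse go.mod text into { module, requires }: single-line `require path
// version` and `require ( ... )` blocks, noting `// indirect` marks.
function parseGoMod(text) {
  const result = { module: null, requires: [] };
  let inBlock = false;
  for (const raw of text.split("\n")) {
    const indirect = /\/\/\s*indirect\b/.test(raw);
    const line = raw.replace(/\/\/.*$/, "").trim(); // drop comments
    if (!line) continue;
    if (line.startsWith("module ")) { result.module = line.slice(7).trim(); continue; }
    if (line === "require (") { inBlock = true; continue; }
    if (inBlock && line === ")") { inBlock = false; continue; }
    const spec = inBlock ? line : line.startsWith("require ") ? line.slice(8) : null;
    if (!spec) continue; // go, replace, exclude, toolchain lines are skipped
    const [path, version] = spec.trim().split(/\s+/);
    if (path && version) result.requires.push({ path, version, indirect });
  }
  return result;
}

// Build a minimal CycloneDX BOM: one component per module with a Go purl
// (pkg:golang/<module path>@<version>); the module path fills
// metadata.component so that field is not reported missing.
function buildBom(goModText) {
  const parsed = parseGoMod(goModText);
  const components = parsed.requires.map(({ path, version }) => {
    const cut = path.lastIndexOf("/");
    return { type: "library", group: cut < 0 ? "" : path.slice(0, cut),
             name: path.slice(cut + 1), version, purl: `pkg:golang/${path}@${version}` };
  });
  const metadata = parsed.module
    ? { component: { type: "application", name: parsed.module } } : {};
  return { bomFormat: "CycloneDX", specVersion: "1.4", version: 1, metadata, components };
}

// Constructed sample go.mod (not from any real project).
const SAMPLE_GO_MOD = `module example.com/myproject
go 1.20
require github.com/spf13/cobra v1.7.0
require (
\tgithub.com/hashicorp/hcl/v2 v2.17.0
\tgolang.org/x/sys v0.10.0 // indirect
)
replace github.com/spf13/cobra => ../cobra
`;
console.log(JSON.stringify(buildBom(SAMPLE_GO_MOD), null, 2));
```

The printed BoM lists three modules; transitive modules and go.sum hashes need the go toolchain, which is what the 161-component result above had and the 0-component result lacked.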

prabhu commented 1 year ago

@WDN2010, any oss repo to reproduce this issue?

WDN2010 commented 1 year ago

Any trending go project should work. For example, https://github.com/hashicorp/terraform returns 185 go components for 5.4.2 vs 0 components for 8.1.4.

prabhu commented 1 year ago

Thanks @WDN2010 for the help. Please use version 8.1.5, which includes the fix.

loschakov commented 1 year ago

Hi! I have the same thing. I use version 9.8.3. I tried using previous versions 8.1.5 and 8.6.0, but got the same result.

SCAN_DEBUG_MODE=debug cdxgen -r -t universal -o bomm.json
Scanning .
Performing babel-based package usage analysis with source code at .
Executing go list -deps in /products
go unexpectedly didn't return any output
Attempting to detect required packages using "go mod why" command for 0 packages
Required packages: 0
Manually parsing go.mod files. The resultant BoM would be incomplete.
Parsing /products/go.mod
Found 0 csharp packages at .
BoM includes 0 components and 0 dependencies after dedupe
BOM includes 0 unfiltered components 0 dependencies so far
BoM includes 0 components and 0 dependencies after dedupe
===== WARNINGS =====
[ 'metadata.component is missing.' ]

prabhu commented 1 year ago

@loschakov, is go installed? Could you share the output from go list -deps?

loschakov commented 1 year ago

I installed go and it works. Thank you