CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Getting "must NOT have additional properties" while generating sbom #485

Closed mikamp116 closed 1 year ago

mikamp116 commented 1 year ago

I am trying to generate an SBOM for a Java project and I get the following error:

Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /Users/****
Fallback to executing mvn dependency:tree -DoutputFile=/var/folders/ch/c299n4ss7cgcgt8fkdvnpvgh0000gn/T/cdxmvn-Kr5T5D/mvn-tree.txt
[
  {
    instancePath: '/metadata/component',
    schemaPath: '#/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'qualifiers' },
    message: 'must NOT have additional properties'
  }
]

I have executed the following command

cdxgen -t java

This looks very similar to issue #443.

NodeJS version: 20.5.1
cdxgen version: 9.5.0

prabhu commented 1 year ago

@mikamp116 just pushed a fix. Could you test with the branch fix/fineract-subcomp?

git clone https://github.com/CycloneDX/cdxgen
git checkout fix/fineract-subcomp
npm install
node bin/cdxgen.js -t java -o bom.json <path>

mikamp116 commented 1 year ago

Hi @prabhu ,

Thank you for the quick answer, I just did and I get the following error:

node:internal/modules/esm/resolve:188
  const resolvedOption = FSLegacyMainResolve(packageJsonUrlString, packageConfig.main, baseStringified);
                         ^

Error: Cannot find package '/Users/{user}/repos/cdxgen/node_modules/connect/package.json' imported from /Users/{user}/repos/cdxgen/server.js
    at legacyMainResolve (node:internal/modules/esm/resolve:188:26)
    at packageResolve (node:internal/modules/esm/resolve:769:14)
    at moduleResolve (node:internal/modules/esm/resolve:831:20)
    at defaultResolve (node:internal/modules/esm/resolve:1036:11)
    at DefaultModuleLoader.resolve (node:internal/modules/esm/loader:251:12)
    at DefaultModuleLoader.getModuleJob (node:internal/modules/esm/loader:140:32)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:76:33)
    at link (node:internal/modules/esm/module_job:75:36) {
  code: 'ERR_MODULE_NOT_FOUND'
}

Node.js v20.5.1

I don't know if it is a problem in the app or in my current setup.

Thanks

prabhu commented 1 year ago

@mikamp116 Not seen this error before (guessing npm install is ignoring optional dependencies?). What if we try installing globally?

git clone https://github.com/CycloneDX/cdxgen
git checkout fix/fineract-subcomp
npm install
sudo npm uninstall -g @cyclonedx/cdxgen
sudo npm install -g .
cdxgen -t java -o bom.json <path>

Alternatively, is there a public project to reproduce this?

mikamp116 commented 1 year ago

Awesome @prabhu, that worked.

I got rid of that error, but the execution keeps falling back from mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom to mvn dependency:tree, and this makes a mess in my Dependency Track instance.

Here is the output:

Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /Users/*****
Fallback to executing mvn dependency:tree -DoutputFile=/var/folders/ch/c299n4ss7cgcgt8fkdvnpvgh0000gn/T/cdxmvn-nrC912/mvn-tree.txt

Do you know why the fallback happens and how to prevent it?

Thanks in advance

prabhu commented 1 year ago

@mikamp116 Can you invoke that mvn command and see if any errors are reported?

mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q

Successfully running this command must produce bom.json files in the target directory.

Our discord link in case you wish to share any logs privately - https://discord.gg/pF4BYWEJcS

mikamp116 commented 1 year ago

Of course. I already tried it this morning and surprisingly it is not reporting any error, just a warning. Here is the output:

[INFO] -------------< ***-service-poc-app >-------------
[INFO] Building ***-service-poc-app 1.1.x.0-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- cyclonedx:2.7.9:makeAggregateBom (default-cli) @ ***-service-poc-app ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.4
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : true
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] outputReactorProjects  : true
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 223 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /{path}/***-service-poc-app/bom.xml
[INFO]            attaching as ***-service-poc-app-1.1.x.0-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /{path}/***-service-poc-app/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as ***-service-poc-app-1.1.x.0-SNAPSHOT-cyclonedx.json
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.209 s
[INFO] ------------------------------------------------------------------------

Note: I get this output when I run the command without the -q flag. If I attach that flag, the output is empty.

Edit: thank you for the Discord link, I feel comfortable sharing the output via this channel.

prabhu commented 1 year ago

@mikamp116 Is the output inside the target directory? cdxgen searches only that directory right now.

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L1173
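The two failure modes in this thread (the plugin writing bom.json outside target/, so cdxgen never finds it and falls back to dependency:tree, and a stray 'qualifiers' key on /metadata/component tripping the additionalProperties check) can be reproduced offline. The following is an added example, not cdxgen's own code: find_bom, validate_metadata_component, demo and the ALLOWED_COMPONENT_KEYS set are my own names, and the key list is my reading of the CycloneDX 1.4 component schema, so treat it as an assumption.

```python
import json
import tempfile
from pathlib import Path

# Properties the CycloneDX 1.4 schema allows on a component (my reading of the
# schema; treat as an assumption). 'qualifiers' is a purl field, not a component
# property, which is why ajv rejects it under additionalProperties.
ALLOWED_COMPONENT_KEYS = {
    "type", "mime-type", "bom-ref", "supplier", "author", "publisher", "group",
    "name", "version", "description", "scope", "hashes", "licenses", "copyright",
    "cpe", "purl", "swid", "modified", "pedigree", "externalReferences",
    "components", "evidence", "releaseNotes", "properties", "signature",
}

def find_bom(project_dir, output_name="bom"):
    """Look for <output_name>.json in target/ first (where cdxgen looks), then in
    the module root (where the plugin wrote it in this issue). Returns the path
    and a flag saying whether it sat in the expected target/ location."""
    root = Path(project_dir)
    for subdir, in_target in (("target", True), ("", False)):
        candidate = root / subdir / f"{output_name}.json"
        if candidate.is_file():
            return candidate, in_target
    return None, False

def validate_metadata_component(bom):
    """Report unknown keys on /metadata/component in the shape ajv uses."""
    component = bom.get("metadata", {}).get("component", {})
    return [
        {"instancePath": "/metadata/component",
         "schemaPath": "#/additionalProperties",
         "keyword": "additionalProperties",
         "params": {"additionalProperty": key},
         "message": "must NOT have additional properties"}
        for key in sorted(set(component) - ALLOWED_COMPONENT_KEYS)
    ]

def demo():
    """Constructed sample: the plugin wrote bom.json to the module root, and the
    metadata component carries a stray 'qualifiers' key."""
    sample = {"bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": {
        "component": {"type": "application", "name": "java-service-poc-app",
                      "version": "1.1.x.0-SNAPSHOT", "qualifiers": {"type": "jar"}}}}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "target").mkdir()          # empty, as cdxgen would find it
        (Path(tmp) / "bom.json").write_text(json.dumps(sample))
        path, in_target = find_bom(tmp)
        errors = validate_metadata_component(json.loads(path.read_text()))
    return in_target, [e["params"]["additionalProperty"] for e in errors]
```

demo() returns (False, ['qualifiers']): the BOM exists but not where cdxgen searches, and its metadata component would fail schema validation.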

mikamp116 commented 1 year ago

Hi @prabhu ,

Sorry, I didn't understand your last message. Any clue on why the execution is falling back from mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom to mvn dependency:tree?

prabhu commented 1 year ago

@mikamp116 Suspecting that makeAggregateBom is creating the bom json files in a non-standard directory. Can you share the full path to the generated files?

mikamp116 commented 1 year ago

Ofc

[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 181 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /Users/mikamp116/sca/java-service-poc/java-service-poc-app/bom.xml
[INFO]            attaching as java-service-poc-app-1.1.x.0-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /Users/mikamp116/sca/java-service-poc/java-service-poc-app/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as java-service-poc-app-1.1.x.0-SNAPSHOT-cyclonedx.json

So it's not inside the /target folder.

prabhu commented 1 year ago

Thanks @mikamp116 for confirming. Let me create a new ticket and share a PR to fix this.