Open robertlagrant opened 1 year ago
"Subject" just refers to the metadata.component element of the BOM. metadata.component should be populated by every SBOM generator by default. It will have the details of the project you generated the SBOM for.
The reason for this requirement is that you can't create a hierarchical structure out of two things that do not have an identity themselves.
Thanks - I can try and add it in manually. Now I know what to look for, I can see the NPM tool does it, but the Python tool doesn't.
The Python metadata:
% cat cyclonedx.json | jq '.["metadata"]'
{
  "timestamp": "2023-03-09T09:45:00.033550+00:00",
  "tools": [
    {
      "vendor": "CycloneDX",
      "name": "cyclonedx-bom",
      "version": "3.11.0"
    },
    {
      "vendor": "CycloneDX",
      "name": "cyclonedx-python-lib",
      "version": "3.1.5",
      "externalReferences": [
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions",
          "type": "build-system"
        },
        {
          "url": "https://pypi.org/project/cyclonedx-python-lib/",
          "type": "distribution"
        },
        {
          "url": "https://cyclonedx.github.io/cyclonedx-python-lib/",
          "type": "documentation"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues",
          "type": "issue-tracker"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE",
          "type": "license"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md",
          "type": "release-notes"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib",
          "type": "vcs"
        },
        {
          "url": "https://cyclonedx.org",
          "type": "website"
        }
      ]
    }
  ]
}
Given the above, I think I'd suggest two changes:
Processing input file fe.cyclonedx.json
Contains 694 components
Processing input file cyclonedx.json
Contains 58 components
Unhandled exception: CycloneDX.Utils.Exceptions.MissingMetadataComponentException: Required metadata (top level) component is missing from BOM urn:uuid:6cb39f39-bd95-401a-ac13-0176b71db09a.
at CycloneDX.Utils.CycloneDXUtils.HierarchicalMerge(IEnumerable`1 boms, Component bomSubject)
at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<<UseVersionOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<<UseDebugDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<<UseExceptionHandler>b__0>d.MoveNext()
%
Noticed this is an open bug in the library repo: https://github.com/CycloneDX/cyclonedx-python/issues/391
Not a bug, but a feature nobody was ever willing to contribute. Pull requests are welcome.
The documentation states:
There are no details here as to what this should look like.
When I go to the Python command cyclonedx-bom, I don't see any options for adding this:
Same with the Node equivalent, @cyclonedx/cyclonedx-npm:
I also can't see a way in this tool to add this metadata information to an existing BOM.
Any guidance greatly appreciated. It would be good to turn it into documentation (and/or added to BOM generation tools).
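A small script, added here as an example and not code from cyclonedx-cli, cyclonedx-bom or this thread's participants, that checks an existing JSON BOM for the metadata.component "subject" and injects one so that the hierarchical merge (HierarchicalMerge in the trace above) has an identity to work with. The sample BOM, the project name and the purl-style bom-ref are constructed assumptions.

```python
import json
import sys

# Constructed sample: a BOM shaped like the cyclonedx-bom 3.x output above,
# with metadata.tools populated but no metadata.component (the "subject").
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {
        "timestamp": "2023-03-09T09:45:00+00:00",
        "tools": [{"vendor": "CycloneDX", "name": "cyclonedx-bom", "version": "3.11.0"}],
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.2",
         "purl": "pkg:pypi/requests@2.28.2"},
    ],
}


def has_subject(bom: dict) -> bool:
    """True if the BOM carries a usable metadata.component (type and name are required)."""
    comp = bom.get("metadata", {}).get("component")
    return isinstance(comp, dict) and bool(comp.get("name")) and bool(comp.get("type"))


def add_subject(bom: dict, name: str, version: str, component_type: str = "application") -> dict:
    """Return a deep copy of bom with metadata.component filled in; an existing subject is kept.
    The bom-ref lets the merged hierarchy point at this sub-BOM's subject by reference;
    a purl is used here (assumption: a Python project), any unique string will do."""
    out = json.loads(json.dumps(bom))  # deep copy, leave the caller's dict alone
    if has_subject(out):
        return out
    out.setdefault("metadata", {})["component"] = {
        "type": component_type,
        "bom-ref": f"pkg:pypi/{name}@{version}",
        "name": name,
        "version": version,
    }
    return out


if __name__ == "__main__":
    # usage: python add_subject.py in.json out.json project-name project-version
    src, dst, proj, ver = sys.argv[1:5]
    with open(src) as f:
        patched = add_subject(json.load(f), proj, ver)
    with open(dst, "w") as f:
        json.dump(patched, f, indent=2)
```

Run it over each sub-BOM before merging; the "Required metadata (top level) component is missing" error above is exactly the case where has_subject() returns False.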