CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Converting spdx (obtained via docker-scout) to cyclonedx results in empty file #373

Open ghost opened 5 months ago

ghost commented 5 months ago

I'm trying to convert an SPDX BOM (obtained via docker-scout) into a CycloneDX file. However, the generated CycloneDX is ~empty! Here's how to reproduce:

1. Obtain the SPDX file:
   ```shell
   docker-scout sbom --format json quay.io/mongodb/mongodb-community-server:7.0.0-ubi8 > /tmp/input.json
   ```
2. Run the converter:
   ```shell
   ./cyclonedx-linux-arm64 convert --input-file /tmp/input.json --output-file /tmp/foo.json --output-version v1_5
   ```
3. The output looks like this:
   ```json
   {
     "bomFormat": "CycloneDX",
     "specVersion": "1.5",
     "vulnerabilities": []
   }
   ```
   (It should have a whole lot of info in there!)

I'm hoping that I'm just misunderstanding some basic aspect of how to invoke this tool. Any pointers are appreciated!

cc: @trevor159

andreas-hilti commented 5 months ago

@stevegrossmongodb Does specifying the input format using --input-format spdxjson help? (The autodetection is not as good as you'd hope for.) If not, are you able to attach the input.json to reproduce it slightly easier?

ghost commented 5 months ago

We finally got it working with these arguments:

```shell
# Input format given explicitly (spdxjson) instead of relying on autodetection;
# the SPDX document is piped in on stdin and the CycloneDX JSON goes to stdout.
cat input_obtained_from_docker_scout | \
<cyclonedx_bin> \
  convert \
  --output-version 1_5 \
  --input-format spdxjson \
  --output-format json
```
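The failure mode in this thread is a conversion that succeeds with exit code 0 but silently drops every package, which is easy to miss in a supply-chain pipeline. The script below is an added example, not code from the cyclonedx-cli project: it picks the `--input-format` value (`spdxjson` or `json`) from the document's top-level marker keys, then compares the number of SPDX packages against the number of CycloneDX components so an empty result like the one above is caught. The sample SPDX and CycloneDX documents are constructed for the example, and the `metadata`/`components` checks are assumptions about what a non-trivial CycloneDX BOM should contain.

```python
import json
import sys

# Constructed sample inputs (not taken from the issue): a minimal SPDX 2.3 JSON
# document with two packages, and the empty CycloneDX 1.5 output the reporter saw.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-sample",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13"},
    ],
}
EMPTY_CDX_OUTPUT = {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": []}


def detect_sbom_format(doc):
    """Return the cyclonedx-cli --input-format value for a parsed JSON SBOM.

    SPDX JSON documents carry a top-level 'spdxVersion'; CycloneDX JSON carries
    'bomFormat': 'CycloneDX'. Anything else is reported as None so the caller
    can fail loudly instead of trusting autodetection.
    """
    if not isinstance(doc, dict):
        return None
    if "spdxVersion" in doc:
        return "spdxjson"
    if doc.get("bomFormat") == "CycloneDX":
        return "json"
    return None


def component_count(cdx_doc):
    """Number of components in a CycloneDX JSON document (0 if the key is absent)."""
    return len(cdx_doc.get("components") or [])


def check_conversion(spdx_doc, cdx_doc):
    """Compare an SPDX input with its CycloneDX conversion.

    Returns a list of problem strings; an empty list means the conversion
    looks sane (assumption: each SPDX package should become one component).
    """
    problems = []
    expected = len(spdx_doc.get("packages") or [])
    got = component_count(cdx_doc)
    if cdx_doc.get("bomFormat") != "CycloneDX":
        problems.append("output is not a CycloneDX document")
    if expected and got == 0:
        problems.append(f"input had {expected} packages but output has no components")
    elif got < expected:
        problems.append(f"only {got} of {expected} packages survived conversion")
    if "metadata" not in cdx_doc:
        problems.append("output has no metadata block")
    return problems


def main(argv):
    """Usage: check_sbom_conversion.py input.json converted.json"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    with open(argv[1]) as fh:
        spdx_doc = json.load(fh)
    with open(argv[2]) as fh:
        cdx_doc = json.load(fh)
    fmt = detect_sbom_format(spdx_doc)
    print(f"input format: {fmt} (pass this as --input-format)")
    problems = check_conversion(spdx_doc, cdx_doc)
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the `convert` step with the original SPDX file and the converted output; a non-zero exit in CI is the signal that the converter produced the empty shell shown in the issue rather than a usable BOM.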