Open KUGA2 opened 4 days ago
I'm not sure if you can merge spdx files directly, might need to transform them to CycloneDx first.
Are there maybe spdx merge tools, that would offer a more native solution?
Oh, I see. Transform via cyclonedx convert, then merge. I will try.
I did a similar test with converted SBOMs but the result is the same (I guess it converted implicitly):
$ docker run --rm -v $(pwd):$(pwd) cyclonedx/cyclonedx-cli convert --input-file <vcpkg_installed>/libxml2/vcpkg.spdx.json --output-file <vcpkg_installed>/libxml2/vcpkg.cyclone.json --output-format json
$ docker run --rm -v $(pwd):$(pwd) cyclonedx/cyclonedx-cli convert --input-file <vcpkg_installed>/nanopb/vcpkg.spdx.json --output-file <vcpkg_installed>/nanopb/vcpkg.cyclone.json --output-format json
$ docker run --rm -v $(pwd):$(pwd) cyclonedx/cyclonedx-cli merge --input-files $(ls <vcpkg_installed>/*/*.cyclone.json) --output-file $(pwd)/outputs/sbom_all.json --hierarchical --name test_merge --version=1.0.0
Processing input file <vcpkg_installed>/libxml2/vcpkg.cyclone.json
Contains 8 components
Processing input file <vcpkg_installed>/nanopb/vcpkg.cyclone.json
Contains 6 components
Unhandled exception: CycloneDX.Utils.Exceptions.MissingMetadataComponentException: Required metadata (top level) component is missing from BOM.
at CycloneDX.Utils.CycloneDXUtils.HierarchicalMerge(IEnumerable`1 boms, Component bomSubject)
at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<<UseVersionOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<<UseDebugDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<<UseExceptionHandler>b__0>d.MoveNext()
Has anyone tried this?
_vcpkg generates a SPDX file containing the SBOM information for each package that is installed. The files are located in//share//vcpkg.spdx.json._
https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials
I was hoping to use this to merge them. Sadly, it does not work.
Reproduction:
(without hierarchical, it works but the result file is basically empty)
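Added example, not code from KUGA2 or from the cyclonedx-cli project: the `MissingMetadataComponentException` above is raised because `merge --hierarchical` nests each input BOM under that input's own `metadata.component`, and a SPDX document converted with `cyclonedx-cli convert` does not necessarily carry one. The script below is a pre-flight for that merge: it lists the converted BOMs that lack a subject and patches one in, taking the name and version from the package the neighbouring SPDX document `documentDescribes` (or a `DESCRIBES` relationship) and falling back to the directory name. The layout `<vcpkg_installed>/<port>/vcpkg.cyclone.json` next to `vcpkg.spdx.json`, the two sample documents, the fallback version `0.0.0` and the `bom-ref` scheme are all assumptions made for the example.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample (not real vcpkg output): the shape a converted SPDX document
# tends to have, components present but no metadata.component.
SAMPLE_CONVERTED_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"timestamp": "2024-01-01T00:00:00Z"},
    "components": [
        {"type": "library", "name": "libxml2", "version": "2.11.5"},
        {"type": "library", "name": "zlib", "version": "1.3"},
    ],
}

# Constructed minimal SPDX 2.3 document that names the subject the BOM lacks.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "libxml2-sbom",
    "documentDescribes": ["SPDXRef-port"],
    "packages": [
        {"SPDXID": "SPDXRef-port", "name": "libxml2", "versionInfo": "2.11.5"},
        {"SPDXID": "SPDXRef-binary", "name": "libxml2-binary", "versionInfo": "2.11.5"},
    ],
}


def has_metadata_component(bom):
    """True when the BOM names its own subject; hierarchical merge requires this."""
    comp = (bom.get("metadata") or {}).get("component")
    return isinstance(comp, dict) and bool(comp.get("name")) and bool(comp.get("type"))


def subject_from_spdx(spdx):
    """(name, version) of the package the SPDX document describes, or None."""
    described = list(spdx.get("documentDescribes") or [])
    for rel in spdx.get("relationships") or []:
        if rel.get("relationshipType") == "DESCRIBES":
            described.append(rel.get("relatedSpdxElement"))
    for pkg in spdx.get("packages") or []:
        if pkg.get("SPDXID") in described and pkg.get("name"):
            return pkg["name"], pkg.get("versionInfo", "")
    return None


def with_metadata_component(bom, name, version, comp_type="library"):
    """Deep copy of `bom` with metadata.component set; unchanged if already present."""
    patched = json.loads(json.dumps(bom))
    if has_metadata_component(patched):
        return patched
    patched.setdefault("metadata", {})["component"] = {
        "type": comp_type, "name": name, "version": version,
        "bom-ref": f"{name}@{version}",  # bom-ref must be unique within the BOM
    }
    return patched


def find_boms_missing_subject(paths):
    return [Path(p) for p in paths if not has_metadata_component(json.loads(Path(p).read_text()))]


def patch_tree(root, pattern="*/vcpkg.cyclone.json"):
    """Patch every converted BOM under `root` in place; return the paths touched.
    Assumed layout: <root>/<port>/vcpkg.cyclone.json beside <root>/<port>/vcpkg.spdx.json."""
    touched = []
    for bom_path in sorted(Path(root).glob(pattern)):
        bom = json.loads(bom_path.read_text())
        if has_metadata_component(bom):
            continue
        spdx_path = bom_path.with_name("vcpkg.spdx.json")
        subject = subject_from_spdx(json.loads(spdx_path.read_text())) if spdx_path.exists() else None
        name, version = subject or (bom_path.parent.name, "0.0.0")  # fallback is an assumption
        bom_path.write_text(json.dumps(with_metadata_component(bom, name, version), indent=2))
        touched.append(bom_path)
    return touched


def demo_on_temp_tree():
    """Write two constructed ports to a temp dir, check, patch, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for port, spdx in (("libxml2", SAMPLE_SPDX), ("nanopb", None)):
            (root / port).mkdir()
            (root / port / "vcpkg.cyclone.json").write_text(json.dumps(SAMPLE_CONVERTED_BOM))
            if spdx:
                (root / port / "vcpkg.spdx.json").write_text(json.dumps(spdx))
        before = len(find_boms_missing_subject(root.glob("*/vcpkg.cyclone.json")))
        touched = patch_tree(root)
        after = len(find_boms_missing_subject(root.glob("*/vcpkg.cyclone.json")))
        subjects = sorted((c["name"], c["version"]) for c in
                          (json.loads(p.read_text())["metadata"]["component"] for p in touched))
        return {"missing_before": before, "patched": len(touched), "missing_after": after, "subjects": subjects}


if __name__ == "__main__":
    import sys
    for p in patch_tree(sys.argv[1] if len(sys.argv) > 1 else "vcpkg_installed"):
        print(f"added metadata.component to {p}")
```

Run it against the directory that holds the converted files before the `merge --hierarchical` call. The subject it writes is synthesized from what the SPDX document describes, or from the directory name when no SPDX file is present, so the nesting in the merged BOM reflects that choice rather than something vcpkg asserted; check the `metadata.component` entries (and that `bom-ref` values do not collide across inputs) before treating the merged result as authoritative.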