Using diff command always produces empty output even if there are changes in SBOM's provided as inputs.

[bharathkolanda]

When i use "cyclonedx diff newBOM.json oldBOM.json > sbomDiff.txt" always produces empty sbomDiff.txt file even if there are differences.

If i use the option --component-versions the i get an "Unhandled exception: System.ArgumentNullException: Value cannot be null. (Parameter 'collection')"

When i tried to convert json to xml, conversion succeeds but the converted xml file is empty.

[andreas-hilti]

@bharathkolanda Can you please attach your BOM files (or samples) such that we can reproduce your issue?

[bharathkolanda]

@andreas-hilti : Please find the details below existing-bom.json standard-bom.json sbomDiff.txt

And my ci pipeline looks as below sbom-diff: stage: check-sbom

needs:

- scp-codescanner-check

image: name: cyclonedx/cyclonedx-cli:latest@sha256:269b82d4346362cbd2b1830bceece5e8a7e00921fa26ebba1c9e7291ea772be0 entrypoint: [""] script:

• newSBOM=$(find . -iname standard-bom.json)
• oldSBOM=$(find . -iname existing-bom.json)
• cyclonedx diff $newSBOM $oldSBOM --output-format text > sbomDiff.txt

  - cat sbomDiff.txt

  - exit $(grep ^[+-] sbomDiff.txt | wc -l)

  artifacts: when: always paths:

  • sbomDiff.txt
  • ./**/standard-bom.json
  • ./**/existing-bom.json

[andreas-hilti]

@bharathkolanda The two files are not valid cyclonedx BOM files. I think you need to specify the correct output file format when generating the BOMs (maybe --cyclonedx).