Open AJquetta opened 3 months ago
@AJquetta Can you please attach your csv file (or a sample) such that we can reproduce your issue?
PU LABEL,COMPONENT LABEL,COMPONENT TYPE,COMPONENT VENDOR,COMPONENT NAME,COMPONENT VERSION,COMPONENT STATUS
PU01,C001,LIB,esp-idf_project,esp-idf,v4.3.0,ACTIVE,
PU01,C002,LIB,mbedtls_project,mbedtls,v4.3.0,ACTIVE,
PU01,C003,LIB,lwip_project,lwip,v4.3.0,ACTIVE,
PU01,C004,OS,freertos_kernel_project,freertos_kernel,v4.3.0,ACTIVE,
PU01,C005,LIB,DaveGamble,cjson,1.7.15,ACTIVE,
PU01,C006,FRM,GNU,gcc,8.4.0,ACTIVE,
PU01,C007,LIB,Nghttp2,nghttp2,1.41.0,ACTIVE,
PU01,C008,LIB,bt_project,bt,v4.3.0,ACTIVE,
PU01,C009,LIB,newlib_project,newlib,v4.3.0,ACTIVE,
PU01,C010,LIB,Bluetooth,Bluetooth,5.0,ACTIVE,
PU01,C011,LIB,Bluetooth,mesh_profile,1.0.0,ACTIVE,
PU01,C012,LIB,Secpat,atecclib,-,ACTIVE,
PU01,C013,LIB,mqtt_project,mqtt,v4.3.0,ACTIVE,
PU01,C014,HW,Espressif,ESP32,-,ACTIVE,
Here it is. Can you try to convert it and let me know if you can, or whether there is any issue with the csv file data or something missing there?
Also, if you did convert it, can you also show me the command that you used.
Thanks.
@AJquetta The problem is your input data, or more precisely the headers. The csv file needs to adhere to the example: https://github.com/CycloneDX/cyclonedx-cli/blob/main/example.csv see also: https://github.com/CycloneDX/cyclonedx-cli/blob/03b8019b24e847b6fdc91822eae2e9a220d525fa/README.md?plain=1#L124-L135
If I modify some of the headers (I'm not sure whether there are matching properties for the others, e.g. COMPONENT VENDOR might be Supplier or Publisher):
PU LABEL,COMPONENT LABEL,Type,COMPONENT VENDOR,Name,Version,COMPONENT STATUS
and change the type to Library, Operating_System, Framework, or Device, I get a non-empty BOM.
The command that I used was:
cyclonedx.exe convert --input-file sda_mod.csv --input-format csv --output-file wwse_mod.json --output-format json --output-version v1_5
(i.e. yours looked correct).
So the problem is with the csv file? And have you made changes to the csv file that I provided? If yes, can you share them with me.
Did you only change the type to Library?
Yes, the problem is the csv file; here is the modified file that I used: sda_mod.csv
Yeah, but when I try to put the generated SBOM (converted from csv to CycloneDX) into the Snyk SBOM checker, it gives me this error: We couldn't find any Package URLs (purls) or external references containing purls in the provided SBOM.
https://snyk.io/code-checker/sbom-security/
Can you copy-paste the SBOM which you converted into this and see if it shows vulnerability detection? I tried to convert csv to CycloneDX, but I think the csv data is not complete or there is a problem with proper conversion between formats.
Well, the generated BOM is a valid BOM, but it indeed does not contain any purls, as the csv data did not contain them. If you want to have them included, you will need to provide them in a "Purl" column.
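To make the header fix and the Purl column from the two replies above concrete, here is an added Python example (not part of this issue or of cyclonedx-cli) that rewrites the posted CSV into the column names the cli's csv importer recognises. It assumes COMPONENT VENDOR maps to Supplier, treats "-" as "no version", and takes purls from a caller-supplied lookup because the cli cannot derive them; the sample rows and the example purl are constructed.

```python
import csv
import io

# Constructed sample, modelled on the CSV posted in this issue (note the
# trailing comma on each data row, which yields an eighth empty cell).
SAMPLE_CSV = """PU LABEL,COMPONENT LABEL,COMPONENT TYPE,COMPONENT VENDOR,COMPONENT NAME,COMPONENT VERSION,COMPONENT STATUS
PU01,C001,LIB,esp-idf_project,esp-idf,v4.3.0,ACTIVE,
PU01,C004,OS,freertos_kernel_project,freertos_kernel,v4.3.0,ACTIVE,
PU01,C005,LIB,DaveGamble,cjson,1.7.15,ACTIVE,
PU01,C006,FRM,GNU,gcc,8.4.0,ACTIVE,
PU01,C014,HW,Espressif,ESP32,-,ACTIVE,
"""

# Column names cyclonedx-cli's csv importer recognises (Type, Name, Version,
# Purl, Supplier). Mapping COMPONENT VENDOR to Supplier is an assumption.
HEADER_MAP = {
    "COMPONENT TYPE": "Type",
    "COMPONENT VENDOR": "Supplier",
    "COMPONENT NAME": "Name",
    "COMPONENT VERSION": "Version",
}

# Short type codes used in the posted file -> CycloneDX component types.
TYPE_MAP = {"LIB": "Library", "OS": "Operating_System", "FRM": "Framework", "HW": "Device"}


def convert_rows(text, purls=None):
    """Return the rows as dicts with cli-recognised column names and a Purl cell.

    purls: optional {component name: purl} lookup supplied by the caller; rows
    without an entry get an empty Purl cell rather than an invented one.
    """
    purls = purls or {}
    reader = csv.DictReader(io.StringIO(text), restkey="_extra")
    records = []
    for row in reader:
        row.pop("_extra", None)  # drop the empty cell created by the trailing comma
        rec = {HEADER_MAP.get(k, k): v.strip() for k, v in row.items()}
        rec["Type"] = TYPE_MAP.get(rec["Type"], rec["Type"])
        if rec["Version"] == "-":  # assumption: '-' means no version known
            rec["Version"] = ""
        rec["Purl"] = purls.get(rec["Name"], "")
        records.append(rec)
    return records


def to_csv(records):
    """Serialise the converted rows back to CSV text for cyclonedx convert."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()
```

Feed the output of to_csv to the convert command shown earlier in the thread; only rows whose Purl cell is filled will be matched by purl-based scanners such as the Snyk checker.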
okay thanks @andreas-hilti
But is it possible I can get the purls from any tool or somewhere, or do I have to ask the vendor to provide them? Or are there any open source tools that can import this csv file and generate their purls?
From where do you get your dependencies? If you use some kind of package management system, like conan, maven, pypi, nuget, etc., then you can hope to get purls automatically (but then you should actually rather use a specialized tool than rely on csv import via the cli to produce the SBOM). Otherwise, you can't hope for a tool to figure this out; how should it be able to do so (i.e. how should it be able to know from where you got the dependencies)?
Hello, I am trying to convert a csv format SBOM into CycloneDX format with version 1.4.
I am using the following command: cyclonedx convert --input-file 'Sda.txt' --input-format csv --output-file wwse.json --output-format json --output-version v1_5
but when it generates the wwse.json file, it is empty. Can anyone explain why? I also did it like this:
cyclonedx convert --input-file 'Sda.csv' --input-format csv --output-file wwse.json --output-format json --output-version v1_5
using sda.csv,
but still the same issue.