CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

converting issues #381

Open AJquetta opened 3 months ago

AJquetta commented 3 months ago

Hello, I am trying to convert a csv format SBOM into CycloneDX format with version 1.4.

I am using the following command: cyclonedx convert --input-file 'Sda.txt' --input-format csv --output-file wwse.json --output-format json --output-version v1_5

But when it generates the wwse.json file it's empty. Can anyone explain why? I also tried it like this:

cyclonedx convert --input-file 'Sda.csv' --input-format csv --output-file wwse.json --output-format json --output-version v1_5

using sda.csv,

but still the same issue.

andreas-hilti commented 3 months ago

@AJquetta Can you please attach your csv file (or a sample) such that we can reproduce your issue?

AJquetta commented 3 months ago

PU LABEL,COMPONENT LABEL,COMPONENT TYPE,COMPONENT VENDOR,COMPONENT NAME,COMPONENT VERSION,COMPONENT STATUS
PU01,C001,LIB,esp-idf_project,esp-idf,v4.3.0,ACTIVE,
PU01,C002,LIB,mbedtls_project,mbedtls,v4.3.0,ACTIVE,
PU01,C003,LIB,lwip_project,lwip,v4.3.0,ACTIVE,
PU01,C004,OS,freertos_kernel_project,freertos_kernel,v4.3.0,ACTIVE,
PU01,C005,LIB,DaveGamble,cjson,1.7.15,ACTIVE,
PU01,C006,FRM,GNU,gcc,8.4.0,ACTIVE,
PU01,C007,LIB,Nghttp2,nghttp2,1.41.0,ACTIVE,
PU01,C008,LIB,bt_project,bt,v4.3.0,ACTIVE,
PU01,C009,LIB,newlib_project,newlib,v4.3.0,ACTIVE,
PU01,C010,LIB,Bluetooth,Bluetooth,5.0,ACTIVE,
PU01,C011,LIB,Bluetooth,mesh_profile,1.0.0,ACTIVE,
PU01,C012,LIB,Secpat,atecclib,-,ACTIVE,
PU01,C013,LIB,mqtt_project,mqtt,v4.3.0,ACTIVE,
PU01,C014,HW,Espressif,ESP32,-,ACTIVE,

Here it is. Can you try to convert it and let me know if you can, or whether there is any issue with the csv file data or something is missing there?

Also, if you did convert it, can you show me the command that you used?

Thanks.

andreas-hilti commented 3 months ago

@AJquetta The problem is your input data, or more precisely the headers. The csv file needs to adhere to the example: https://github.com/CycloneDX/cyclonedx-cli/blob/main/example.csv see also: https://github.com/CycloneDX/cyclonedx-cli/blob/03b8019b24e847b6fdc91822eae2e9a220d525fa/README.md?plain=1#L124-L135

If I modify some of the headers (I'm not sure whether there are matching properties for the others, e.g. COMPONENT VENDOR might be Supplier or Publisher): PU LABEL,COMPONENT LABEL,Type,COMPONENT VENDOR,Name,Version,COMPONENT STATUS and change the type to Library, Operating_System, Framework, or Device, I get a non-empty BOM.

The command that I used was: cyclonedx.exe convert --input-file sda_mod.csv --input-format csv --output-file wwse_mod.json --output-format json --output-version v1_5 (i.e. yours looked correct).

AJquetta commented 3 months ago

So the problem is with the csv file? And have you made changes to the csv file that I provided? If yes, can you share them with me?

Did you only change type with Library?

andreas-hilti commented 3 months ago

Yes, the problem is the csv file; here is the modified file that I used: sda_mod.csv

AJquetta commented 3 months ago

Yeah, but when I try to put the generated SBOM (converted from csv to CycloneDX) into the Snyk SBOM checker it gives me this error: We couldn't find any Package URLs (purls) or external references containing purls in the provided SBOM.

https://snyk.io/code-checker/sbom-security/

Can you copy-paste the SBOM which you converted into this and see if it shows vulnerability detection? I tried to convert csv to CycloneDX, but I think the csv data is not complete or there is a problem with the proper conversion between formats.

andreas-hilti commented 3 months ago

Well, the generated BOM is a valid BOM, but it indeed does not contain any purls, as the csv data did not contain them. If you want to have them included, you will need to provide them in a "Purl" column.
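The header and type mapping described above, plus the "Purl" column, as an added example script that is not part of cyclonedx-cli and was not posted in this thread. It rewrites the vendor-style CSV from this issue into the column layout the CLI's csv importer expects; mapping COMPONENT VENDOR to "Supplier" is an assumption (the thread says it might also be "Publisher"), and the Purl column is only passed through if the input already has one, since purls cannot be derived from this data.

```python
import csv
import io

# Header names from the user's file -> column names from the CLI's example.csv
HEADER_MAP = {
    "COMPONENT VENDOR": "Supplier",   # assumption: could also be "Publisher"
    "COMPONENT NAME": "Name",
    "COMPONENT VERSION": "Version",
    "COMPONENT TYPE": "Type",
}
# Vendor type codes -> CycloneDX component types named in the thread
TYPE_MAP = {"LIB": "Library", "OS": "Operating_System",
            "FRM": "Framework", "HW": "Device"}
OUT_COLUMNS = ["Supplier", "Name", "Version", "Type", "Purl"]

# Constructed sample: a subset of the rows from this issue, keeping the
# trailing comma (8 fields under 7 headers) and the "-" versions as-is.
SAMPLE = """PU LABEL,COMPONENT LABEL,COMPONENT TYPE,COMPONENT VENDOR,COMPONENT NAME,COMPONENT VERSION,COMPONENT STATUS
PU01,C001,LIB,esp-idf_project,esp-idf,v4.3.0,ACTIVE,
PU01,C004,OS,freertos_kernel_project,freertos_kernel,v4.3.0,ACTIVE,
PU01,C006,FRM,GNU,gcc,8.4.0,ACTIVE,
PU01,C012,LIB,Secpat,atecclib,-,ACTIVE,
PU01,C014,HW,Espressif,ESP32,-,ACTIVE,
"""

def convert_rows(text):
    """Return (rows, warnings); each row is a dict keyed by OUT_COLUMNS."""
    # restkey absorbs the extra field produced by the trailing comma
    reader = csv.DictReader(io.StringIO(text), restkey="_extra")
    rows, warnings = [], []
    for n, rec in enumerate(reader, start=2):  # line 2 is the first data row
        out = {dst: (rec.get(src) or "").strip() for src, dst in HEADER_MAP.items()}
        out["Purl"] = (rec.get("Purl") or "").strip()  # optional input column
        if out["Type"] not in TYPE_MAP:
            warnings.append(f"line {n}: unknown type code {out['Type']!r}, skipped")
            continue
        out["Type"] = TYPE_MAP[out["Type"]]
        if out["Version"] in ("", "-"):
            warnings.append(f"line {n}: {out['Name']} has no usable version")
        rows.append(out)
    missing = [r["Name"] for r in rows if not r["Purl"]]
    if missing:  # without purls, vulnerability matching cannot identify these
        warnings.append(f"{len(missing)} component(s) have no purl: {', '.join(missing)}")
    return rows, warnings

def to_csv(rows):
    """Serialize converted rows with the header the CLI importer expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=OUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Feed the output of to_csv() to "cyclonedx convert --input-format csv" as in the thread; the warnings list tells you which components a scanner will still be unable to match.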

AJquetta commented 3 months ago

Okay, thanks @andreas-hilti

AJquetta commented 3 months ago

Well, the generated BOM is a valid BOM, but it indeed does not contain any purls, as the csv data did not contain them. If you want to have them included, you will need to provide them in a "Purl" column.

But is it possible I can get the purls from any tool or somewhere, or is it that I have to ask the vendor to provide them? Or are there any open source tools that can import this csv file and generate their purls?

andreas-hilti commented 3 months ago

From where do you get your dependencies? If you use some kind of package management system, like conan, maven, pypi, nuget, etc., then you can hope to get purls automatically (but then you should actually rather use a specialized tool than rely on csv import via the cli to produce the SBOM). Otherwise, you can't hope for a tool to figure this out; how should it be able to do so (i.e. how should it be able to know from where you got the dependencies)?