CycloneDX / cyclonedx-gomod

Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
https://cyclonedx.org
Apache License 2.0

Display errors from go command #476

Open victorc-cylus opened 2 months ago

victorc-cylus commented 2 months ago

First of all, thank you for this amazing project.

Consider the following command: cyclonedx-gomod mod -verbose=true -json=true -assert-licenses -licenses=true -output "/tmp/sbom/core.json" core

You can see thanks to -verbose=true the go commands that cyclonedx-gomod runs behind the scenes:

5:30PM DBG executing command cmd="/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go" dir=core
5:30PM DBG loading vendored modules includeTest=false moduleDir=core
5:30PM DBG executing command cmd="/usr/local/go/bin/go mod vendor -v -e" dir=core
5:30PM DBG filtering modules includeTest=false moduleCount=207 moduleDir=core
...

I have a process that runs non-interactively to produce the SBOMs. When it failed, I accessed the machine it ran on, but the same behavior could not be reproduced. This is because when the shell is running interactively, it changes its behavior in several ways: https://www.gnu.org/software/bash/manual/html_node/Interactive-Shell-Behavior.html

My method to troubleshoot this issue was to run the cyclonedx-gomod command in the interactive session (which succeeds) with the -verbose option, to see which go commands it is running, and to add these go commands to my non-interactive workflow. By running go without cyclonedx, I could see the actual error I ran into, which was very simple and caused by the difference in environment variables present in the interactive vs. non-interactive session: go: github.com/google/gopacket@v1.1.19: neither GOPATH nor GOMODCACHE are set

Currently cyclonedx-gomod doesn't show the errors from the go commands it runs:

ERR error="failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1"

I think it would be a great help to people who use this project if they could see what went wrong behind the scenes rather than just seeing "go exited with error code 1".

I looked at the -help files for cyclonedx and I didn't find anything like this. Let me know if I missed it, and if it doesn't exist yet, please consider adding it. Thanks.

mcombuechen commented 2 months ago

Hey @victorc-cylus, did you mean to open this issue in https://github.com/CycloneDX/cyclonedx-gomod ?

nscuro commented 2 months ago

Not sure what could be missing here. We already forward stderr output to our logger for go mod why invocations:

https://github.com/CycloneDX/cyclonedx-gomod/blob/5e81aff27ede8e8978b3c92b9761fc467842323f/internal/gocmd/gocmd.go#L118-L127

Go should not be writing errors to stdout - if it does it is inconsistent with how it behaves in other commands.
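
Added example, not part of the thread and not cyclonedx-gomod's code: one way a Go wrapper can attach a child command's stderr to the error it returns, run under an explicitly minimal environment like the non-interactive job described in this issue. `runWithEnv`, `CommandError`, the `sh` script standing in for the go command, and the paths are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// standIn is a constructed stand-in for the failing go invocation: it fails
// with the message quoted in the issue when neither variable is present.
const standIn = `if [ -z "$GOPATH" ] && [ -z "$GOMODCACHE" ]; then
  echo "go: neither GOPATH nor GOMODCACHE are set" >&2; exit 1
fi`

// CommandError keeps the child's exit code together with what it wrote to stderr.
type CommandError struct {
	Cmd      string
	ExitCode int
	Stderr   string
}

func (e *CommandError) Error() string {
	return fmt.Sprintf("command `%s` failed: exit status %d: %s", e.Cmd, e.ExitCode, e.Stderr)
}

// runWithEnv runs the command with exactly env (nothing inherited), as a
// non-interactive job would, and returns stderr inside the error on failure.
func runWithEnv(env []string, name string, args ...string) error {
	cmd := exec.Command(name, args...)
	cmd.Env = env
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	err := cmd.Run()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return &CommandError{name, exitErr.ExitCode(), strings.TrimSpace(stderr.String())}
	}
	return err // nil on success, or a start failure such as "executable file not found"
}

func main() {
	bare := []string{"PATH=/usr/bin:/bin"} // assumed minimal job environment
	fmt.Println(runWithEnv(bare, "sh", "-c", standIn))
	fmt.Println(runWithEnv(append(bare, "GOMODCACHE=/tmp/modcache"), "sh", "-c", standIn))
}
```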