search

HaRo87 / mdbom

Software Bill of Material (SBOM) to Markdown conversion
MIT License
9 stars 3 forks source link

Command fails to run #18

Open huntantr opened 3 years ago

huntantr commented 3 years ago

Describe the bug Following the steps outlined on https://haro87.github.io/mdbom/0.2.2/install/, I get the following error when trying to run the generation command: Traceback (most recent call last): File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\runpy.py", line 192, in _run_module_as_main return _run_code(code, main_globals, None, File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\runpy.py", line 85, in _run_code exec(code, run_globals) File "C:\Users\anthony.hunter.000\AppData\Local\Programs\Python\Python38\Scripts\mdb.exe__main.py", line 9, in File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 829, in call__ return self.main(args, kwargs) File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 782, in main rv = self.invoke(ctx) File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 1259, in invoke return _process_result(sub_ctx.command.invoke(sub_ctx)) File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 1066, in invoke return ctx.invoke(self.callback, ctx.params) File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 610, in invoke return callback(args, **kwargs) File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\mdbom\mdbom.py", line 96, in generate packages = processors[proc_type].get_packages_from_bom( File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\mdbom\bom\processor.py", line 54, in get_packages_from_bom for component_license in component[LICENSES_ID]: KeyError: 'licenses'

To Reproduce Steps to reproduce the behavior:

  1. Follow all of the install steps from https://haro87.github.io/mdbom/0.2.2/install/
  2. Run the generation command from: https://haro87.github.io/mdbom/0.2.2/markdown/
  3. See error

Expected behavior Expecting the markdown file to be generated

System (please complete the following information):

HaRo87 commented 3 years ago

Thanks @huntantr for your bug report. I just stumbled on the same issue. There were some recent changes in cyclonedx-py which broke the format. I will have a closer look. For the time being you can pin cyclonedx-py to 0.4.3 which is supported by mdbom.

And sorry for the late reply!

huntantr commented 3 years ago

I am actually using cyclonedx-dotnet to generate my sbom. Is there a different version of it that I should use?

HaRo87 commented 3 years ago

Ah, interesting. Did that ever work for you, or did you try MdBOM for the first time? Because I state here that it currently supports pypi anf npm. No .NET support at this time. That would be a new feature request. 😉

coderpatros commented 3 years ago

I haven't really looked into this particular case. But, from memory, there's a bunch of older packages on nuget that don't supply license information. Or maybe it isn't well structured. Looks like that might be the problem with parsing here. So the CycloneDX .NET tool sometimes generates what is technically not a valid BOM.

@HaRo87 I see that you are using the pypi and npm options to generate a URL to the relevant package repository page.

All the CycloneDX implementations should be populating package URLs for components. Maybe that could be used to determine the type at the component level instead of the BOM level? That would be especially useful for polyglot applications that might have, for example, npm packages for the front end and something else for the back end.

Another option, is that the relevant URLs could be populated by the CycloneDX tooling as an external reference for each component. Then you could just include that and shouldn't need any special ecosystem specific handling.

huntantr commented 3 years ago

@HaRo87, yes this is the very first time. New to this kind of tool, and didn't clearly understand that information on the site. The company I work for mainly develops in .Net (and C/C++), so I don't have anything in python or npm to scan with one of the CycloneDX tools. Was more looking into your tool to see if I could utilize it somewhere in the SBOM process we are developing

HaRo87 commented 2 years ago

Hi @huntantr, sorry that it was silent for so long but I did not manage to find any time working on MdBOM for quite some time. I've done some changes and could now implement the dotnet compatibility. If you're still interested it would be nice to get a sample BOM as JSON from the dotnet ecosystem. I am not a dotnet developer and thus do not have any setup.