OpenRailAssociation / compliance-assistant

Toolset that helps you with creating and interacting with SBOMs, enriching with licensing and copyright information, and checking for Open Source license compliance
Apache License 2.0

Error when running sbom-generate #17

Open Tristramg opened 1 month ago

Tristramg commented 1 month ago

On Linux (Arch Linux):

❯ pipx --version
1.6.0
❯ python --version
Python 3.12.3
❯ git clone https://github.com/osrd-project/liblrs.git
❯ cd liblrs/
❯ pipx run compliance-assistant -v sbom-generate -d . -o ./sbom_data/bom.json

DEBUG: Trying paths: ['/home/tristram/.docker/config.json', '/home/tristram/.dockercfg']
DEBUG: No config file found
DEBUG: Trying paths: ['/home/tristram/.docker/config.json', '/home/tristram/.dockercfg']
DEBUG: No config file found
DEBUG: http://localhost:None "GET /version HTTP/11" 200 782
INFO: Generating SBOM for /home/tristram/travail/sncf/temp_test/liblrs using cdxgen
DEBUG: Running image 'ghcr.io/cyclonedx/cdxgen' on directory '/home/tristram/travail/sncf/temp_test/liblrs' with name 'liblrs_68f9d4' and output '/tmp/tmp06eblbtz'
DEBUG: http://localhost:None "POST /v1.45/containers/create?name=liblrs_68f9d4 HTTP/11" 201 88
DEBUG: http://localhost:None "GET /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/json HTTP/11" 200 None
DEBUG: http://localhost:None "POST /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/start HTTP/11" 204 0
DEBUG: http://localhost:None "GET /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/logs?stderr=0&stdout=1&timestamps=0&follow=1&tail=all HTTP/11" 200 None
DEBUG: http://localhost:None "GET /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/json HTTP/11" 200 None
DEBUG: http://localhost:None "POST /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/wait HTTP/11" 200 None
DEBUG: http://localhost:None "GET /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/logs?stderr=1&stdout=0&timestamps=0&follow=0&tail=all HTTP/11" 200 None
DEBUG: http://localhost:None "GET /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f/json HTTP/11" 200 None
DEBUG: http://localhost:None "DELETE /v1.45/containers/a4dd569272c9f5fa423408cdf00f8334392a5bb2f45dbc05bb381d0701c0330f?v=False&link=False&force=False HTTP/11" 204 0
CRITICAL: Docker container wasn't able to start: Command '['-r', '/app', '-o', '/sbom_data/tmp06eblbtz']' in image 'ghcr.io/cyclonedx/cdxgen' returned non-zero exit status 1: b''

When running the Docker container by hand:

❯ docker run --rm  -v .:/app:rw -v ./sbom_data:/sbom_data -t ghcr.io/cyclonedx/cdxgen -r /app -o /sbom_data/sbom.json

The file is generated as expected.

mxmehl commented 2 weeks ago

I cannot reproduce this error and have no idea why the Docker container exits with 1. May I ask you to do the following to ensure we're using the same environment?

  1. docker pull ghcr.io/cyclonedx/cdxgen to use the latest image
  2. pipx upgrade compliance-assistant to ensure you're using version 3.x of this tool
  3. Use the new command structure, and ensure the file is created in the same directory: pipx run compliance-assistant sbom generate -d . -o bom.json -v

In any case, you're also free to use any other tool that generates a CycloneDX SBOM, and enrich the data on top of that (using the sbom enrich command). For example, syft: syft scan . -o cyclonedx-json > bom.json. I will work towards making this clear in the documentation, and extend the sbom generate command to support more than just cdxgen in Docker.
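
A sanity check for a `bom.json` produced by any of the generators mentioned in this thread, run before enrichment. This is an added example, not part of the issue or of compliance-assistant's code. The `check_bom` helper and the sample document are constructed for illustration; the field names (`bomFormat`, `specVersion`, `components`, `purl`, `licenses`) are those of the CycloneDX JSON format.

```python
import json

# Constructed sample: a minimal CycloneDX JSON document with made-up
# components, not real output from cdxgen or syft.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "alpha", "version": "0.1.0",
         "purl": "pkg:cargo/alpha@0.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "beta", "version": "0.2.0",
         "purl": "pkg:cargo/beta@0.2.0"},
        {"type": "library", "name": "gamma", "version": "0.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})


def check_bom(text):
    """Return (problems, unlicensed, no_purl) for a CycloneDX JSON string."""
    problems, unlicensed, no_purl = [], [], []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        # An empty or truncated file left by a failed generator run ends here.
        return [f"not valid JSON: {exc.msg}"], unlicensed, no_purl
    if not isinstance(bom, dict):
        return ["top level is not a JSON object"], unlicensed, no_purl
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        problems.append("specVersion is missing")
    components = bom.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components listed")
        components = []
    for comp in components:
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if not comp.get("purl"):
            no_purl.append(label)  # no package URL to identify the component
        has_license = any(
            entry.get("expression")
            or (entry.get("license") or {}).get("id")
            or (entry.get("license") or {}).get("name")
            for entry in comp.get("licenses", [])
        )
        if not has_license:
            unlicensed.append(label)  # no license data recorded yet
    return problems, unlicensed, no_purl
```

To check a real file, pass its contents: `check_bom(open("bom.json").read())`.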