advanced-security / gh-sbom

Generate SBOMs with gh CLI
MIT License
164 stars 13 forks

Fails to generate SBOM #4

Open anthonyharrison opened 1 year ago

anthonyharrison commented 1 year ago

Tried on a Python repository and I get a runtime failure.

panic: runtime error: slice bounds out of range [2:0]

goroutine 1 [running]:
github.com/advanced-security/gh-sbom/pkg/dependency-graph.makeQuery({0x7a1f08, 0xc000068440}, {0x7fffd27c522b, 0xf}, {0x7fffd27c523b, 0x4}, 0x0, 0x0, 0xc000101a70, 0xc00011b7e0)
    github.com/advanced-security/gh-sbom/pkg/dependency-graph/client.go:86 +0x7c6
github.com/advanced-security/gh-sbom/pkg/dependency-graph.GetDependencies({0x7fffd27c522b, 0xf}, {0x7fffd27c523b, 0x4})
    github.com/advanced-security/gh-sbom/pkg/dependency-graph/client.go:56 +0x1d3
main.main()
    github.com/advanced-security/gh-sbom/main.go:179 +0x1df

foamdino commented 1 year ago

I get a similar issue with a repository with a pom.xml - seems to be an issue at line 88 - however a recent commit looks like it attempts to address the issue.

steiza commented 1 year ago

Yes, I think I fixed the issue with https://github.com/advanced-security/gh-sbom/commit/2bbc35549eba23bd6d7d8d12f4dc1eb0c5f0ea8f / https://github.com/advanced-security/gh-sbom/releases/tag/v0.0.7.

You can install the latest version with:

$ gh ext remove advanced-security/gh-sbom
$ gh ext install advanced-security/gh-sbom

But let me know.

If the repository is public, and you're willing to share (or just the requirements.txt / pom.xml file), I could test this fix that way as well.

Thanks for the bug report!

anthonyharrison commented 1 year ago

@steiza Reinstalling the updated module results in the application no longer crashing and an SBOM being generated. However, the generated SBOM doesn't include any version information or any license information (just reported as NOASSERTION). It also only reports direct dependencies. The requirements.txt file does not contain any version pinning.

I have tried it on another repository which has many more dependencies in its requirements.txt file, and while an SBOM is generated it does not contain any of the dependent package information. This is because it is a forked repository.

steiza commented 1 year ago

> However, the generated SBOM doesn't include any version information or any license information (just reported as NOASSERTION). It also only reports direct dependencies. The requirements.txt file does not contain any version pinning.

Yes, so if you aren't pinning your dependency versions, you won't know what versions are selected until build time, and so you'll probably want to use a build-time (or post-build composition analysis) tool to generate your SBOMs.

That said, I did add the tool version to the SBOM: https://github.com/advanced-security/gh-sbom/commit/54471b274945e132637e6b610dcabf7581450438

As well as the license of the repository: https://github.com/advanced-security/gh-sbom/commit/9944dd22a6cfcbda5d4daf23ccdc274bee2f0a36

... in case that's what you were referring to.

> I have tried it on another repository which has many more dependencies in its requirements.txt file, and while an SBOM is generated it does not contain any of the dependent package information.

This tool uses the Dependency Graph API, and so if you don't have Dependency Graph enabled on your repository (regardless of if it's forked or not), it won't be able to get any information. I added a (hopefully) helpful error message for that case: https://github.com/advanced-security/gh-sbom/commit/781d1cee2a81550502c09aca42bbcb31c94c13cc
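The point above (unpinned requirements mean the manifest-derived SBOM carries no usable versions) is easy to check before an SBOM is handed downstream. The following is an added example, not gh-sbom code: it flags unpinned lines in a requirements.txt and packages whose `versionInfo` or `licenseConcluded` is NOASSERTION or missing in an SPDX JSON document; the sample manifest and SBOM are constructed.

```python
# Added example (not gh-sbom code): flag unpinned requirement lines and
# NOASSERTION fields in an SPDX JSON document, the symptom the thread reports.
import json
import re

# An exact pin is "name==1.2.3" or "name===1.2.3", optionally with extras.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*===?\s*\S+")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def unpinned_requirements(text: str) -> list:
    """Return names of requirements that are not pinned to one exact version."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or line.startswith("-"):  # skip blanks and options (-r, -e)
            continue
        if PIN_RE.match(line):
            continue
        m = NAME_RE.match(line)
        if m:
            unpinned.append(m.group(1))
    return unpinned

def noassertion_packages(spdx_json: str) -> list:
    """Return package names whose versionInfo or licenseConcluded is NOASSERTION/absent."""
    flagged = []
    for pkg in json.loads(spdx_json).get("packages", []):
        version = pkg.get("versionInfo", "NOASSERTION")
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if "NOASSERTION" in (version, lic):
            flagged.append(pkg.get("name", "<unnamed>"))
    return flagged

# Constructed sample inputs; not taken from the issue.
SAMPLE_REQUIREMENTS = """\
requests>=2.0      # range, not a pin
pyyaml             # no specifier at all
cryptography==41.0.7
-r dev.txt
"""
SAMPLE_SPDX_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "requests", "versionInfo": "NOASSERTION", "licenseConcluded": "NOASSERTION"},
    {"name": "cryptography", "versionInfo": "41.0.7", "licenseConcluded": "Apache-2.0"},
    {"name": "pyyaml", "licenseConcluded": "MIT"},  # versionInfo missing entirely
]})

if __name__ == "__main__":
    print("unpinned:", unpinned_requirements(SAMPLE_REQUIREMENTS))
    print("NOASSERTION packages:", noassertion_packages(SAMPLE_SPDX_JSON))
```

Packages flagged by the second check cannot be matched against vulnerability advisories, which is why a build-time or post-build tool is the better source of SBOM data for unpinned manifests.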

anthonyharrison commented 1 year ago

@steiza Thanks for the explanation. I think adding something to the documentation regarding behaviour if versions aren't pinned would be useful.