advanced-security / gh-sbom

Generate SBOMs with gh CLI
MIT License

Fails to generate a detailed SBOM for a forked repo #5

Closed anthonyharrison closed 1 year ago

anthonyharrison commented 1 year ago

Pointing the tool at a forked repo results in a basic SBOM with none of the dependent packages identified.

steiza commented 1 year ago

I think what's happening here is this tool uses the Dependency Graph API, and so if you don't have Dependency Graph enabled on your repository (regardless of whether it's forked or not), it won't be able to get any information. I added a (hopefully) helpful error message for that case: https://github.com/advanced-security/gh-sbom/commit/781d1cee2a81550502c09aca42bbcb31c94c13cc

anthonyharrison commented 1 year ago

@steiza It appears that it is possible to enable DependencyGraph for a forked repo. Maybe add this reference somewhere in the documentation.
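The failure described in this thread is silent from the consumer's side: the tool still emits a well-formed document, just one with nothing but the repository itself in it. The check below is an added example (not part of gh-sbom) that flags such a degenerate SBOM; it assumes SPDX 2.3 JSON output, and both sample documents are constructed inline.

```python
import json

# Constructed sample: what a repo without Dependency Graph enabled yields.
# Only the repository package is described; no dependency packages appear.
DEGENERATE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-repo", "name": "example/forked-repo"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-repo"}],
})

# Constructed sample: the same repo after Dependency Graph is enabled.
HEALTHY_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-repo", "name": "example/forked-repo"},
                 {"SPDXID": "SPDXRef-npm-minimist", "name": "minimist"},
                 {"SPDXID": "SPDXRef-npm-left-pad", "name": "left-pad"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-repo"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-minimist"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-left-pad"}],
})


def dependency_packages(sbom_json):
    """Return sorted names of packages other than the described root(s)."""
    doc = json.loads(sbom_json)
    roots = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
             if r.get("spdxElementId") == doc.get("SPDXID")
             and r.get("relationshipType") == "DESCRIBES"}
    return sorted(p["name"] for p in doc.get("packages", [])
                  if p["SPDXID"] not in roots)


def check_sbom(sbom_json):
    """(ok, message): ok is False when the SBOM carries no dependencies."""
    deps = dependency_packages(sbom_json)
    if not deps:
        return False, ("SBOM describes only the repository itself; "
                       "confirm Dependency Graph is enabled before trusting it")
    return True, f"{len(deps)} dependency packages listed"


if __name__ == "__main__":
    for doc in (DEGENERATE_SBOM, HEALTHY_SBOM):
        print(check_sbom(doc))
```

Wiring this into a pipeline turns the basic SBOM from a quiet gap in coverage into a hard failure that points at the missing repository setting.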