Closed ZheSun88 closed 1 month ago
@ZheSun88 can you provide a full SBOM or a snippet of the components section for us to test with?
Hi @djschleen, here is one example, with cyclonedx-maven-plugin:2.8.1:
```json
"tools": {
  "components": [
    {
      "author": "OWASP Foundation",
      "group": "org.cyclonedx",
      "name": "cyclonedx-maven-plugin",
      "version": "2.8.1",
      "description": "CycloneDX Maven plugin",
      "hashes": [
        {
          "alg": "MD5",
          "content": "42c73e70d517b359d40b757c368d68fc"
        },
        {
          "alg": "SHA-1",
          "content": "c66892e13fb7ed7b8105cb5a280fa767d9e0bf12"
        },
        {
          "alg": "SHA-256",
          "content": "566681b9fcb1b0178e101cd899d2ea399e2039255e208a1a477bc079158dbdc5"
        },
        {
          "alg": "SHA-512",
          "content": "93d7b7421ee2d91f84930e75a52864952f26fee96114740dab477ee5f0e62b6448759ad5a160f1749650379f771941100c7fd84ed523b2407d2004b928998ecb"
        },
        {
          "alg": "SHA-384",
          "content": "04b0c71c1b79f77e723e7db96c72705f50172e94df5a7f28edbd96024b886fff65f61f37fc77abb1d12b0809813ae665"
        },
        {
          "alg": "SHA3-384",
          "content": "eafa68c2c25670f0b77c5db3acdfd97cfe97dfc50c47bba2103353327b049b9bbac0d8b621b1168200ddf21719048c73"
        },
        {
          "alg": "SHA3-256",
          "content": "2c07b6997ba0e40ca3b66e39cfcf101fcebdceaa19fce0baf12e013cf392466e"
        },
        {
          "alg": "SHA3-512",
          "content": "636f068843bad92259885cd4d427630619864c0172bd1b41df15c33a7d411767ab09cf2ff339a97fda149ee44c95a162fdf6cb12de19e2dc0250c2fadc80d882"
        }
      ],
      "type": "library"
    }
  ]
},
```
while with cyclonedx-maven-plugin:2.8.0, it seems there is no components section:
```json
"tools": [
  {
    "vendor": "OWASP Foundation",
    "name": "CycloneDX Maven plugin",
    "version": "2.8.0",
    "hashes": [
      {
        "alg": "MD5",
        "content": "76ffec6a7ddd46b2b24517411874eb99"
      },
      {
        "alg": "SHA-1",
        "content": "5b0d5b41975b53be4799b9621b4af0cfc41d44b6"
      },
      {
        "alg": "SHA-256",
        "content": "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81"
      },
      {
        "alg": "SHA-512",
        "content": "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d"
      },
      {
        "alg": "SHA-384",
        "content": "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d"
      },
      {
        "alg": "SHA3-384",
        "content": "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8"
      },
      {
        "alg": "SHA3-256",
        "content": "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487"
      },
      {
        "alg": "SHA3-512",
        "content": "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a"
      }
    ]
  }
],
```
Also attaching the full JSON files here: bom-2.8.0.json bom-2.8.1.json
I ran both of your attached files with bomber 0.5.0 (will be released shortly) and have not reproduced any issue.
If there is no components section in an SBOM, nothing can be scanned because no PURLs will be found. The only thing bomber will use out of any SBOM is that PURL, and license info. Any other fields like name, description, version, etc. are not used.
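The two snippets above show the shape change that tripped the older scanner: CycloneDX 1.4 writes `metadata.tools` as an array of tool objects (plugin 2.8.0), while CycloneDX 1.5 writes it as an object holding `components` (plugin 2.8.1). The following is an added example, not bomber's own code and not the cyclonedx-maven-plugin's, of how an SBOM consumer can accept both shapes and then pull out only what the comment above says matters for scanning: the PURL of each top-level component. The sample documents, the `demo-lib` package and its `pkg:maven/org.example/...` PURL are constructed for the example and are not the attached files.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Component keeps only the fields a scanner needs: the purl it queries
// with, plus name/version for display. Other fields are ignored on decode.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// legacyTool is the pre-1.5 tool object (vendor/name/version).
type legacyTool struct {
	Vendor  string `json:"vendor"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

// ToolsSection decodes metadata.tools in either shape: CycloneDX 1.4
// (array of tool objects, as plugin 2.8.0 emits) or CycloneDX 1.5
// (object with "components", as plugin 2.8.1 emits).
type ToolsSection struct {
	Legacy     []legacyTool
	Components []Component
}

func (t *ToolsSection) UnmarshalJSON(data []byte) error {
	data = bytes.TrimSpace(data)
	if len(data) == 0 || bytes.Equal(data, []byte("null")) {
		return nil
	}
	switch data[0] { // first byte tells us which schema shape we got
	case '[':
		return json.Unmarshal(data, &t.Legacy)
	case '{':
		var obj struct {
			Components []Component `json:"components"`
		}
		if err := json.Unmarshal(data, &obj); err != nil {
			return err
		}
		t.Components = obj.Components
		return nil
	default:
		return fmt.Errorf("metadata.tools: unexpected JSON starting with %q", data[0])
	}
}

// ToolNames lists the generator tools as "name version" for either shape.
func (t ToolsSection) ToolNames() []string {
	var out []string
	for _, l := range t.Legacy {
		out = append(out, l.Name+" "+l.Version)
	}
	for _, c := range t.Components {
		out = append(out, c.Name+" "+c.Version)
	}
	return out
}

// BOM is the minimal top-level CycloneDX structure this example reads.
type BOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Metadata    struct {
		Tools ToolsSection `json:"tools"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// ParseBOM decodes an SBOM and rejects anything that is not CycloneDX.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", b.BOMFormat)
	}
	return &b, nil
}

// ScanTargets returns the purls a vulnerability lookup would query.
// Components without a purl cannot be looked up and are skipped, so an
// SBOM with no components section yields nothing to scan.
func ScanTargets(b *BOM) []string {
	var purls []string
	for _, c := range b.Components {
		if c.PURL != "" {
			purls = append(purls, c.PURL)
		}
	}
	return purls
}

// Constructed sample inputs (not the attached bom-2.8.0.json / bom-2.8.1.json).
const bom14 = `{"bomFormat":"CycloneDX","specVersion":"1.4",
 "metadata":{"tools":[{"vendor":"OWASP Foundation","name":"CycloneDX Maven plugin","version":"2.8.0"}]},
 "components":[{"type":"library","name":"demo-lib","version":"1.0.0","purl":"pkg:maven/org.example/demo-lib@1.0.0"}]}`

const bom15 = `{"bomFormat":"CycloneDX","specVersion":"1.5",
 "metadata":{"tools":{"components":[{"type":"library","group":"org.cyclonedx","name":"cyclonedx-maven-plugin","version":"2.8.1"}]}},
 "components":[{"type":"library","name":"demo-lib","version":"1.0.0","purl":"pkg:maven/org.example/demo-lib@1.0.0"},
               {"type":"library","name":"no-purl","version":"0.1"}]}`

func main() {
	for _, doc := range []string{bom14, bom15} {
		b, err := ParseBOM([]byte(doc))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("spec %s, tools %v, targets %v\n", b.SpecVersion, b.Metadata.Tools.ToolNames(), ScanTargets(b))
	}
}
```

The custom `UnmarshalJSON` is the whole fix for this class of breakage: a struct field typed as a slice fails to decode the 1.5 object and aborts the scan before any component is read. Worth noting from a scanning standpoint is that a document which parses cleanly but has no `components` produces an empty target list, so a scanner should report "nothing to scan" loudly rather than return a clean result.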
Oh, thanks for checking. It seems we used version 0.4.7. The failure doesn't occur after I upgraded bomber to 0.5.0.
Thanks again.
It seems bomber is not compatible with the JSON generated from cyclonedx-maven-plugin:2.8.1.
In the new cyclonedx plugin, they have removed the deprecated feature of the CycloneDX schema, and now I am getting an error when I run
`bomber scan`
with the new JSON file, while it works fine with JSON generated from cyclonedx-maven-plugin:2.8.0.