Closed albert0815 closed 1 year ago
Running into errors trying to generate this, @albert0815. Could you share the copy you have while we try to fix the mvn errors?
here you are: bom.zip
awesome thanks! @nadgowdas is working on a fix for this!
Cool, thank you. I was working on a system to manage CycloneDX BOMs and stumbled across the GUAC announcement. I thought it would be worth a try to replace my own storing routine with GUAC. I will take another look when this bug is solved.
Created another BOM for testing, for GUAC, using this command:
cyclonedx-gomod mod -json .>guac-bom.json
Maybe it helps :)
Created a PR for fix: https://github.com/guacsec/guac/pull/224
Hi @albert0815, does the PR fix this for you? If it does, we can close this :)
Related to the old CDX parser. Please re-open the issue if the bug reoccurs.
While trying guac with a CycloneDX SBOM I found that no edges are being created. To make sure this is a reproducible case you could run the following commands to create the same SBOM:
It seems no edges are identified in that BOM and therefore no dependency graph is built in neo4j, only single nodes are created. But as far as I understand the SBOM actually contains the dependency information which could be used to build the graph. In the SBOM it looks like this:
So based on above sample I do not think it would be required to use information of the language ecosystem or dep.dev. The details are in the SBOM but not being parsed.
Posted this initially in #200 but created a new issue as suggested by @lumjjb
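An added example, not part of the original issue and not GUAC's parser code: a minimal Go sketch of reading the dependency information the report refers to, assuming it lives in the CycloneDX JSON `dependencies` array (`ref` / `dependsOn`). The `Edge` type, `DependencyEdges` function and the sample BOM are constructed for illustration; targets that match no declared component are returned separately so an ingester can flag them instead of silently creating orphan nodes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Edge is one "From depends on To" relationship between two bom-refs.
type Edge struct{ From, To string }

// bom models only the CycloneDX JSON fields needed to build edges.
type bom struct {
	Components   []struct{ BOMRef string `json:"bom-ref"` } `json:"components"`
	Dependencies []struct {
		Ref       string   `json:"ref"`
		DependsOn []string `json:"dependsOn"`
	} `json:"dependencies"`
}

// sampleBOM is a constructed document (not the BOM attached to the issue).
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4",
 "components":[{"bom-ref":"liba@1.2.0"},{"bom-ref":"libb@0.3.1"}],
 "dependencies":[{"ref":"app@1.0.0","dependsOn":["liba@1.2.0"]},
  {"ref":"liba@1.2.0","dependsOn":["libb@0.3.1","missing@0.0.1"]},
  {"ref":"libb@0.3.1","dependsOn":[]}]}`

// DependencyEdges returns declared edges plus targets matching no component.
func DependencyEdges(data []byte) (edges []Edge, dangling []string, err error) {
	var b bom
	if err = json.Unmarshal(data, &b); err != nil {
		return nil, nil, fmt.Errorf("parse CycloneDX JSON: %w", err)
	}
	known := map[string]bool{}
	for _, c := range b.Components {
		known[c.BOMRef] = true
	}
	for _, d := range b.Dependencies {
		for _, to := range d.DependsOn {
			edges = append(edges, Edge{d.Ref, to})
			if !known[to] {
				dangling = append(dangling, to)
			}
		}
	}
	return edges, dangling, nil
}

func main() {
	fmt.Println(DependencyEdges([]byte(sampleBOM)))
}
```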