nexB / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://github.com/nexB/scancode-toolkit/releases/

Cannot output SBOM in cycloneDX format in tutorial #3784

Open atomic-kanta-sasaki opened 2 months ago

atomic-kanta-sasaki commented 2 months ago

Description

Tutorials are provided. The command as in the tutorial outputs SBOM, but if I set output to --cyclonedx, it does not output the correct SBOM.

How To Reproduce

Tutorial command: ./scancode -clpeui -n 2 --ignore "*.java" --json-pp sample.json samples

Command I have executed: ./scancode -clpeui -n 2 --ignore "*.java" --cyclonedx sample.json samples

output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:1a1b4416-ac60-4192-8743-e5297669c340",
  "version": 1,
  "metadata": {
    "timestamp": "2024-05-21T09:53:32Z",
    "tools": [
      {
        "vendor": "AboutCode.org",
        "name": "scancode-toolkit",
        "version": "32.1.0"
      }
    ],
    "properties": [
      {
        "name": "notice",
        "value": "Generated with ScanCode and provided on an \"AS IS\" BASIS, WITHOUT WARRANTIES\nOR CONDITIONS OF ANY KIND, either express or implied. No content created from\nScanCode should be considered or used as legal advice. Consult an Attorney\nfor any legal advice.\nScanCode is a free software code scanning tool from nexB Inc. and others.\nVisit https://github.com/nexB/scancode-toolkit/ for support and download."
      },
      {
        "name": "errors",
        "value": []
      },
      {
        "name": "warnings",
        "value": []
      },
      {
        "name": "message",
        "value": null
      },
      {
        "name": "system_environment",
        "value": {
          "operating_system": "linux",
          "cpu_architecture": "64",
          "platform": "Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.35",
          "platform_version": "#1 SMP Thu Jan 11 04:09:03 UTC 2024",
          "python_version": "3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]"
        }
      },
      {
        "name": "spdx_license_list_version",
        "value": "3.23"
      }
    ]
  },
  "components": [],
  "dependencies": []
}

This output does not contain the scan result. And I need the Schema property, and it is not included in the JSON file above. If you already have a solution to these problems, please let me know. Thank you!

pombredanne commented 2 months ago

@atomic-kanta-sasaki Thank you for the report! Sorry if this looks weird indeed. There are several issues:

  1. We need to upgrade to newer versions of CycloneDX. 1.3 is an old version. ScanCode.io already dropped support for 1.3 and supports 1.4, 1.5 and 1.6.
  2. CycloneDX is a format centered on packages and not files. Here the samples/ directory contains only files and no package manifests. These samples are not great and we should provide better samples. We have registered extra CycloneDX properties to track files at https://github.com/CycloneDX/cyclonedx-property-taxonomy?tab=readme-ov-file#registered-top-level-namespaces but we did not integrate this yet here.

You also wrote:

And I need the Schema property and it is not included in the json file above.

Can you tell me where I could find this? I could not find such a property in the https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3.schema.json schema. If you meant this https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json#L14 ... this did not exist (yet) in version 1.3.

Here are some concrete follow up actions:
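The two points above (an outdated specVersion, and an empty components list because the scanned tree holds no package manifests) are exactly what a consumer of the generated file should check before treating it as a usable SBOM. The following is an added example, not code from the ScanCode project: a small Python checker that loads a CycloneDX JSON document, flags a specVersion outside the 1.4/1.5/1.6 set the maintainer names, flags a missing $schema property (which the 1.4 and later schemas define and 1.3 does not), flags an empty components list, surfaces any errors/warnings ScanCode recorded in metadata.properties, and summarises the licenses declared per component. The two sample documents are constructed inline: the first mirrors the shape of the output pasted in this issue, the second is a made-up 1.5 document with one hypothetical npm component, to show the non-empty path.

```python
import json

# Constructed sample 1: the shape of the BOM pasted in this issue (scan of a
# directory containing only source files), trimmed to the fields checked below.
EMPTY_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "serialNumber": "urn:uuid:1a1b4416-ac60-4192-8743-e5297669c340",
    "version": 1,
    "metadata": {
        "tools": [{"vendor": "AboutCode.org", "name": "scancode-toolkit", "version": "32.1.0"}],
        "properties": [{"name": "errors", "value": []}, {"name": "warnings", "value": []}],
    },
    "components": [],
    "dependencies": [],
})

# Constructed sample 2: what a scan of a tree that does contain a package
# manifest would be expected to produce on a newer spec version. The purl,
# component name and license are made-up illustration values.
PACKAGE_BOM = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"tools": [], "properties": [{"name": "errors", "value": []}]},
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [],
})

# Spec versions ScanCode.io currently accepts, per the maintainer's comment.
SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}


def check_cyclonedx_bom(text):
    """Return a list of human-readable findings for a CycloneDX JSON document.

    An empty list means the document looks usable as an SBOM: a current spec
    version, a $schema reference, and a non-empty components list.
    """
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if bom.get("bomFormat") != "CycloneDX":
        findings.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")

    spec = bom.get("specVersion")
    if spec not in SUPPORTED_SPEC_VERSIONS:
        findings.append(f"specVersion {spec!r} is not in {sorted(SUPPORTED_SPEC_VERSIONS)}")

    # $schema is only defined from spec 1.4 onward, so a 1.3 document cannot
    # carry it regardless of how the scan was run.
    if "$schema" not in bom:
        findings.append("no $schema property (only defined in spec 1.4 and later)")

    if not bom.get("components"):
        findings.append("components is empty: no package manifests were detected in the "
                        "scanned tree, so file-level findings are not represented")

    # Surface scanner-side errors/warnings recorded in metadata.properties.
    props = {p.get("name"): p.get("value")
             for p in bom.get("metadata", {}).get("properties", [])}
    for key in ("errors", "warnings"):
        if props.get(key):
            findings.append(f"scanner reported {key}: {props[key]}")
    return findings


def component_licenses(text):
    """Map each component purl (or name) to its declared license ids/expressions."""
    bom = json.loads(text)
    result = {}
    for comp in bom.get("components") or []:
        key = comp.get("purl") or comp.get("name")
        ids = []
        for entry in comp.get("licenses") or []:
            if "expression" in entry:          # SPDX expression form
                ids.append(entry["expression"])
            elif "license" in entry:           # single license object form
                lic = entry["license"]
                ids.append(lic.get("id") or lic.get("name"))
        result[key] = ids
    return result


if __name__ == "__main__":
    for label, doc in (("empty", EMPTY_BOM), ("package", PACKAGE_BOM)):
        print(label, check_cyclonedx_bom(doc) or "ok", component_licenses(doc))
```

Run against the first sample it reports three findings (old specVersion, no $schema, empty components), which is the situation described in this issue; against the second it reports nothing and lists the one component's license. Pointing `check_cyclonedx_bom` at a real ScanCode output file is a quick way to tell an "empty" SBOM from one that captured packages.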

atomic-kanta-sasaki commented 2 months ago

@pombredanne

Thanks for the reply.

https://scancode-toolkit.readthedocs.io/en/latest/index.html I don't see how to upgrade CycloneDX in this document.

If it's all in one document, please let me know where to find it.

The scancode-toolkit version I use is v32.1.0.

pombredanne commented 2 months ago

@atomic-kanta-sasaki I updated the comment in https://github.com/nexB/scancode-toolkit/issues/3784#issuecomment-2122435361 ... sorry if this was not clear: these are not actions you can take, but rather these are bugs and issues we need to fix in ScanCode. You are welcome to help if you fancy it!

In the meantime, you may want to try ScanCode.io: https://github.com/nexB/scancode.io/

ka-sasaki-sti commented 2 months ago

@pombredanne I have already confirmed that I can use ScanCode.io to create SBOMs. Thanks for presenting the information! I will help you if I can be of any help regarding the development. Thank you!

pombredanne commented 2 months ago

I have already confirmed that I can use ScanCode.io to create SBOMs. great.

I will help you if I can be of any help regarding the development. You will be much welcomed.

wujunhuge commented 1 month ago

I have a similar issue. Is there a good solution to using Scancode to generate a bill of materials that does not include components or licenses?