opensbom-generator / spdx-sbom-generator

Support CI generation of SBOMs via golang tooling.

[Question] How to solve the error message: "error in getting mvn transitive dependency tree and parsing it"? #227

Open shi9qiu opened 2 years ago

shi9qiu commented 2 years ago

Hello,

I got an error message "error in getting mvn transitive dependency tree and parsing it" when I tried to generate from a simple Maven project:

$ ./spdx-sbom-generator -p /home/ubuntu/maven -o /home/ubuntu/out2
INFO[2021-08-05T11:42:35+09:00] Starting to generate SPDX ...
INFO[2021-08-05T14:37:01+09:00] Running generator for Module Manager: `Java-Maven` with output `/home/ubuntu/out2/bom-Java-Maven.spdx`
INFO[2021-08-05T14:37:01+09:00] Current Language Version Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /home/ubuntu/apache-maven-3.8.1
Java version: 11.0.11, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
Default locale: ja_JP, platform encoding: UTF-8
OS name: "linux", version: "4.15.0-23-generic", arch: "amd64", family: "unix"
error in getting mvn transitive dependency tree and parsing it
ERRO[2021-08-05T17:22:18+09:00] exit status 1
INFO[2021-08-05T17:22:18+09:00] Command has completed with errors for some package managers, see details below
INFO[2021-08-05T17:22:18+09:00] Plugin Java-Maven return error failed to read modules

Did anyone get the same error message before?

I checked the source code:

https://github.com/spdx/spdx-sbom-generator/blob/90ec05b20557e3cda6fd12cf214ad02b83c02f87/pkg/modules/javamaven/handler.go#L119-L135 and: https://github.com/spdx/spdx-sbom-generator/blob/90ec05b20557e3cda6fd12cf214ad02b83c02f87/pkg/modules/javamaven/decoder.go#L427-L444

Then I ran the "mvn dependency:tree" command and it was successful. So I have no idea what is wrong here. I will be very thankful if anyone can solve my problem.

BearsAreBig commented 2 years ago

@shi9qiu I ran into the same issue - I believe it is related to the working directory.

I too used ./spdx-sbom-generator --path /path/to/java/project and got the same error response.

To fix my issue I moved the executable (spdx-sbom-generator) into my Java project's top-level directory and ran the command again without the --path flag, and it worked:

cd /path/to/java/project && ./spdx-sbom-generator

So it sounds like there is a bug where this "mvn dependency:tree" command is being run in the pwd of the executable and not in the path specified by the --path flag.
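
The working-directory behaviour suspected in the comment above, as an added Go example that is not code from spdx-sbom-generator: a child process inherits the parent's working directory unless `cmd.Dir` is set, and a bare "exit status 1" hides the child's stderr. The helper names `runInProject` and `runInherited` are hypothetical, and `pwd` stands in for `mvn dependency:tree` so the example runs without Maven.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// runInherited starts the child without setting cmd.Dir, so it runs in
// whatever directory the parent process was launched from.
func runInherited(name string, args ...string) (string, error) {
	out, err := exec.Command(name, args...).Output()
	return strings.TrimSpace(string(out)), err
}

// runInProject (hypothetical helper) pins the child's working directory to
// projectDir and includes the child's stderr in the returned error.
func runInProject(projectDir, name string, args ...string) (string, error) {
	abs, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	if info, err := os.Stat(abs); err != nil || !info.IsDir() {
		return "", fmt.Errorf("project path %q is not a directory", abs)
	}
	var stdout, stderr bytes.Buffer
	cmd := exec.Command(name, args...)
	cmd.Dir = abs // without this line the child inherits the parent's cwd
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		return "", fmt.Errorf("%s in %s: %w: %s", name, abs, err,
			strings.TrimSpace(stderr.String()))
	}
	return strings.TrimSpace(stdout.String()), nil
}

func main() {
	// Constructed stand-in for the directory passed via --path.
	dir, _ := os.MkdirTemp("", "maven-project-")
	defer os.RemoveAll(dir)
	inherited, _ := runInherited("pwd")
	pinned, _ := runInProject(dir, "pwd")
	fmt.Println("inherited cwd:", inherited)
	fmt.Println("pinned cwd:   ", pinned)
}
```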

jwagantall commented 2 years ago

Is there a permanent fix in the plans for this issue?

Thanks!