oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

CycloneDX SBOM files (XML,JSON) are empty for packages with empty licenses #8857

Closed mawl closed 2 months ago

mawl commented 2 months ago

Describe the bug

Since upgrading to ORT v22.8, SBOM files are empty for NPM (and NuGet) projects. This happens silently; no error exit code is returned.

To Reproduce

Create an NPM project and install official and company dependencies, all proxied by a repository manager. The resulting ORT report is empty for the CycloneDX JSON and XML files.

Steps to reproduce the behavior:

  1. Create an NPM project:
    mkdir test-project
    cd test-project
    npm init
    npm install sax
    npm install example
  2. Run the analyze and evaluate phases:

evaluation-result.yml:

    - id: "NPM::example:0.0.11"
      purl: "pkg:npm/example@0.0.11"
      authors:
      - "mail"
      declared_licenses:
      - "ISC"
      declared_licenses_processed:
        spdx_expression: "ISC"
      description: "Hello NPM"
      homepage_url: ""
      binary_artifact:
        url: ""
        hash:
          value: ""
          algorithm: ""
      source_artifact:
        url: "https://repo.mycompany.de/npm-repo/example/-/example-0.0.11.tgz"
        hash:
          value: "40946e16be36bc97fed1e24d406359a52caf3211"
          algorithm: "SHA-1"
      vcs:
        type: ""
        url: ""
        revision: ""
        path: ""
      vcs_processed:
        type: ""
        url: ""
        revision: ""
        path: ""
    dependency_graphs:
      NPM:
        packages:
        - "NPM::acorn:8.12.1"
        - "NPM::aria-query:5.3.0"
        - "NPM::axobject-query:4.0.0"
        - "NPM::example:0.0.11"
  3. Run the report phase:
    07:38:30.137 [main] DEBUG org.ossreviewtoolkit.cli.OrtMain - Used command line arguments: [--debug, report, --report-formats, WebApp,CycloneDx,PlainTextTemplate, --report-option, CycloneDX=output.file.formats=XML,JSON ...

    SBOM files are empty.

BTW: When setting the concluded_license for a company dependency without a defined license (= "NONE"), the SBOM files get generated with content, but not for a company dependency with a defined license as above.

Expected behavior

SBOM files have content, as with ORT v22.5. I think the bug comes with v22.6.

Console / log output

Successfully created 'CycloneDx' report(s) at '/builds/mycompany/compliance/license-scanning/output/bom.cyclonedx.xml', '/builds/mycompany/compliance/license-scanning/output/bom.cyclonedx.json' in 156.024981ms.

Environment

Output of the ort requirements command:

The OSS Review Toolkit, version 25.0.0,
built with JDK 11.0.23+9, running under Java 17
Executing 'requirements' as 'ort' on Linux
with 8 CPUs and a maximum of 8192 MiB of memory

Environment variables:
ORT_CONFIG_DIR = /home/ort/.ort/config
ORT_DATA_DIR = /builds/dvelop/compliance/license-scanning/.ort
HOME = /home/ort
JAVA_HOME = /opt/java/openjdk
ANDROID_HOME = /opt/android-sdk

Looking for ORT configuration in the following file:
        /home/ort/.ort/config/config.yml

AdviceProviderFactory plugins:
        * GitHubDefects
        * NexusIQ
        * OssIndex
        * OSV
        * VulnerableCode

OrtCommand plugins:
        * advise
        * analyze
        * compare
        * config
        * download
        * evaluate
        * migrate
        * notify
        * report
        * requirements
        * scan
        * upload-curations
        * upload-result-to-postgres
        * upload-result-to-sw360

PackageConfigurationProviderFactory plugins:
        * DefaultDir
        * Dir
        * DOS
        * OrtConfig

PackageCurationProviderFactory plugins:
        * ClearlyDefined
        * DefaultDir
        * DefaultFile
        * File
        * OrtConfig
        * SW360

PackageManagerFactory plugins:
        * Bazel
        * Bower
        * Bundler
        * Cargo
        * Carthage
        * CocoaPods
        * Composer
        * Conan
        * GoMod
        * Gradle
        * GradleInspector
        * Maven
        * NPM
        * NuGet
        * PIP
        * Pipenv
        * PNPM
        * Poetry
        * Pub
        * SBT
        * SpdxDocumentFile
        * Stack
        * SwiftPM
        * Unmanaged
        * Yarn
        * Yarn2

Reporter plugins:
        * CtrlXAutomation
        * CycloneDx
        * DocBookTemplate
        * EvaluatedModel
        * FossId
        * FossIdSnippet
        * GitLabLicenseModel
        * HtmlTemplate
        * ManPageTemplate
        * Opossum
        * PdfTemplate
        * PlainTextTemplate
        * SpdxDocument
        * StaticHtml
        * TrustSource
        * WebApp

ScannerWrapperFactory plugins:
        * Askalono
        * BoyterLc
        * DOS
        * FossId
        * Licensee
        * ScanCode
        * SCANOSS

VersionControlSystem plugins:
        * Git
        * GitRepo
        * Mercurial
        * Subversion

Scanners:
        - Askalono: Requires 'askalono' in no specific version. Tool not found.
        - BoyterLc: Requires 'lc' in no specific version. Tool not found.
        - Licensee: Requires 'licensee' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode' in version >=3.0.0. Found version 32.1.0.

PackageManagers:
        * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
        * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
        * Cargo: Requires 'cargo' in no specific version. Found version 1.72.0.
        * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.15.2.
        * Composer: Requires 'composer' in version >=1.5.0. Found version 2.2.24.
        * Conan: Requires 'conan' in version >=1.44.0 and <2.0.0. Found version 1.64.1.
        * GoMod: Requires 'go' in version >=1.21.1. Found version 1.22.2.
        * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.7.0.
        + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
        * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
        * Pnpm: Requires 'pnpm' in version >=5.0.0 and <10.0.0. Found version 9.2.0.
        * Poetry: Requires 'poetry' in no specific version. Found version 1.8.3.
        * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
        * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.10.0.
        * Sbt: Requires 'sbt' in version >=0.13.0. Found version 1.10.0.
        * Stack: Requires 'stack' in version >=2.1.1. Found version 2.15.7.
        * SwiftPm: Requires 'swift' in no specific version. Found version 5.9.2.
        * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.19.

VersionControlSystems:
        * Git: Requires 'git' in version >=2.29.0. Found version 2.34.1.
        * GitRepo: Requires 'repo' in no specific version. Found version 2.45 (launcher).
        * Mercurial: Requires 'hg' in no specific version. Found version 6.7.3.

Prefix legend:
        - The tool was not found in the PATH environment.
        + The tool was found in the PATH environment, but not in the required version.
        * The tool was found in the PATH environment in the required version.

ScanCode license texts not found.

And specify (relevant parts of) your ORT configuration (config.yml):

...
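The report above shows the failure mode a compliance pipeline must never accept quietly: the reporter logs "Successfully created", exits zero, and leaves behind an SBOM with no components. The following is an added example, not code from this issue or from ORT: a small Python gate that parses the CycloneDX JSON output, fails on an empty, unparsable or component-less BOM, cross-checks the component purls against the "purl:" entries of the ORT result file, and reports components that carry no license information. The file names, the SAMPLE_* inputs and the sax version 1.4.1 are constructed for the example.

```python
"""CI gate for an ORT-generated CycloneDX JSON SBOM.

Added example, not ORT code and not from the issue. It refuses to accept an
SBOM that is empty, unparsable, has no components, or lacks packages that
the ORT result file lists, and it reports components without license data
so that a "silently empty" SBOM never becomes a release artifact.
"""
from __future__ import annotations

import json
import sys
from typing import Iterable


def expected_purls_from_ort_result(ort_result_yaml: str) -> set[str]:
    """Collect every 'purl: "pkg:..."' entry from an ORT result file.

    A plain line scan keeps the gate free of third-party dependencies; ORT
    writes one 'purl:' line per project and package, which is all we need.
    Use a YAML parser if you need the rest of the model.
    """
    purls: set[str] = set()
    for line in ort_result_yaml.splitlines():
        stripped = line.strip()
        if stripped.startswith("purl:"):
            value = stripped.split(":", 1)[1].strip().strip('"')
            if value.startswith("pkg:"):
                purls.add(value)
    return purls


def check_sbom(bom_json: str, expected_purls: Iterable[str]) -> list[str]:
    """Return findings for a CycloneDX JSON document; an empty list means pass."""
    if not bom_json.strip():
        return ["SBOM file is empty (zero bytes)"]
    try:
        bom = json.loads(bom_json)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]

    findings: list[str] = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    components = bom.get("components") or []
    if not components:
        findings.append("SBOM lists no components")

    # The root project is emitted as metadata.component, not in 'components',
    # so count it as present when cross-checking against the ORT result.
    seen = {c.get("purl") for c in components if c.get("purl")}
    root = (bom.get("metadata") or {}).get("component") or {}
    if root.get("purl"):
        seen.add(root["purl"])
    for purl in sorted(set(expected_purls) - seen):
        findings.append(f"package missing from SBOM: {purl}")

    # CycloneDX makes 'licenses' optional; report components without it so a
    # reviewer sees which entries the SBOM is silent about.
    for c in components:
        if "licenses" not in c:
            label = c.get("purl") or c.get("name", "<unnamed>")
            findings.append(f"component has no licenses field: {label}")
    return findings


# Constructed sample inputs shaped like the files in the report (not real output).
SAMPLE_ORT_RESULT = """\
packages:
- id: "NPM::example:0.0.11"
  purl: "pkg:npm/example@0.0.11"
  declared_licenses:
  - "ISC"
- id: "NPM::sax:1.4.1"
  purl: "pkg:npm/sax@1.4.1"
  declared_licenses: []
"""

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example", "version": "0.0.11",
         "purl": "pkg:npm/example@0.0.11",
         "licenses": [{"license": {"id": "ISC"}}]},
        {"type": "library", "name": "sax", "version": "1.4.1",
         "purl": "pkg:npm/sax@1.4.1"},
    ],
})


def main(argv: list[str]) -> int:
    """Usage: check_sbom.py bom.cyclonedx.json evaluation-result.yml"""
    if len(argv) != 3:
        print(f"usage: {argv[0]} bom.cyclonedx.json evaluation-result.yml", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        bom_json = fh.read()
    with open(argv[2], encoding="utf-8") as fh:
        expected = expected_purls_from_ort_result(fh.read())
    findings = check_sbom(bom_json, expected)
    for finding in findings:
        print(finding, file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after ORT's report phase with the generated bom.cyclonedx.json and the result file the reporter consumed; any finding makes the job fail, which is the exit code the report above says ORT itself did not produce.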
sschuberth commented 2 months ago

I can't reproduce this with current ORT main. Analyzing https://github.com/oss-review-toolkit/ort-test-data-npm gives bom.cyclonedx.zip, which looks ok (and definitely is non-empty).

sschuberth commented 2 months ago

> I think the bug comes with v22.6.

What makes you believe so if you only tried version 22.8?

Edit: Anyway, indeed ORT 22.6 is the version where we switched from CycloneDX Java library major version 8 to 9. But our tests pass(ed).

sschuberth commented 2 months ago

As @nnobelis noted on Slack, this could be related to https://github.com/CycloneDX/cyclonedx-core-java/issues/439.

mawl commented 2 months ago

Nice to read that you are on the right track. I could reproduce the bug with ort cli 26.0.0. If it helps, I can attach my used evaluation-result.yml here.

sschuberth commented 2 months ago

What would help more is if you could verify that https://github.com/oss-review-toolkit/ort/pull/8882 fixes the issue for you, @mawl.

mawl commented 2 months ago

@sschuberth, I have tested it with your ghcr.io/oss-review-toolkit/ort:main image.

XML format is generated now, but JSON leads to an exception and stays empty.

10:06:21.845 [DefaultDispatcher-worker-3] ERROR org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter - Unable to create CycloneDX report: 
java.lang.NullPointerException: Cannot invoke "org.cyclonedx.model.LicenseChoice.getLicenses()" because the return value of "org.cyclonedx.model.Component.getLicenses()" is null
    at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.generateBom(CycloneDxReporter.kt:409)
    at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.access$generateBom(CycloneDxReporter.kt:1)
    at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.writeBom(CycloneDxReporter.kt:374)
    at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.generateReport(CycloneDxReporter.kt:216)
    at org.ossreviewtoolkit.plugins.commands.reporter.ReporterCommand$run$reportDurationMap$1$1$1$1.invokeSuspend(ReporterCommand.kt:292)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:811)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:715)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:702)
Successfully created 'CycloneDx' report(s) at '/builds/mycompany/compliance/license-scanning/output/bom.cyclonedx.xml' in 242.041734ms.

sschuberth commented 2 months ago

> XML format is generated now, but JSON leads to an exception and stays empty.

Thanks for checking @mawl, please try again with https://github.com/oss-review-toolkit/ort/pull/8889.

mawl commented 2 months ago

> > XML format is generated now, but JSON leads to an exception and stays empty.
>
> Thanks for checking @mawl, please try again with #8889.

This fixes it. Thanks a lot.