Closed mawl closed 2 months ago
I can't reproduce this with current ORT main. Analyzing https://github.com/oss-review-toolkit/ort-test-data-npm gives bom.cyclonedx.zip, which looks ok (and definitely is non-empty).
I think the bug comes with v22.6.
What makes you believe so if you only tried version 22.8?
Edit: Anyway, indeed ORT 22.6 is the version where we switched from CycloneDX Java library major version 8 to 9. But our tests pass(ed).
As @nnobelis noted on Slack, this could be related to https://github.com/CycloneDX/cyclonedx-core-java/issues/439.
Nice to read that you are on the right track. I could reproduce the bug with ort cli 26.0.0. If it helps, I can attach my used evaluation-result.yml here.
What would help more is if you could verify that https://github.com/oss-review-toolkit/ort/pull/8882 fixes the issue for you, @mawl.
@sschuberth, I have tested it with your ghcr.io/oss-review-toolkit/ort:main image.
xml format is generated now, but json leads to an exception and stays empty.
10:06:21.845 [DefaultDispatcher-worker-3] ERROR org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter - Unable to create CycloneDX report:
java.lang.NullPointerException: Cannot invoke "org.cyclonedx.model.LicenseChoice.getLicenses()" because the return value of "org.cyclonedx.model.Component.getLicenses()" is null
at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.generateBom(CycloneDxReporter.kt:409)
at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporterKt.access$generateBom(CycloneDxReporter.kt:1)
at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.writeBom(CycloneDxReporter.kt:374)
at org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.generateReport(CycloneDxReporter.kt:216)
at org.ossreviewtoolkit.plugins.commands.reporter.ReporterCommand$run$reportDurationMap$1$1$1$1.invokeSuspend(ReporterCommand.kt:292)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:811)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:715)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:702)
Successfully created 'CycloneDx' report(s) at '/builds/mycompany/compliance/license-scanning/output/bom.cyclonedx.xml' in 242.041734ms.
xml format is generated now, but json leads to an exception and stays empty.
Thanks for checking @mawl, please try again with https://github.com/oss-review-toolkit/ort/pull/8889.
This fixes it. Thanks a lot.
Describe the bug
Since upgrading to ORT v22.8, SBOM files are empty for NPM (and NuGet) projects. This happens silently, no exit code is thrown.
To Reproduce
Create an NPM project and install official and company dependencies, all proxied by a repo manager. The resulting ORT report is empty for CycloneDX JSON and XML files.
Steps to reproduce the behavior:
evaluation-result.yml:
SBOM files are empty.
BTW: Setting the concluded_license for a company dependency without a defined license (="NONE"), the SBOM files get generated with content - but not for a company dependency with a defined license as above.
Expected behavior
SBOM files have content like with ORT v22.5 - I think the bug comes with v22.6.
Console / log output
Environment
Output of the ort requirements command:
And specify (relevant parts of) your ORT configuration (config.yml):
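Because the reporter wrote an empty file without a failing exit code, a CI step that fails on an empty CycloneDX JSON and flags components lacking a licenses entry (the condition behind the NullPointerException in the log above) catches this regression before the SBOM is published. This is an added Python example, not ORT's own code; the sample BOM, its component names and the bom.cyclonedx.json file name are constructed assumptions.

```python
import json

# Constructed sample CycloneDX JSON standing in for an ORT-generated
# bom.cyclonedx.json (not from the issue; names and versions are assumptions).
# The second component deliberately carries no "licenses" entry, mirroring a
# company dependency whose license is undefined.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "company-internal-lib", "version": "1.0.0"},
    ],
})


def audit_cyclonedx_json(text):
    """Inspect a CycloneDX JSON document and report two problems.

    'empty' is True for a blank file, unparsable JSON, a non-CycloneDX
    document or a BOM with no components (the silent failure in the issue).
    'missing_licenses' lists component names without a 'licenses' entry.
    """
    if not text.strip():
        return {"empty": True, "missing_licenses": []}
    try:
        bom = json.loads(text)
    except json.JSONDecodeError:
        return {"empty": True, "missing_licenses": []}
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return {"empty": True, "missing_licenses": []}
    components = bom.get("components") or []
    missing = [c.get("name", "<unnamed>") for c in components if not c.get("licenses")]
    return {"empty": not components, "missing_licenses": missing}


def gate(text):
    """CI gate: return exit code 1 for an empty SBOM, 0 otherwise (warnings only)."""
    result = audit_cyclonedx_json(text)
    if result["empty"]:
        print("ERROR: CycloneDX SBOM is empty, unparsable or has no components")
        return 1
    for name in result["missing_licenses"]:
        print(f"WARNING: component {name} has no license information")
    return 0


if __name__ == "__main__":
    import sys
    # Usage: python sbom_gate.py bom.cyclonedx.json (falls back to the sample BOM)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    raise SystemExit(gate(text))
```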