Open ZombieNub opened 1 year ago
Thanks, @ZombieNub! We really appreciate this bug report. This does indeed sound like a big problem. Did we mention this project is new? 😓
We'll investigate and get back to you. Thank you, again!
Hi @ZombieNub:
First, thank you again for reporting a bug and opening an issue. This is the first issue from someone that is not a member of one of the cohort companies. So this is awesome! Keep it up! The more bugs reported, the merrier. And PRs always welcome too.
I did some investigation. And thanks to @houdini91, @manifestori and @puerco for some behind-the-scenes debugging. (There's a Slack for this project, currently only open to relevant DHS staff and staff from the seven companies from this project. Feel free to drop in there for quicker, more interactive feedback. Though I personally like GitHub issues more! :) )
So, first, I am using a MacBook (not Windows) and I am using the code at head (commit 9cc9bea501d0d9dd81165c6a6bd54488785ea7bc). I am also not using the command `.\go-cli.exe`, since this project is now named `sbom-convert`. Given these caveats, I am not able to replicate this bug.
I used one of the JSON files you identified: 0x59616e_SteinsOS_syft_spdx.json.txt (I had to add .txt to the end of the file because the GitHub UI does not allow me to drag and drop a JSON document directly into the comment box. Apologies.)
I used these steps:

```
git clone https://github.com/bom-squad/sbom-convert.git
```

Then I moved into the sbom-convert folder:

```
cd sbom-convert
```

I then used `go run` to both compile and run the binary. For example:

```
go run .
```

But I actually run the commands like this:

```
go run . 0x59616e_SteinsOS_syft_spdx.json.txt > 0x59616e_SteinsOS_converted_cdx.json
```
In this conversion from an SPDX to a CycloneDX document, I get non-blank output, just like the steps you describe above. This is the output I get: 0x59616e_SteinsOS_converted_cdx.json.txt (I again added a .txt to the end of the document because of the GitHub UI's inability to ingest a JSON document in the comment box.)
I then did a second conversion:

```
go run . 0x59616e_SteinsOS_converted_cdx.json.txt > double_converted_back_to_spdx.json
```
And I got a non-blank file: double_converted_back_to_spdx.json.txt
And I would say it looks "similar" to the original SPDX document. Though this project probably admittedly needs a more formal definition of similar :)
In conclusion, I personally can't replicate the bug. I'm sorry. Would you be willing to report the version of Windows you're using, the version of Go you're using, and the version of `sbom-convert` you're using and how you installed it?
I do have a Windows machine that I occasionally use that I could probably find, and I could try to replicate it with the same versions you have. Additionally, if you want to pair program some time, that might be an effective way to get to the root of the problem together! Again, thanks for the bug. I look forward to figuring this out together!
Details of my machine and software:

- Version of `sbom-convert`: 9cc9bea501d0d9dd81165c6a6bd54488785ea7bc
- Go version: go1.20.7
- Chip: Apple M1 Pro
- OS: macOS 13.5 (22G74)
Hi @jspeed-meyers,
Sorry for the late response. I did more testing and found the source of the error may be due to the file name.
I found that converting the files using the -o option properly named the file to end in either spdx or cdx, allowing the repeat conversion to recognize the file format. When this is not done, like with redirecting the contents to a file which does not end in spdx or cdx, the command cannot infer the file type and exits immediately. I believe this is why the error only occurred when I named the output file `result.json`, since it did not end in spdx or cdx.
I admit this error occurred due to my unfamiliarity with the spdx and cdx file formats, and I did not know that the file required ending in spdx or cdx in order for the conversion to work. Maybe the error message should state that the file must end in spdx or cdx?
Thank you for looking over this issue.
Details of my machine and software:

- Version of `sbom-convert`: 9cc9bea501d0d9dd81165c6a6bd54488785ea7bc
- Go version: go1.21.0
- Chip: Intel (R) Core(TM) 07-10870H CPU
- OS: Windows 11
> Thank you for looking over this issue.

Anytime! Keep the bug reports coming.

> Maybe the error message should state that the file must end in spdx or cdx?

Indeed. That does sound like a problem. @manifestori and @houdini91: how does the code recognize file format right now? Is that being handled by `protobom`? By `sbom-convert`? Does the error message and/or documentation need to make clear the naming conventions for file formats in order to avoid the above problem?
@ZombieNub Thank you for your feedback, I believe that "auto-healing" output names wasn't a great decision on my behalf. Since we would never default into a file output, prioritize stdout over it. We should trust the user's input for the filename, perhaps only warn (if verbose is on) when a file does not comply with file patterns.
For example, output an SBOM encoded to JSON into a file without the .json extension.
See these for "accepted filename patterns": https://cyclonedx.org/specification/overview/#recognized-file-patterns https://github.com/spdx/spdx-spec/blob/development/v2.3/examples/SPDXRdfExample-v2.2.spdx.rdf.xml

@jspeed-meyers This is done by `sbom-convert`, and I would address this for the upcoming release.
Sorry for the delay, I will submit a fix for this really soon <3 I will update ASAP
When attempting to convert a file twice in a row, the resulting file is blank. The file after the first conversion is not blank. This error occurs with spdx and cyclonedx files.
What should happen: The resulting file should be similar to the original file and follow the same format.
Steps to reproduce:

1. `.\go-cli.exe .\<FILENAME> | .\go-cli.exe > result.json`
2. `result.json` should be blank.

Alternative:

1. `.\go-cli.exe .\<FILENAME> intermediate.json`
2. `.\go-cli.exe .\intermediate.json > result.json`
3. `result.json` should be blank.

I've tested this with three example SBOM files: `0x59616e_SteinsOS_syft_spdx.json`, `0x727_ObserverWard_syft_spdx.json`, and `1amageek_Ballcap-iOS_syft_cyclonedx.json`. These are pre-generated SBOMs that can be found here.