spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0

Converting Errors #11

Closed sdd4181 closed 2 years ago

sdd4181 commented 2 years ago

I went through the documented setup, and running ./mvnw clean package succeeds. When trying to run the spdxcyclone I am getting issues.

I am running this on a Windows VM with JDK 11.0.15, and I'm running spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar because all others exit with no main manifest attribute. I run this jar file identically to the usage command java -jar spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar ./cyclonedx.json ./spdx.json and get the following error.

Thank you for any help you can provide!

11:52:33.229 [main] ERROR org.spdx.jacksonstore.JacksonSerializer - Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
Exception in thread "main" java.lang.RuntimeException: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
        at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:245)
        at java.base/java.util.stream.ReduceOps$4ReducingSink.accept(ReduceOps.java:220)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:589)
        at org.spdx.jacksonstore.JacksonSerializer.getDocElements(JacksonSerializer.java:240)
        at org.spdx.jacksonstore.JacksonSerializer.docToJsonNode(JacksonSerializer.java:117)
        at org.spdx.jacksonstore.MultiFormatStore.serialize(MultiFormatStore.java:166)
        at com.sourceauditor.spdxcyclone.CycloneToSpdx.cycloneDxToSpdx(CycloneToSpdx.java:278)
        at com.sourceauditor.spdxcyclone.CycloneToSpdx.main(CycloneToSpdx.java:218)
Caused by: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
        at org.spdx.jacksonstore.JacksonSerializer.typedValueToObjectNode(JacksonSerializer.java:178)
        at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:243)
        ... 12 more

goneall commented 2 years ago

@sdd4181 I added PR #12 to improve the README for running the correct JAR file.

goneall commented 2 years ago

@sdd4181 Can you attach the cyclonedx.json file you are trying to convert?

sdd4181 commented 2 years ago

It wouldn't let me send JSON file formats, so I zipped the 3 files I used and attached them below. cycloneSBOM.zip

goneall commented 2 years ago

@sdd4181 I was able to duplicate this translating the file dubboMavenSBOMCycloneDX.json. Definitely an issue with this utility or one of the library dependencies.

I'll do some investigating over the next few days and update the issue.

sdd4181 commented 2 years ago

OK, thank you for your help!
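
Added example, not part of the original thread and not the project's fix: the SPDX 2.x specification allows only letters, digits, "." and "-" after "SPDXRef-", and the identifier in the error message in the first post contains "_". The Python code below checks an ID against that grammar and shows one collision-safe way to sanitize a raw component reference. The function names and the hash-suffix scheme are assumptions, and the exact check performed inside the SPDX Java library is not shown on this page.

```python
import hashlib
import re

PREFIX = "SPDXRef-"
# SPDX 2.x grammar: "SPDXRef-" + one or more letters, digits, "." or "-".
SPDX_ID_RE = re.compile(r"SPDXRef-[A-Za-z0-9.\-]+")
DISALLOWED = re.compile(r"[^A-Za-z0-9.\-]")

# Identifier copied from the error message in this issue.
ID_FROM_ERROR = ("SPDXRef-pkg-maven-com.google.errorprone-"
                 "error_prone_annotations-2.2.0-type-jar")


def is_valid_spdx_id(spdx_id):
    """True if spdx_id matches the SPDX 2.x element identifier grammar."""
    return SPDX_ID_RE.fullmatch(spdx_id) is not None


def offending_chars(spdx_id):
    """Return (index, char) for each disallowed character after the prefix."""
    start = len(PREFIX) if spdx_id.startswith(PREFIX) else 0
    return [(m.start(), m.group()) for m in DISALLOWED.finditer(spdx_id, start)]


def to_spdx_id(raw, assigned):
    """Map a raw component reference to a valid SPDX ID, unique per raw value.

    Disallowed characters become "-". When that rewrites the string, or the
    result is already in use, a prefix of SHA-256(raw) is appended so that
    "error_prone" and "error-prone" do not collapse into the same ID.
    `assigned` is a dict (raw -> ID) shared across one document (assumption).
    """
    if raw in assigned:
        return assigned[raw]
    cleaned = DISALLOWED.sub("-", raw) or "ref"
    candidate = PREFIX + cleaned
    used = set(assigned.values())
    if cleaned != raw or candidate in used:
        digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()
        for n in range(8, 65, 4):  # lengthen the suffix until it is unused
            candidate = f"{PREFIX}{cleaned}-{digest[:n]}"
            if candidate not in used:
                break
    assigned[raw] = candidate
    return candidate


if __name__ == "__main__":
    print(is_valid_spdx_id(ID_FROM_ERROR), offending_chars(ID_FROM_ERROR))
    print(to_spdx_id(ID_FROM_ERROR[len(PREFIX):], {}))
```

Replacing "_" with "-" alone would let two distinct components end up with the same identifier in the SBOM, which is why the sanitizer appends a hash suffix whenever it rewrites a reference.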