Closed Garbald closed 10 months ago
It seems the problem is just an uninitialized variable in download_sources.py. From line 96 on it should probably be:
```python
        # reset per component so a missing URL cannot reuse the previous result
        result = None
        source_url = CycloneDxSupport.get_ext_ref_source_url(component)
        if source_url:
            result = self.download_source_file(source_url, source_folder)
        else:
            print_red("  No URL specified!")
        if result is not None:
            ...  # the existing code that uses `result` continues unchanged here
```
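As an added example (not code from the project or from the commenter above), the following simulates the loop in question with constructed component data: the buggy variant assigns `result` only when a URL exists, so a component without sources inherits the previous component's archive, while the fixed variant resets `result` per component. A small duplicate-source check is included as a cheap sanity test for this class of BOM corruption; `fake_download` and the sample URLs are stand-ins.

```python
from typing import Dict, List, Optional

# Constructed sample components; only two of the three carry a source URL.
COMPONENTS: List[Dict[str, Optional[str]]] = [
    {"name": "miglayout-swing", "version": "5.3",
     "source_url": "https://example.invalid/miglayout-swing-5.3-sources.jar"},
    {"name": "jlfgr", "version": "1.0", "source_url": None},
    {"name": "javax.mail", "version": "1.6.2",
     "source_url": "https://example.invalid/javax.mail-1.6.2-sources.jar"},
]


def fake_download(url: str) -> str:
    """Stand-in for the real download: returns the local file name it would create."""
    return "./" + url.rsplit("/", 1)[-1]


def update_bom_buggy(components: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Mirrors the reported defect: `result` is never reset, so a component with no
    URL silently reuses the previous component's local source archive.
    (If the very first component lacked a URL this would raise UnboundLocalError.)"""
    updated = []
    for component in components:
        source_url = component["source_url"]
        if source_url:
            result = fake_download(source_url)
        else:
            print("  No URL specified!")
        if result is not None:  # stale value from the previous iteration
            updated.append({"name": component["name"], "local_source": result})
        else:
            updated.append({"name": component["name"], "local_source": None})
    return updated


def update_bom_fixed(components: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Same loop with `result` initialised per component, as proposed in the thread."""
    updated = []
    for component in components:
        result: Optional[str] = None
        source_url = component["source_url"]
        if source_url:
            result = fake_download(source_url)
        else:
            print("  No URL specified!")
        if result is not None:
            updated.append({"name": component["name"], "local_source": result})
        else:
            updated.append({"name": component["name"], "local_source": None})
    return updated


def duplicate_local_sources(bom: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Flag local source archives attributed to more than one component.
    Two distinct components sharing one sources jar is a strong hint that a
    reference was copied from a neighbouring entry rather than downloaded."""
    seen: Dict[str, List[str]] = {}
    for entry in bom:
        if entry["local_source"] is not None:
            seen.setdefault(entry["local_source"], []).append(entry["name"])
    return {src: names for src, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("buggy :", duplicate_local_sources(update_bom_buggy(COMPONENTS)))
    print("fixed :", duplicate_local_sources(update_bom_fixed(COMPONENTS)))
```

Running the duplicate check over a BOM before it is uploaded to SW360 catches exactly the symptom in the report (jlfgr pointing at the miglayout archive) without needing to know which component was at fault.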
Thanks for the detailed report, good catch! I will prepare a testcase for it and then submit the fix.
I used "bom downloadsources" to get the sources for my project. This reported:
```
Miglayout-swing, 5.3
  URL = https://artifactory-internal.ct.daai.siemens.cloud/artifactory/siemens-virtual/com/miglayout/miglayout-swing/5.3/miglayout-swing-5.3-sources.jar
  Downloading file miglayout-swing-5.3-sources.jar
jlfgr, 1.0
  No URL specified!
javax.mail, 1.6.2
  URL = https://artifactory-internal.ct.daai.siemens.cloud/artifactory/siemens-virtual/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2-sources.jar
  Downloading file javax.mail-1.6.2-sources.jar
```
It is ok to have no sources for jlfgr because this is only an archive of graphical look&feel-resources. The BOM update for the downloaded sources fails to handle the missing sources and inserts the previously seen sources instead:
```json
{
  "type": "library",
  "bom-ref": "pkg:maven/com.oracle/jlfgr@1.0?type=jar",
  "group": "com.oracle",
  "name": "jlfgr",
  "version": "1.0",
  "description": "POM was created by Sonatype Nexus",
  "purl": "pkg:maven/com.oracle/jlfgr@1.0?type=jar",
  "externalReferences": [
    {
      "url": "./miglayout-swing-5.3-sources.jar",
      "comment": "source archive (local copy)",
      "type": "distribution",
    }
  ],
```
This is then wrongly uploaded to SW360 in a createcomponents/createreleases call.