
Unable to create SBOM with CDXGen 11 #1541

Open
emcfins opened this issue Jan 8, 2025 · 26 comments · Fixed by #1558 · May be fixed by #1591

Comments

emcfins commented Jan 8, 2025

Hello,

I'm attempting to create an SBOM for an open source project (https://github.com/aws-solutions/connected-mobility-solution-on-aws for example) with the latest version of CDXGen and no SBOM is being generated.

When I use version 10 (specific version currently 10.2.6), the SBOM is generated.

Command used:

CDXGEN_DEBUG_MODE=debug FETCH_LICENSE=true cdxgen -t universal --spec-version 1.5 -o bom-1.5.json

No error is output, just returns to a prompt and no file is generated.

prabhu (Collaborator) commented Jan 8, 2025

Does it work without -t universal? We re-worked the logic for type detection a few times, so it could be a casualty.

prabhu (Collaborator) commented Jan 8, 2025

For me, it runs with -t universal but fails with a validation error at the end.

node /Volumes/Work/CycloneDX/cdxgen/bin/cdxgen.js -o bom.json -t universal --spec-version 1.5 .
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/vpc/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_vehicle_simulator/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_sample/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_provisioning/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_predictive_maintenance/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_fleetwise_connector/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_ev_battery_health/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_connect_store/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_config/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_auth/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_api/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_alerts/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/auth_setup/mkdocs.yml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/vpc/source/template.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/vpc/source/samples/transit-gateway/transit-gateway.template.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/vpc/source/samples/transit-gateway/transit-gateway-routes.template.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_predictive_maintenance/source/config.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/docker-compose.yaml
Images identified in /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/docker-compose.yaml are [ { service: 'db' }, { image: 'postgres:14.1-alpine' } ]
Parsing image postgres:14.1-alpine
Ensure Rancher Desktop is running prior to invoking cdxgen. To start from the command line, type the command 'rdctl start'
Unable to pull postgres:14.1-alpine. Check if the name is valid. Perform any authentication prior to invoking cdxgen.
Try manually pulling this image using docker pull postgres:14.1-alpine
postgres:14.1-alpine doesn't appear to be a valid container image.
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/app-config.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/app-config.production.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/app-config.local.yaml
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/packages/backend/Dockerfile
Images identified in /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/packages/backend/Dockerfile are [ { image: 'public.ecr.aws/docker/library/node:18.20-bullseye-slim' } ]
Parsing image public.ecr.aws/docker/library/node:18.20-bullseye-slim
Unable to pull public.ecr.aws/docker/library/node:18.20-bullseye-slim. Check if the name is valid. Perform any authentication prior to invoking cdxgen.
Try manually pulling this image using docker pull public.ecr.aws/docker/library/node:18.20-bullseye-slim
public.ecr.aws/docker/library/node:18.20-bullseye-slim doesn't appear to be a valid container image.
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_predictive_maintenance/source/handlers/agent_action_group/function/openapi.json
Scanning .
Performing babel-based package usage analysis with source code at .
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_vehicle_simulator/source/console/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_vehicle_simulator/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_sample/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_provisioning/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_predictive_maintenance/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_fleetwise_connector/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_ev_battery_health/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_connect_store/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_config/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_auth/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_api/deployment/postman_collection/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_api/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/cms_alerts/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/cdk/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/auth_setup/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/acdp/deployment/cdk-solution-helper/package-lock.json
Parsing /Volumes/Work/sandbox/connected-mobility-solution-on-aws/source/modules/backstage/yarn.lock
Found 4095 npm packages at .
Found 61 python packages at .
Obtained 4156 components and 4098 dependencies after dedupe.
Received 4158 unfiltered components 4098 dependencies so far.
Obtained 4158 components and 4098 dependencies after dedupe.
Schema validation failed for cms-vehicle-simulator-console
[
  {
    instancePath: '/components/2',
    schemaPath: '#/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'authors' },
    message: 'must NOT have additional properties',
    schema: false,
    parentSchema: {
      type: 'object',
      title: 'Component Object',
      required: [Array],
      additionalProperties: false,
      properties: [Object]
    },
    data: {
      author: undefined,
      authors: undefined,
      publisher: undefined,
      group: '@aws-amplify',
      name: 'api',
      version: '5.4.16',
      description: undefined,
      scope: 'required',
      hashes: [Array],
      licenses: undefined,
      purl: 'pkg:npm/%40aws-amplify/[email protected]',
      type: 'library',
      'bom-ref': 'pkg:npm/@aws-amplify/[email protected]',
      properties: [Array]
    }
  }
]

emcfins (Author) commented Jan 8, 2025

Interesting - how are you running it? I'm running in Codebuild on AWS and it looks like it just ends.

{
  group: '@com.cms.fleetmanagement',
  name: 'api-client',
  version: '0.0.0',
  _integrity: '',
  purl: 'pkg:npm/%40com.cms.fleetmanagement/[email protected]',
  'bom-ref': 'pkg:npm/@com.cms.fleetmanagement/[email protected]',
  properties: [
    {
      name: 'SrcFile',
      value: '/codebuild/output/src167746040/src/source/modules/cms_ui/source/frontend/yarn.lock'
    }
  ],
  evidence: { identity: { field: 'purl', confidence: 1, methods: [Array] } }
} was not found on npm
Parsing /codebuild/output/src167746040/src/source/modules/cms_ui/source/frontend/smithy-build/yarn.lock
About to fetch license information for 120 packages in parseYarnLock
Parsing /codebuild/output/src167746040/src/source/modules/cms_ui/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_sample/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_provisioning/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_predictive_maintenance/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_fleetwise_connector/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_ev_battery_health/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_connect_store/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_config/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_auth/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_api/deployment/postman_collection/yarn.lock
About to fetch license information for 113 packages in parseYarnLock
Parsing /codebuild/output/src167746040/src/source/modules/cms_api/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/cms_alerts/deployment/cdk-solution-helper/yarn.lock
Parsing /codebuild/output/src167746040/src/source/modules/backstage/yarn.lock
About to fetch license information for 3254 packages in parseYarnLock
[Container] 2025/01/08 15:42:10.221084 Running command <snip>

I'll try it again.

As for the validation error you're getting, is there a way around it?

emcfins (Author) commented Jan 8, 2025

From looking at your command I saw what was going on - I was missing the final . in the command so it became:

CDXGEN_DEBUG_MODE=debug FETCH_LICENSE=true cdxgen -t universal --spec-version 1.5 -o bom.json .

Once I did that, it ran but I'm also getting a validation error - different from what you found:

Obtained 4846 components and 4593 dependencies after dedupe.
Received 5245 unfiltered components 4593 dependencies so far.
Obtained 5134 components and 4593 dependencies after dedupe.
Schema validation failed for cms-vehicle-simulator-console
[
  {
    instancePath: '/components/206',
    schemaPath: '#/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'authors' },
    message: 'must NOT have additional properties',
    schema: false,
    parentSchema: {
      type: 'object',
      title: 'Component Object',
      required: [Array],
      additionalProperties: false,
      properties: [Object]
    },
    data: {
      author: 'GitHub Inc.',
      authors: undefined,
      publisher: undefined,
      group: '',
      name: 'npm',
      version: '10.8.2',
      description: 'a package manager for JavaScript',
      scope: undefined,
      licenses: [Array],
      purl: 'pkg:npm/[email protected]',
      externalReferences: [Array],
      type: 'library',
      'bom-ref': 'pkg:npm/[email protected]',
      properties: [Array]
    }
  }
]

prabhu (Collaborator) commented Jan 8, 2025

That validation error is incorrect. Since authors attribute is undefined, it will get removed before being dumped to the file. We have the below logic, but it is escaping it somehow.

delete component.authors;

Can you help investigate and find the place that is introducing the authors?

emcfins (Author) commented Jan 8, 2025

I can see what I can find and report back.

Funny (or not?) enough, my runs are failing the same way as my initial report said - but it’s intermittent.

emcfins (Author) commented Jan 9, 2025

I'm not quite at the bottom of the root cause of either issue, but this is what I know so far.

For the just-stopping-without-error issue I'm running into, it has something to do with fetching the license for the https://api.github.com/repos/cowboy/node-exit package, but I haven't quite figured out WHAT about that is causing it to fail silently; it's pretty consistently stopping at that package.

For the validation error, it's because the specVersion isn't included in the options sent for that package (it's from a docker image, not sure if that matters).

The options passed to the addComponent function for the pkg:npm/[email protected] package are:

{
  "projectType": [
    "oci"
  ],
  "multiProject": true,
  "installDeps": false,
  "path": "public.ecr.aws/docker/library/node:18.20-bullseye-slim",
  "parentComponent": {},
  "exportData": {
    "inspectData": {
      "Id": "sha256:ff88d1409ac9cbe3186174cca0a949308f77a419d3411024e2b4e84f980f1246",
      "RepoTags": [
        "public.ecr.aws/docker/library/node:18.20-bullseye-slim"
      ],
      "RepoDigests": [
        "public.ecr.aws/docker/library/node@sha256:5f3ae2bd02f4f4dd2e886c42de4c5856fb99dab6b36edd4e8064983db42fd8fc"
      ],
      "Parent": "",
      "Comment": "buildkit.dockerfile.v0",
      "Created": "2024-11-15T23:05:18Z",
      "DockerVersion": "",
      "Author": "",
      "Config": {
        "Hostname": "",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "NODE_VERSION=18.20.5",
          "YARN_VERSION=1.22.22"
        ],
        "Cmd": [
          "node"
        ],
        "Image": "",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": [
          "docker-entrypoint.sh"
        ],
        "OnBuild": null,
        "Labels": null
      },
      "Architecture": "arm64",
      "Variant": "v8",
      "Os": "linux",
      "Size": 192281593,
      "GraphDriver": {
        "Data": {
          "LowerDir": "/var/lib/docker/overlay2/75cd24386b60fe77b48b08ad5087e9b1688ea96cef05b888ce8ad92efd74a0fb/diff:/var/lib/docker/overlay2/6f21ffbcb0d003546684a70f5947f120d2b8a8b0b09fbd181be62c7123ec52eb/diff:/var/lib/docker/overlay2/d5c0ac1e6be8c636a220e745ee7a6c411ef259631acdb876fef3c98d45df0c66/diff:/var/lib/docker/overlay2/cef7014313eaa6356b4dc5c418a0bee73003e6a5c040bf31ee6f7722d364ff35/diff",
          "MergedDir": "/var/lib/docker/overlay2/60cc3194a96a52745518fb8a33adf34033f62f19c5007ca34aed1a311ad24801/merged",
          "UpperDir": "/var/lib/docker/overlay2/60cc3194a96a52745518fb8a33adf34033f62f19c5007ca34aed1a311ad24801/diff",
          "WorkDir": "/var/lib/docker/overlay2/60cc3194a96a52745518fb8a33adf34033f62f19c5007ca34aed1a311ad24801/work"
        },
        "Name": "overlay2"
      },
      "RootFS": {
        "Type": "layers",
        "Layers": [
          "sha256:ff80ec55a37609daeaf3d3843aa8105f6c6b18984cf42badda290363444bdef3",
          "sha256:e71558f9e3c53b576de3e32837c2aaaebaf4338c93180bad83ff1a5991848e21",
          "sha256:f15431b9f121cd58d5aebea5098d3f0638a97b3711dd8a43cd795da43acfffe0",
          "sha256:d90cc8aa5a94bc516e5a9971c27e3017c4e0e7f5388c9e425623c0f78e892b84",
          "sha256:48657769e4a3b1ff65b621f217c6d77b9b7e1ab34952d7424df5cb95041a0819"
        ]
      },
      "Metadata": {
        "LastTagTime": "0001-01-01T00:00:00Z"
      }
    },
    "manifest": [
      {
        "Config": "blobs/sha256/ff88d1409ac9cbe3186174cca0a949308f77a419d3411024e2b4e84f980f1246",
        "RepoTags": [
          "public.ecr.aws/docker/library/node:18.20-bullseye-slim"
        ],
        "Layers": [
          "blobs/sha256/ff80ec55a37609daeaf3d3843aa8105f6c6b18984cf42badda290363444bdef3",
          "blobs/sha256/e71558f9e3c53b576de3e32837c2aaaebaf4338c93180bad83ff1a5991848e21",
          "blobs/sha256/f15431b9f121cd58d5aebea5098d3f0638a97b3711dd8a43cd795da43acfffe0",
          "blobs/sha256/d90cc8aa5a94bc516e5a9971c27e3017c4e0e7f5388c9e425623c0f78e892b84",
          "blobs/sha256/48657769e4a3b1ff65b621f217c6d77b9b7e1ab34952d7424df5cb95041a0819"
        ],
        "LayerSources": {
          "sha256:48657769e4a3b1ff65b621f217c6d77b9b7e1ab34952d7424df5cb95041a0819": {
            "mediaType": "application/vnd.oci.image.layer.v1.tar",
            "size": 3584,
            "digest": "sha256:48657769e4a3b1ff65b621f217c6d77b9b7e1ab34952d7424df5cb95041a0819"
          },
          "sha256:d90cc8aa5a94bc516e5a9971c27e3017c4e0e7f5388c9e425623c0f78e892b84": {
            "mediaType": "application/vnd.oci.image.layer.v1.tar",
            "size": 7270400,
            "digest": "sha256:d90cc8aa5a94bc516e5a9971c27e3017c4e0e7f5388c9e425623c0f78e892b84"
          },
          "sha256:e71558f9e3c53b576de3e32837c2aaaebaf4338c93180bad83ff1a5991848e21": {
            "mediaType": "application/vnd.oci.image.layer.v1.tar",
            "size": 350208,
            "digest": "sha256:e71558f9e3c53b576de3e32837c2aaaebaf4338c93180bad83ff1a5991848e21"
          },
          "sha256:f15431b9f121cd58d5aebea5098d3f0638a97b3711dd8a43cd795da43acfffe0": {
            "mediaType": "application/vnd.oci.image.layer.v1.tar",
            "size": 112338944,
            "digest": "sha256:f15431b9f121cd58d5aebea5098d3f0638a97b3711dd8a43cd795da43acfffe0"
          },
          "sha256:ff80ec55a37609daeaf3d3843aa8105f6c6b18984cf42badda290363444bdef3": {
            "mediaType": "application/vnd.oci.image.layer.v1.tar",
            "size": 78080000,
            "digest": "sha256:ff80ec55a37609daeaf3d3843aa8105f6c6b18984cf42badda290363444bdef3"
          }
        }
      }
    ],
    "allLayersDir": "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh",
    "allLayersExplodedDir": "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers",
    "lastLayerConfig": {},
    "lastWorkingDir": "",
    "pkgPathList": [
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/local/go",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/local/lib",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/local/lib64",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/opt",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/home",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/share",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/src",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/var/www/html",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/var/lib",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/mnt",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/lib",
      "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers/usr/lib64"
    ]
  },
  "lastWorkingDir": "",
  "allLayersExplodedDir": "/var/folders/ql/tpm1cdw13bq5vdxgzchnyx0r0000gr/T/docker-images-HxDBVh/all-layers",
  "createMultiXBom": true,
  "allOSComponentTypes": [
    "bullseye",
    "deb",
    "debian",
    "debian-11"
  ],
  "exclude": [
    "**/vendor/**"
  ]
}

Since the version is missing, the if statement if (options.specVersion < 1.6) isn't true because the value is undefined, and thus the attribute doesn't get removed.

prabhu (Collaborator) commented Jan 9, 2025

I think the below line needs to be improved to retain options such as specVersion.

const bomData = await createBom(img.image, {

emcfins (Author) commented Jan 9, 2025

Changing the above function call like this seems to resolve the problem for OCI packages but not for the NPM packages.

const bomData = await createBom(img.image, {
  ...options,
  projectType: ["oci"],
});

Now I no longer get the error for the npm/npm package, but now I do for the one you initially found.

Where should I look to try the same change?

[
  {
    instancePath: '/components/399',
    schemaPath: '#/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'authors' },
    message: 'must NOT have additional properties',
    schema: false,
    parentSchema: {
      type: 'object',
      title: 'Component Object',
      required: [Array],
      additionalProperties: false,
      properties: [Object]
    },
    data: {
      author: undefined,
      authors: undefined,
      publisher: undefined,
      group: '@aws-amplify',
      name: 'api',
      version: '5.4.16',
      description: undefined,
      scope: 'required',
      hashes: [Array],
      licenses: undefined,
      purl: 'pkg:npm/%40aws-amplify/[email protected]',
      type: 'library',
      'bom-ref': 'pkg:npm/@aws-amplify/[email protected]',
      properties: [Array]
    }
  }
]

emcfins (Author) commented Jan 9, 2025

I think I found the other part for the validation issue!

I think this:

const mbomData = await createMultiXBom(path, {

Should be:

const mbomData = await createMultiXBom(path, {
  ...options,
  projectType: [],
  multiProject: true,
  excludeType: options.excludeType,
});

Still have to dig deeper into the license issue.

prabhu (Collaborator) commented Jan 10, 2025

Well done! Please share a pull request once you are happy.

prabhu (Collaborator) commented Jan 10, 2025

Regarding the problem being intermittent, in the past I have generated OBOMs for the build agents to ensure they have the exact packages and binaries needed for the build. It's easy to come up with simple env checks on top of the BOM json file. It's usually not needed for AWS codebuild unless the input image is likely to change frequently.

cdxgen -t os

prabhu added a commit that referenced this issue Jan 14, 2025
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu (Collaborator) commented Jan 14, 2025

@emcfins could you test with the PR branch #1558 ?

emcfins (Author) commented Jan 14, 2025 via email

prabhu (Collaborator) commented Jan 14, 2025

Thank you. Since it is merged, please test with the master branch.

emcfins (Author) commented Jan 16, 2025

I'm testing this now with a few packages. I'm seeing this message that I'm not sure how to interpret; any guidance would be great.

It's failing on schema validation but is creating an SBOM:

Schema validation failed for source
[
  {
    instancePath: '/components/870/evidence/identity',
    schemaPath: '#/properties/identity/type',
    keyword: 'type',
    params: { type: 'object' },
    message: 'must be object',
    schema: 'object',
    parentSchema: {
      type: 'object',
      description: 'Evidence that substantiates the identity of a component.',
      required: [Array],
      additionalProperties: false,
      properties: [Object]
    },
    data: [ [Object] ]
  }
]

When I look at sbom.components[869], this is the evidence for "purl": "pkg:npm/[email protected]":

"evidence": {
  "identity": {
    "field": "purl",
    "confidence": 0.7,
    "methods": [
      {
        "technique": "manifest-analysis",
        "confidence": 0.7,
        "value": "/tmp/docker-images-HJEBag/all-layers/usr/lib/node_modules/npm/package.json"
      }
    ]
  }
}

In case the path index starts at 1, this is sbom.components[870] for "purl": "pkg:npm/[email protected]":

"evidence": {
  "identity": [
    {
      "field": "purl",
      "confidence": 0.7,
      "methods": [
        {
          "technique": "manifest-analysis",
          "confidence": 0.7,
          "value": "/tmp/docker-images-HJEBag/all-layers/usr/lib/node_modules/npm/node_modules/yallist/package.json"
        },
        {
          "technique": "manifest-analysis",
          "confidence": 1,
          "value": "/codebuild/output/src2955025410/src/source/api-services/package-lock.json"
        }
      ]
    }
  ]
}

prabhu (Collaborator) commented Jan 16, 2025

We must be missing the specVersion in another place.

evidence.identity is an array in 1.6, but object in 1.5.

870 is unfortunately an array, so would fail in 1.5 spec. This particular line is not executed, so specVersion must be missing.

emcfins (Author) commented Jan 16, 2025

Ok - I'll look into it. Thank you!

prabhu (Collaborator) commented Jan 16, 2025

Maybe we should refactor and do these upgrades and downgrades in postgen?

emcfins (Author) commented Jan 16, 2025

What does that mean for the code? I'll defer to you; I'm just along for the ride.

prabhu (Collaborator) commented Jan 16, 2025

We have a lot of code in index.js to fix the data for the given spec version. All these things could be moved to postgen.

emcfins (Author) commented Jan 21, 2025

Ok - I think I found it.
It's happening in this logic:

const identities = Array.isArray(comp.evidence.identity)

Being called from here

components = trimComponents(components);

Called from createContainerSpecLikeBom here:

return dedupeBom(options, components, parentComponent, dependencies);

What's the intended outcome?

emcfins (Author) commented Jan 21, 2025

It looks like it's casting the evidence.identity to an Array, then iterating through it to add appropriate methods.

I was thinking that the boolean value of Array.isArray(comp.evidence.identity) could be saved as a variable, then after the logic is completed, cast it back to an object with something like:

if (!isArray) {
  existingComponent.evidence = {
    identity: existingComponent.evidence.identity[0]
  };
}

Do you think that would accomplish the goal of the logic here or am I missing something that could cause adverse effects elsewhere?
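The two downgrade rules discussed in this thread (drop the 1.6-only `authors` key and collapse the 1.6 `evidence.identity` array to the single 1.5 object), written out as an added example that is not cdxgen's own code. All function names, the 1.5 fallback, the identity merge rule and the sample components are assumptions constructed for the example; it also shows why `options.specVersion < 1.6` is silently false when specVersion is missing.

```javascript
// Added example, not cdxgen's code. Normalises CycloneDX components for a
// target spec version as this thread describes. All names are assumed.

// The comparison as the thread found it: with specVersion undefined the
// branch is skipped, so nothing is downgraded (undefined < 1.6 === false).
function needsDowngradeAsReported(options) {
  return options.specVersion < 1.6;
}

// Assumption: fall back to 1.5 when the caller dropped specVersion instead of
// silently skipping the downgrade.
const DEFAULT_SPEC_VERSION = 1.5;

function resolveSpecVersion(options) {
  const v = Number(options && options.specVersion);
  return Number.isFinite(v) ? v : DEFAULT_SPEC_VERSION;
}

// 1.6 allows several identity objects, 1.5 exactly one. Assumed merge rule:
// keep every method that belongs to the same field as the first entry, so
// evidence is not lost the way taking identity[0] alone would lose it.
function identityArrayToObject(identities) {
  if (identities.length === 0) return undefined;
  const first = identities[0];
  const same = identities.filter((i) => i.field === first.field);
  return {
    field: first.field,
    confidence: Math.max(...same.map((i) => i.confidence ?? 0)),
    methods: same.flatMap((i) => i.methods ?? []),
  };
}

function downgradeComponent(component, options) {
  const specVersion = resolveSpecVersion(options);
  const comp = { ...component };
  // Keys left as `undefined` are still visible to the validator (see
  // `authors: undefined` in the output above), so strip them explicitly.
  for (const key of Object.keys(comp)) {
    if (comp[key] === undefined) delete comp[key];
  }
  if (specVersion < 1.6) {
    delete comp.authors; // plural `authors` only exists from 1.6
    if (comp.evidence && Array.isArray(comp.evidence.identity)) {
      const identity = identityArrayToObject(comp.evidence.identity);
      comp.evidence = { ...comp.evidence };
      if (identity) comp.evidence.identity = identity;
      else delete comp.evidence.identity;
    }
  }
  return comp;
}

// Minimal check for the two rules this thread hit, reported in the same
// instancePath style as the validator output above. Not a full schema check.
function findSpecViolations(components, specVersion) {
  const problems = [];
  components.forEach((comp, idx) => {
    if (specVersion >= 1.6) return;
    if ("authors" in comp) {
      problems.push(`/components/${idx}: must NOT have additional properties (authors)`);
    }
    if (comp.evidence && Array.isArray(comp.evidence.identity)) {
      problems.push(`/components/${idx}/evidence/identity: must be object`);
    }
  });
  return problems;
}

// Constructed sample components shaped like the two failures in the thread.
const SAMPLE_COMPONENTS = [
  { type: "library", group: "@aws-amplify", name: "api", version: "5.4.16",
    author: undefined, authors: undefined },
  { type: "library", name: "yallist", version: "4.0.0", // constructed version
    evidence: { identity: [
      { field: "purl", confidence: 0.7, methods: [
        { technique: "manifest-analysis", confidence: 0.7, value: "/all-layers/usr/lib/node_modules/npm/node_modules/yallist/package.json" }] },
      { field: "purl", confidence: 1, methods: [
        { technique: "manifest-analysis", confidence: 1, value: "/src/source/api-services/package-lock.json" }] },
    ] } },
];
```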

prabhu (Collaborator) commented Jan 22, 2025

Checking.

prabhu reopened this Jan 22, 2025

emcfins (Author) commented Jan 22, 2025

I forked the repo and have a PR there to run the tests. The Reachables tests / ruby-samples (ubuntu-24.04) (pull_request) test failed. How can I run that locally to see what may be happening?

prabhu (Collaborator) commented Jan 22, 2025

Don't worry about that test. Possibly it might work in the CycloneDX org.
