Unable to create SBOM for package-lock.json in server mode #1530
Any errors when you set the CDXGEN_DEBUG_MODE=debug in server mode? Also, are you running cdxgen against the full source code of the application?

Hi @prabhu thanks for responding

cdxgen --version

No idea. Can you upgrade and try with the latest version?

Hi @prabhu - you mean for the server mode? Yes, same thing. Could I send the package-lock.json so you could try from your end?

Like I said, cdxgen requires full source code, not just the lock file. Running the latest v11 version with the CDXGEN_DEBUG_MODE=debug environment variable will show the exact error as well.

@prabhu - thanks for the response. I noticed that the same file is able to generate in 8.6.0 but not in the latest. But anyway, for now I downgraded and made it work. Out of curiosity, why does SBOM generation need the full source? Is just the dependency list (pom.xml, package.json etc.) not sufficient? Is it for reachability analysis?
Hi,
I am trying to create an SBOM.json for a Node application. It generates an empty SBOM; not sure what I am missing. Please guide me on what I am missing. I tried with all types as mentioned in the document: nodejs, npm, js, javascript.
package-lock.json
```
curl --location --request POST 'http://127.0.0.1:9090/sbom?path=%2Fapp&type=js'
```

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:33000064-9424-4c1b-aa8d-06ad5b6f1309",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-06T04:59:37Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.0.9",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.0.9",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.0.9",
          "publisher": "OWASP Foundation",
          "authors": [ { "name": "OWASP Foundation" } ]
        }
      ]
    },
    "authors": [ { "name": "OWASP Foundation" } ],
    "lifecycles": [ { "phase": "build" } ],
    "component": {
      "group": "",
      "name": "jsforwp-blocks",
      "version": "2.0.0",
      "type": "application",
      "purl": "pkg:npm/jsforwp-blocks@2.0.0",
      "bom-ref": "pkg:npm/jsforwp-blocks@2.0.0"
    },
    "properties": []
  },
  "components": [],
  "dependencies": [
    { "ref": "pkg:npm/jsforwp-blocks@2.0.0", "dependsOn": [] }
  ],
  "annotations": []
}
```
I am able to generate for Dockerfile, Java (pom.xml) and Python.

Docker command:

```
docker run -v /cdxgen/tmp:/tmp -e CDXGEN_DEBUG_MODE=debug -p 9090:9090 -v /cdxgen:/app:rw -itd ghcr.io/cyclonedx/cdxgen:v11.0.9 -r /app --server --server-host 0.0.0.0
```

I noticed that when I use CLI mode it works if I pass the type as "js":

```
cdxgen -r -o bom.json -t js .
```
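An empty SBOM like the one above is dangerous in a pipeline because a vulnerability scanner fed zero components reports zero findings. The following is an added example, not code from cdxgen or from the issue author: a small Node.js gate that counts the packages recorded in package-lock.json (lockfileVersion 2 or 3) and refuses a CycloneDX BOM that has no components or fewer than the lock file records. The lock file and BOM contents are constructed samples that mirror the issue.

```javascript
// Added example (not cdxgen's own code): a CI gate that rejects an empty or
// under-populated SBOM by comparing it against package-lock.json.

// Constructed sample lock file (lockfileVersion 3) with two installed packages.
const SAMPLE_LOCK = JSON.stringify({
  name: "jsforwp-blocks",
  version: "2.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "jsforwp-blocks", version: "2.0.0", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/semver": { version: "7.6.0", dev: true },
  },
});

// Constructed sample BOM, trimmed to the shape of the empty output in the issue.
const EMPTY_BOM = JSON.stringify({
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  metadata: { component: { name: "jsforwp-blocks", version: "2.0.0", type: "application" } },
  components: [],
  dependencies: [{ ref: "pkg:npm/jsforwp-blocks@2.0.0", dependsOn: [] }],
});

// Count installed packages in the lock file, excluding the root entry "".
function countLockedPackages(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error("unsupported lockfile: expected lockfileVersion 2 or 3");
  return Object.keys(lock.packages).filter((k) => k !== "").length;
}

// Count top-level components in a CycloneDX JSON BOM.
function countBomComponents(bomJson) {
  const bom = JSON.parse(bomJson);
  if (bom.bomFormat !== "CycloneDX") throw new Error("not a CycloneDX BOM");
  return Array.isArray(bom.components) ? bom.components.length : 0;
}

// Gate decision: fail when the BOM is empty or covers fewer packages than the lock file.
function checkSbomCoverage(lockJson, bomJson) {
  const expected = countLockedPackages(lockJson);
  const found = countBomComponents(bomJson);
  return { expected, found, ok: found > 0 && found >= expected };
}

const result = checkSbomCoverage(SAMPLE_LOCK, EMPTY_BOM);
console.log(result.ok ? "SBOM coverage OK" : `REJECT: ${result.found}/${result.expected} locked packages in SBOM`);
```

In a real pipeline, read both files from disk and exit non-zero when `ok` is false so the scan stage cannot run on an empty BOM.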