
Cannot output SBOM in cycloneDX format in tutorial #3784

Open
atomic-kanta-sasaki opened this issue May 21, 2024 · 6 comments
@atomic-kanta-sasaki

Description

Tutorials are provided.
The command as in the tutorial outputs SBOM, but if I set output to --cyclonedx, it does not output the correct SBOM.

How To Reproduce

tutorial command
./scancode -clpeui -n 2 --ignore "*.java" --json-pp sample.json samples

Commands I have executed
./scancode -clpeui -n 2 --ignore "*.java" --cyclonedx sample.json samples

output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:1a1b4416-ac60-4192-8743-e5297669c340",
  "version": 1,
  "metadata": {
    "timestamp": "2024-05-21T09:53:32Z",
    "tools": [
      {
        "vendor": "AboutCode.org",
        "name": "scancode-toolkit",
        "version": "32.1.0"
      }
    ],
    "properties": [
      {
        "name": "notice",
        "value": "Generated with ScanCode and provided on an \"AS IS\" BASIS, WITHOUT WARRANTIES\nOR CONDITIONS OF ANY KIND, either express or implied. No content created from\nScanCode should be considered or used as legal advice. Consult an Attorney\nfor any legal advice.\nScanCode is a free software code scanning tool from nexB Inc. and others.\nVisit https://github.com/nexB/scancode-toolkit/ for support and download."
      },
      {
        "name": "errors",
        "value": []
      },
      {
        "name": "warnings",
        "value": []
      },
      {
        "name": "message",
        "value": null
      },
      {
        "name": "system_environment",
        "value": {
          "operating_system": "linux",
          "cpu_architecture": "64",
          "platform": "Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.35",
          "platform_version": "#1 SMP Thu Jan 11 04:09:03 UTC 2024",
          "python_version": "3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]"
        }
      },
      {
        "name": "spdx_license_list_version",
        "value": "3.23"
      }
    ]
  },
  "components": [],
  "dependencies": []
}

This output does not write the scan result.
And I need the Schema property, and it is not included in the JSON file above.
If you already have a solution to these problems, please let me know.
Thank you!

System configuration

For bug reports, it really helps us to know:

  • What OS are you running on? (Windows/MacOS/Linux)
    wsl2 ubuntu
  • What version of scancode-toolkit was used to generate the scan file?
    version v32.1.0
  • What installation method was used to install/run scancode? (pip/source download/other)
    source download
@pombredanne

pombredanne commented May 21, 2024

@atomic-kanta-sasaki Thank you for the report! Sorry if this looks weird indeed.
There are several issues:

  1. We need to upgrade to newer versions of CycloneDX. 1.3 is an old version. ScanCode.io already dropped support for 1.3 and supports 1.4, 1.5 and 1.6
  2. CycloneDX is a format centered on packages and not files. Here the samples/ directory contains only files and no package manifests. These samples are not great and we should provide better samples. We have registered extra CycloneDX properties to track files at https://github.com/CycloneDX/cyclonedx-property-taxonomy?tab=readme-ov-file#registered-top-level-namespaces but we did not integrate this yet here.

You also wrote:

And I need the Schema property and it is not included in the json file above.

Can you tell where I could find this? I could not find such property in the https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3.schema.json schema.
If you meant this https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json#L14 ... this did not exist (yet) in version 1.3

Here are some concrete follow-up actions:
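The BOM pasted in the report is structurally valid CycloneDX 1.3 with nothing in it, and the `$schema` member the reporter asked about only exists from spec 1.4 onwards. The script below is an added example, not code from scancode-toolkit or from anyone in this thread: it loads a CycloneDX JSON document with the standard library only and flags exactly the conditions discussed here: an unknown `specVersion`, a `$schema` value that is missing or mismatched on a 1.4+ document (or present on a 1.3 one), a `serialNumber` that is not a `urn:uuid:`, an unparseable `metadata.timestamp`, and an empty `components` list. Both embedded BOMs are constructed for the example: the first is a trimmed copy of the output in the issue, the second is an invented 1.4 document with one illustrative npm component; the `$schema` URL follows the form the 1.4 schema enumerates.

```python
"""Sanity-check a CycloneDX JSON BOM before it is handed to downstream tooling.

Added example (not part of scancode-toolkit). Standard library only.
"""
import json
import uuid
from datetime import datetime

# 1.3 is what scancode-toolkit 32.1.0 writes; ScanCode.io has moved to 1.4+.
KNOWN_SPEC_VERSIONS = ("1.3", "1.4", "1.5", "1.6")

# Constructed sample: a trimmed copy of the empty BOM reported in the issue.
EMPTY_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "serialNumber": "urn:uuid:1a1b4416-ac60-4192-8743-e5297669c340",
    "version": 1,
    "metadata": {
        "timestamp": "2024-05-21T09:53:32Z",
        "tools": [{"vendor": "AboutCode.org", "name": "scancode-toolkit", "version": "32.1.0"}],
    },
    "components": [],
    "dependencies": [],
})

# Constructed sample: an invented 1.4 BOM with one illustrative package
# (the component and its purl are made up for the example, not scan output).
POPULATED_BOM_JSON = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:" + str(uuid.uuid4()),
    "version": 1,
    "metadata": {"timestamp": "2024-05-21T09:53:32Z", "tools": []},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
    "dependencies": [],
})


def _version_tuple(spec_version):
    """'1.4' -> (1, 4) so spec versions compare numerically."""
    return tuple(int(part) for part in spec_version.split("."))


def check_bom(bom_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    bom = json.loads(bom_text)

    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    spec = bom.get("specVersion")
    if spec not in KNOWN_SPEC_VERSIONS:
        findings.append(f"unknown specVersion {spec!r}")
    else:
        # "$schema" is defined from 1.4 onwards; a 1.3 document legitimately lacks it.
        schema = bom.get("$schema")
        if _version_tuple(spec) >= (1, 4):
            expected = f"http://cyclonedx.org/schema/bom-{spec}.schema.json"
            if schema != expected:
                findings.append(f"$schema should be {expected}, got {schema!r}")
        elif schema is not None:
            findings.append("$schema is present but is not defined in spec 1.3")

    serial = bom.get("serialNumber", "")
    try:
        if not serial.startswith("urn:uuid:"):
            raise ValueError(serial)
        uuid.UUID(serial[len("urn:uuid:"):])  # raises ValueError if malformed
    except ValueError:
        findings.append(f"serialNumber is not a urn:uuid: {serial!r}")

    timestamp = bom.get("metadata", {}).get("timestamp", "")
    try:
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    except ValueError:
        findings.append(f"metadata.timestamp is not ISO 8601: {timestamp!r}")

    components = bom.get("components", [])
    if not components:
        # The symptom from the issue: a scan of loose source files with no package
        # manifests produces a valid but useless BOM. Fail loudly rather than ship it.
        findings.append("components is empty: no package manifests were detected")
    for idx, comp in enumerate(components):
        for key in ("type", "name"):
            if not comp.get(key):
                findings.append(f"components[{idx}] is missing required field {key!r}")
        if "purl" not in comp:
            findings.append(f"components[{idx}] has no purl; vulnerability matching will miss it")

    return findings


if __name__ == "__main__":
    for label, text in (("empty", EMPTY_BOM_JSON), ("populated", POPULATED_BOM_JSON)):
        print(label, check_bom(text) or "OK")
```

Run it against the real file with `check_bom(open("sample.json").read())`; a non-empty result is a reason to stop a pipeline before the BOM reaches a vulnerability scanner or an auditor.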

@atomic-kanta-sasaki

atomic-kanta-sasaki commented May 21, 2024

@pombredanne

Thanks for the reply.

https://scancode-toolkit.readthedocs.io/en/latest/index.html
I don't see how to upgrade CycloneDX in this document.

If it's all in one document, please let me know where to find it.

I use scancode-toolkit version is v32.1.0.

@pombredanne

@atomic-kanta-sasaki I updated the comment in #3784 (comment) ... sorry if this was not clear: these are not actions you can take, but rather these are bugs and issues we need to fix in ScanCode. You are welcome to help if you fancy it!

In the meantime you may want to try ScanCode.io https://github.com/nexB/scancode.io/ ?

@ka-sasaki-sti

@pombredanne
I have already confirmed that I can use ScanCode.io to create SBOMs.
Thanks for presenting the information!
I will help you if I can be of any help regarding the development.
Thank you!

@pombredanne

I have already confirmed that I can use ScanCode.io to create SBOMs.
great.

I will help you if I can be of any help regarding the development.
You will be much welcomed.

@wujunhuge

I have a similar issue. Is there a good solution to using Scancode to generate a bill of materials that does not include components or licenses?
