microsoft / sbom-tool
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
License: MIT License
Encountered error while running ManifestTool generation workflow. Error: The SBOM format 'SPDX:2.2' is not supported by the SBOM tool.
Same error for Ubuntu 22.04 LTS and Debian 11
it would be pretty convenient to be able to install the binaries with dotnet tool install sbom-tool and run it as dotnet tool run sbom-tool.
this would let us declare all the project tool dependencies in the .config/dotnet-tool.json file and restore them all with dotnet tool restore.
I execute this command on Windows (doesn't matter if I use cmd or PowerShell):
C:\Temp\sbom-tool.exe generate -b "C:\src\core\Build\Service with spaces" -bc "C:\src\core\Solutions\service with spaces\src\" -pn "Foo bar services" -pv "1.0.0.0" -nsb "https://example.com"
The tool runs and creates a manifest, however no dependencies are found.
Program output:
[INFO] Log file: C:\Users\username\AppData\Local\Temp\GovCompDisc_Log_20220722135038.log
[INFO] Run correlation id: 77b85f03-caa7-47b4-bc71-94e9e4b003c1
[INFO] Attempting to load default detectors
[INFO] 19 detectors were found in Microsoft.ComponentDetection.Detectors
[WARN] Provided search path C:\Users\username\AppData\Local\Temp\.net\sbom-tool\lpvnvva1.mst\Plugins does not exist.
[INFO] Finding components...
[INFO] No instructions received to scan docker images.
[ERROR] Root directory doesn't exist: C:\src\core\Solutions\service
If I run the tool on a directory without spaces, everything works fine.
Executing sbom-tool generate -ManifestDirPath _manifest
creates an unexpected _manifest
nested sub-directory:
Just to clarify, although this is written in the documentation, I think it's not the expected behaviour:
ManifestDirPath (-m) The path of the directory where the generated SBOM files will be placed. A folder named '_manifest' will be created at this location, where all generated SBOMs will be placed. If this parameter is not specified, the files will be placed in {BuildDropPath}/_manifest directory.
If this is working as expected (I hope not, because creating a hardcoded directory is really odd when you can specify it in an argument), I think the last paragraph should be modified to be a bit more clear. Something like:
If this parameter is not specified, the directory will be created inside the {BuildDropPath} directory.
I've only just started tinkering with the tool, so I may be missing something important.
The tool fails to find a pom.xml file in the directory that I specify as the BuildComponentPath, nor any of the other pom.xml files in nested directories. It does find two package-lock.json and one yarn.lock file nested in the build component path hierarchy.
Is some additional configuration required for Maven support? Am I missing something important?
Hi!
I would like to ask for help to understand how the sbom-tool works for Rust code. We in the Kubewarden team are evaluating using sbom-tool to generate the SPDX file for the Rust component of the Kubewarden stack. But we are seeing some results that seem to be incomplete. When we run the sbom-tool in the Policy Server repository, the tool generates the SPDX file with all the files under the build directory. Which does not seem a problem, but it misses all the dependencies defined in the Cargo.toml file. In other words, the SPDX file does not have the relationships between the packages defined in the cargo file. Is this expected? Is the cargo/Rust support production ready?
This is an example of the command that I use to create the file:
$ sbom-tool generate -b ./target -bc . -pn kubewarden -pv 1.0.0 -nsb https://kubewarden.io -V Verbose -ps Kubewarden
Let's check some info in the SPDX file:
$ jq ".packages[] | .name" _manifest/spdx_2.2/manifest.spdx.json
"winapi-x86_64-pc-windows-gnu"
"instant"
"cfg-if"
"remove_dir_all"
"tempfile"
"winapi"
"bitflags"
"redox_syscall"
"fastrand"
"libc"
"winapi-i686-pc-windows-gnu"
"policy-server"
$ jq ".packages | length " _manifest/spdx_2.2/manifest.spdx.json
12
$ jq ".relationships | length " _manifest/spdx_2.2/manifest.spdx.json
12
$ jq -r ".relationships[] | .relatedSpdxElement" _manifest/spdx_2.2/manifest.spdx.json >> out; jq -r ".packages[] | .SPDXID" _manifest/spdx_2.2/manifest.spdx.json >> out
$ cat out | sort -u
SPDXRef-Package-09E888C0DD94AE60E61C26BDCB42496CCE2C353B04EDC32010BAE39CD9C281D0
SPDXRef-Package-103DDECE1CB10C10E2689F436AB7787B75BC4D108C139C4A187F13A49F631E8A
SPDXRef-Package-189578355B371E85A4B08774D0CFD32BD36B61165FA6BBEDA3B80BE76024EA8D
SPDXRef-Package-23A31416C710E2C36870C6DA198442A1B9E87AA1DEE5C764218A5ADA6ACAB955
SPDXRef-Package-2C0BE3A4473BFBE36158A982CB7D03CB69186272843FCC7EED4A98767B0B0484
SPDXRef-Package-3A6F59C021FD50CA792745B5BA96467074206C03916D0BCFC926087D1D49F587
SPDXRef-Package-860B0BD399A74F569916FC6D2B12313E84843DAD430BC3A7AF88A11F42210381
SPDXRef-Package-8D53CF339C6C5356F4655FAB5ED74736CCEAA7FE34FFF98F2C6F3DF3F627A96E
SPDXRef-Package-9D986058A09E0CC43BCCF23FE973D1CEB4F7AFC28E67A6FA8D2453F4264AA058
SPDXRef-Package-CD84440B5868C5522882D227E2DA16FEF386CAF7BAE037A976DE512D23092501
SPDXRef-Package-EE5CCD784D9C04F2C86943E03620B4A4D9A902C21981F66C64F63115130F6439
SPDXRef-RootPackage
$ cat out | sort -u | wc -l
12
None of the dependencies defined in the Cargo.toml are defined in the SPDX file. Am I missing something?
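The jq checks in the post above compare package counts by hand. The following script is an added example (not code from the issue or from the sbom-tool project) that automates the same completeness check: it reads the direct dependencies out of a Cargo.toml, lists which of them are absent from the SPDX packages array, and lists any package that no relationship points at. The SPDX document and Cargo.toml below are constructed samples that use the same field names (`name`, `SPDXID`, `relatedSpdxElement`) seen in the jq output; the SPDXIDs are placeholders, and the Cargo.toml parser is a deliberately minimal line-based one.

```python
import json

# Constructed sample shaped like sbom-tool's manifest.spdx.json (assumption:
# same field names as the jq output in the issue; SPDXIDs are placeholders).
SAMPLE_SPDX = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "policy-server", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0"},
        {"name": "libc", "SPDXID": "SPDXRef-Package-AAA", "versionInfo": "0.2.126"},
        {"name": "tempfile", "SPDXID": "SPDXRef-Package-BBB", "versionInfo": "3.3.0"},
        {"name": "cfg-if", "SPDXID": "SPDXRef-Package-CCC", "versionInfo": "1.0.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-AAA"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-BBB"},
    ],
})

# Constructed Cargo.toml for the same hypothetical crate.
SAMPLE_CARGO_TOML = """
[package]
name = "policy-server"
version = "1.0.0"

[dependencies]
libc = "0.2"
tempfile = "3"
serde = { version = "1", features = ["derive"] }
tokio = { version = "1", features = ["full"] }

[dev-dependencies]
assert_cmd = "2"
"""


def cargo_direct_dependencies(toml_text):
    """Names listed under [dependencies]. Minimal line-based parser: it ignores
    dev/build dependencies, comments and inline tables spanning several lines."""
    deps = set()
    in_section = False
    for line in toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == "[dependencies]"
            continue
        if in_section and "=" in stripped and not stripped.startswith("#"):
            deps.add(stripped.split("=", 1)[0].strip().strip('"'))
    return deps


def missing_dependencies(spdx_text, expected_names):
    """Expected dependency names that have no package entry in the SPDX file."""
    doc = json.loads(spdx_text)
    present = {p["name"] for p in doc.get("packages", [])}
    return set(expected_names) - present


def unreferenced_packages(spdx_text):
    """SPDXIDs of packages that no relationship points at (a package with no
    incoming DEPENDS_ON/DESCRIBES edge is invisible to any dependency walk)."""
    doc = json.loads(spdx_text)
    referenced = {r["relatedSpdxElement"] for r in doc.get("relationships", [])}
    return sorted(p["SPDXID"] for p in doc.get("packages", [])
                  if p["SPDXID"] not in referenced)


if __name__ == "__main__":
    expected = cargo_direct_dependencies(SAMPLE_CARGO_TOML)
    print("missing from SPDX:", sorted(missing_dependencies(SAMPLE_SPDX, expected)))
    print("never referenced:", unreferenced_packages(SAMPLE_SPDX))
```

Run against a real manifest by replacing the two constants with the contents of `_manifest/spdx_2.2/manifest.spdx.json` and the crate's Cargo.toml; a non-empty `missing_dependencies` result reproduces the gap the post describes.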
I'm using a Windows 11 machine. I've downloaded the installer executable from the Releases section and run it after going over the security dialogue.
The console application closes almost instantly and I can't find any 'generate' command.
It would be an excellent feature to add a flag, maybe -generate-webpage, that would include an HTML page that is directly connected to the json file path at the same root.
Similar to how you can generate a webpage with MSIX's .appinstaller. As a simple example:
```html
<html>
<head>
  <meta charset="utf-8"/>
  <title>SBOM</title>
  <link rel="stylesheet" href="https://kendo.cdn.telerik.com/2022.2.621/styles/kendo.default-v2.min.css"/>
  <script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
  <script src="https://kendo.cdn.telerik.com/2022.2.621/js/kendo.all.min.js"></script>
</head>
<body>
  <div id="files-grid"></div>
  <div id="packages-grid"></div>
  <script>
  $(function() {
    // THIS LOADS THE JSON INTO AN EASY TO READ DATAGRID.
    // The grids are created inside the callback so that they are bound to the
    // data only after the manifest has actually been fetched.
    $.getJSON('/manifest.spdx.json', function(data) {
      var files = data.files || [];
      var packages = data.packages || [];

      $("#files-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "fileName", title: "File Name" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: files,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                fileName: { type: "string", editable: false }
              }
            }
          }
        }
      });

      $("#packages-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "name", title: "Package" },
          { field: "versionInfo", title: "Version" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: packages,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                name: { type: "string", editable: false },
                versionInfo: { type: "string", editable: false }
              }
            }
          }
        }
      });
    });
  });
  </script>
</body>
</html>
```
Hello,
I'm currently trying to see how we can use the sbom tool for our different software development platforms that use .netcore as well as python heavily.
I was trying to use the tool with a python project that pulls in modules from a private pypi repository. Unfortunately the tool does not seem to recognise either the PIP_CONFIG_FILE or the PIP_EXTRA_INDEX_URLS.
Is there a way to use private repositories as well? I did not find anything within the docs.
Thanks
I am using a Mac M1 and when I start sbom-tool, I get an error message telling me that the shared library MonoPosixHelpers is not found.
MacOS version is 12.5.1
We have a requirement for the integration of a Vendor assessment questionnaire or Vendor management. Is there any option in sbom tool for this purpose?
When trying to run salus on a go project, after Scan Manifest file I get the mentioned error. I tried with one of my own and another open source project, both fail.
I attach the scan files for you, just in case you need them to give me a hint. Thanks for looking into this.
ScanManifest_20220714111446.txt
ScanManifest_20220714110630.txt
Trying to use this tooling (linux binary) in WSL.
I've curled the link from the releases page:
curl -Lo salus https://github.com/microsoft/sbom-tool/releases/download/v0.1.2/sbom-tool-linux-x64
chmod +x salus
mv salus /usr/local/bin
So far anything I attempt to run results in /usr/local/bin/salus: 1: Not: not found, even commands like salus -h. Specifying verbosity doesn't change the outcome.
Any pointers?
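The message `/usr/local/bin/salus: 1: Not: not found` is what a POSIX shell prints when it is asked to execute a file that has no ELF header and whose first word is `Not`: the shell falls back to interpreting the file as a script and fails on line 1. That is consistent with a download that saved an HTTP error body instead of the binary (curl without `-f` writes a 404 page to the output file and exits 0). The script below is an added example, not part of the issue or of the sbom-tool project, of the check a practitioner should run on any downloaded release asset before `chmod +x`: confirm the file really is an ELF executable and that its SHA-256 matches a checksum obtained from a trusted channel. The sample files are constructed in a temporary directory, and the "published" checksum in the demo is computed from the sample itself purely to exercise the comparison.

```python
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def classify_bytes(head):
    """'elf' for an ELF header, 'text' for an HTTP error body or HTML page,
    otherwise 'unknown'. Only the first few dozen bytes are needed."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    lowered = head.lstrip().lower()
    if (lowered.startswith(b"not found") or lowered.startswith(b"<!doctype")
            or lowered.startswith(b"<html")):
        return "text"
    return "unknown"


def classify_download(path):
    """Classify a file on disk by its leading bytes."""
    with open(path, "rb") as fh:
        return classify_bytes(fh.read(64))


def sha256_of(path):
    """Streamed SHA-256 so large release assets are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release_asset(path, expected_sha256):
    """Accept the file only if it is an ELF binary AND its digest matches the
    checksum the operator obtained out of band (assumption: such a checksum
    exists; sbom-tool's own release layout is not described in the issue)."""
    if classify_download(path) != "elf":
        return False
    return sha256_of(path) == expected_sha256.lower()


def demo():
    """Constructed samples: a saved 404 body and a minimal ELF-headed file."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "salus-404")
        bad.write_bytes(b"Not Found")
        good = Path(tmp, "salus-elf")
        good.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
        trusted_digest = sha256_of(good)  # stands in for a published checksum
        return (classify_download(bad), classify_download(good),
                verify_release_asset(bad, trusted_digest),
                verify_release_asset(good, trusted_digest))


if __name__ == "__main__":
    print(demo())  # prints ('text', 'elf', False, True)
```

For the actual download, `curl -fLo salus <url>` makes curl exit non-zero on an HTTP error instead of writing the error page to `salus`; the classification check above then catches the cases where the transport succeeded but the content is not what was expected.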
When attempting to generate sbom for a binary drop from a file server, I often have to make multiple attempts before I can successfully generate an sbom. This leads to building a lot of infrastructure in a lot of places to support what is perceived as a "flaky" tool. Additionally, we have to make different design decisions when we cannot reliably generate an SBOM from a (secured) network share and must instead ensure that all sbom generation is done against local binaries. This is particularly true on larger drops.
##[debug]Starting SBOM generation workflow.
##[debug]Using the FileListBasedFileToJsonProvider provider for the files workflow.
##[debug]Enumerating all files from listFile.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop1\raw\09037.00\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz'
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz'
Adding wait / retries to file access calls would improve the reliability and ease adoption of this tool.
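The report above asks for waits and retries around file access on a network share. As an added example (not code from the issue or from sbom-tool), the function below hashes a file obtained through an `open_fn` callback and retries `OSError` with bounded exponential backoff, so a transient "network path was not found" does not fail the whole run while a persistent one still surfaces after the last attempt. `FlakyShareFile` is a constructed stand-in that fails a configurable number of opens before succeeding; the `sleep` parameter exists so the demo (and a test) can run without real delays.

```python
import hashlib
import io
import time


class FlakyShareFile:
    """Constructed stand-in for a file on an unreliable network share: the
    first `failures` opens raise OSError, later opens return the content."""

    def __init__(self, content, failures):
        self.content = content
        self.failures = failures
        self.calls = 0

    def open(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise OSError("The network path was not found.")
        return io.BytesIO(self.content)


def sha256_with_retry(open_fn, attempts=5, base_delay=0.5, sleep=time.sleep):
    """Stream-hash the file returned by open_fn, retrying OSError with
    exponential backoff. Returns (hex digest, attempts used); re-raises the
    last OSError once `attempts` is exhausted so a permanent failure is not
    silently hidden."""
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            with open_fn() as fh:
                digest = hashlib.sha256()
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            return digest.hexdigest(), attempt
        except OSError as exc:
            last_error = exc
            if attempt < attempts:
                sleep(base_delay * 2 ** (attempt - 1))  # 0.5s, 1s, 2s, ...
    raise last_error


def demo():
    """Two constructed scenarios: recovers after two failures; gives up on a
    share that never comes back."""
    recovering = FlakyShareFile(b"abc", failures=2)
    digest, tries = sha256_with_retry(recovering.open, sleep=lambda _: None)
    dead = FlakyShareFile(b"abc", failures=10)
    try:
        sha256_with_retry(dead.open, attempts=3, sleep=lambda _: None)
        exhausted = False
    except OSError:
        exhausted = True
    return digest, tries, exhausted, dead.calls


if __name__ == "__main__":
    print(demo())
```

Wiring this into a real run means passing `lambda: open(path, "rb")` as `open_fn`; the retry budget should be capped (here five attempts, under ten seconds of waiting) so a genuinely missing file still fails the build promptly.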
M1 Mac running Monterey (Mac OS 12.4).
Installed .NET. (https://docs.microsoft.com/en-us/dotnet/core/install/macos).
Set environment (DOTNET_ROOT).
Proved .NET installation works by creating 'hello world'. (https://docs.microsoft.com/en-us/dotnet/core/get-started)
Clone sbom-tool. cd into sbom-tool.
Attempt dotnet build. Fails on SDK mismatch, but helpfully tells me to update global.json.
Updated the global.json sdk version to 6.0.302, which is the current .NET install for Mac.
Attempt dotnet build. Hit collection of NU1301 errors for a failed build.
A quick search of NU1301 (https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1301) suggests I 'contact the source owner' or try 'removing source that might not be needed.'
As I don't know the source I'm not about to try removing source files.
Rest of the report is the build output:
$ dotnet build
Microsoft (R) Build Engine version 17.2.0+41abc5629 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.
Determining projects to restore...
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj (in 393 ms).
The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj (in 451 ms).
The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj (in 451 ms).
Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj (in 470 ms).
Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj (in 581 ms).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 46BD96B6-F24E-4F0B-89B2-1A7063459E16)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F689-970D-431E-9CB6-887C3CD827C8)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F75E-970D-431E-9CB6-887C3CD827C8)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230EAD-1C06-4EED-B0EC-B0905F5B19DD)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F742-970D-431E-9CB6-887C3CD827C8)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E91-1C06-4EED-B0EC-B0905F5B19DD)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E98-1C06-4EED-B0EC-B0905F5B19DD)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F739-970D-431E-9CB6-887C3CD827C8)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F733-970D-431E-9CB6-887C3CD827C8)).
Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E8D-1C06-4EED-B0EC-B0905F5B19DD)).
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj (in 13.72 sec).
Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj (in 13.72 sec).
Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj (in 13.27 sec).
Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj (in 13.31 sec).
Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj (in 13.72 sec).
Build FAILED.
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
0 Warning(s)
10 Error(s)
Time Elapsed 00:00:15.46
In two sample CI pipelines, one using Azure DevOps and one using GitHub Actions (both linux agents), I've so far found that salus -h hangs indefinitely until the task/step is canceled by the pipeline or a user (up to 60 min on AzDO, 20 min on GH - just hitting standard pipeline timeouts), but a properly parameter-supplied salus generate command can run fine.
Both systems have logging output of:
scripts/salus-install.sh: line 22: 1660 Killed salus -h
and report exit code 137.
While I've had unrelated (I think) issues running Salus locally, running salus -h in an Azure Cloud Shell session works fine and returns promptly, so the error is not solely with the command.
Create a GitHub Action to install and/or run the SBOM tool.
This doesn't need to be overly complex, and I would look to examples like sigstore/cosign-installer which has achieved this with a Bash script (No TypeScript/JavaScript required!)
I'm feeling dumb, but it seems like the instructions say to install a NuGet package without explaining what the package is for or how to use it.
When I run the tool a second time, I get this error message:
$ ./sbom-tool-linux-x64 generate [...]
##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to create manifest directory at path ./_manifest. Error: The BuildDropRoot folder already contains a _manifest folder. Please delete this folder before running the generation or set the DeleteManifestDirIfPresent environment variable to 'true' to overwrite this folder.
The DeleteManifestDirIfPresent environment variable is not set, but it deletes the folder anyway.
I've tested it after setting DeleteManifestDirIfPresent as described and it works as expected.
Make any changes in the IConfiguration.cs file, and that will trigger the gendocs build, however the build currently hangs without showing any error.
Running locally on Ubuntu, the build fails with this error, the package is already present in the feed:
/usr/share/dotnet/sdk/3.1.420/Sdks/Microsoft.NET.Sdk/targets/Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1064: Package Microsoft.CodeAnalysis.VersionCheckAnalyzer, version 3.3.0 was not found. It might have been deleted since NuGet restore. Otherwise, NuGet restore might have only partially completed, which might have been due to maximum path length restrictions.
[INFO] Scan Manifest file: /tmp/ScanManifest_20220809093029.json
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path xxx/frontend.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path xxx/frontend/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using cached CD scan result for the call with the same arguments
##[debug]Encountered an error while generating json for packageInfo : Value cannot be null. (Parameter 'packageInfo')
When I use the sbom tool to scan a node related docker image, I encounter this problem. It seems to be a parse error. How should I fix it? BTW, the command is below:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
Hey there,
I am working on generating an SBOM for a GitHub Action that sets up this SBOM-Tool in a convenient way (see: https://github.com/philips-software/sbom-tool-installer-action). After generating the SBOM, I noticed that the supplier field of the RootPackage is set to Organization: Microsoft, which seems incorrect.
There should be a parameter to control this value.
I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772
Command 1 : sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NPM -nsb "https://mycompany.com"
What I expect: the generator should automatically pick the package name and package version from my folder/project/repo
What is happening: ##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to generate a package version based on provided parameters. Please provide the package version in the 'PackageVersion' parameter.
Command 2: sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NpmWithRoots -pv 1.0 -nsb "https://mycompany.com"
Error message: Required argument missing for option: --verbosity
Can you please elaborate on the usage of -pv and -pn? It would be helpful if you gave us an example.
ENV: Ubuntu-20.04
Encountered error while running ManifestTool generation workflow. Error: Unable to load shared library 'MonoPosixHelper' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libMonoPosixHelper: cannot open shared object file: No such file or directory
In the same environment, when I used sbom-tool v0.1.13 to scan source code, it generated the SBOM file correctly. But it encounters the error above when I use sbom-tool v0.2.0. How do I fix it? The command is as follows:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
Add a timeout while calling the CD code so that we don't spend more than 6 minutes running their code and to prevent any hangs.
Hi,
I'm in the process of testing whether sbom-tool could satisfy our requirements for auto-generating SBOMs during pipeline executions. I've tried on several internal projects and consistently find that the generated SBOM yields NOASSERTION on license information.
Example requirements.txt file:
graphviz
PyYAML
Jinja2
Cerberus
Yields:
{
"files": [],
"packages": [
{
"name": "MarkupSafe",
"SPDXID": "SPDXRef-Package-A3EF6C57C1136846E9D7C7A38506BE704CC0BB74D7E00D4E1CAB1750FF8DA78D",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "2.1.1",
"externalRefs": [
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:pypi/markupsafe%402.1.1"
}
],
"supplier": "NOASSERTION"
},
{
"name": "Cerberus",
"SPDXID": "SPDXRef-Package-321281AF12101511BB74C614AB9A7F87091E83CA804C4E0E31478B33D5C422FE",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "1.3.4",
"externalRefs": [
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:pypi/cerberus%401.3.4"
}
],
"supplier": "NOASSERTION"
},
{
"name": "graphviz",
"SPDXID": "SPDXRef-Package-08DDAAAC542BB734BA5B8613D10207BC5FBA8E3A7A15548EB9D52744ED03EA7C",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "0.20.1",
"externalRefs": [
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:pypi/graphviz%400.20.1"
}
],
"supplier": "NOASSERTION"
},
...
I'm unsure whether I'm doing something incorrectly here. The sbom is generated by the following pipeline step:
...
- script: |
    curl -Lo $(Agent.TempDirectory)/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
    chmod +x $(Agent.TempDirectory)/sbom-tool
    $(Agent.TempDirectory)/sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc $(System.DefaultWorkingDirectory) -pn projectname -V Verbose -nsb https://some.url.here.noexist -pv $(versionNumber)
  displayName: Generate SBOM
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'
I want to generate SBOM for a docker image, but the command line requires multiple parameters according to this sample, which looks complicated. Is there a simple way to generate SBOM for a docker image like Docker Sbom?
It would be nice to be able to verify that releases of sbom-tool are built by CI, e.g. by using sigstore to sign the binaries.
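The pipeline step quoted a few posts above pulls releases/latest/download and runs whatever comes back, and the request just above asks for signed releases. Until release signatures exist, a pipeline can at least pin a release tag and refuse to run a binary whose SHA-256 does not match the digest the team recorded when it vetted that release. The following is an added example written for this page, not code from sbom-tool or from either issue author. It assumes the asset name sbom-tool-linux-x64 from the step above and GitHub's releases/download/<tag>/<asset> URL layout, and it assumes the caller supplies both the tag and the expected digest; nothing here claims the project publishes checksums.

```python
import hashlib
import os
import stat
import urllib.request

# GitHub's layout for assets attached to a tagged release; asset name as used on this page.
RELEASE_URL = "https://github.com/microsoft/sbom-tool/releases/download/{tag}/{asset}"


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """True only if the file's digest equals the pinned one (hex compared case-insensitively)."""
    return sha256_file(path) == expected_hex.strip().lower()


def fetch_pinned(tag, expected_sha256, dest, asset="sbom-tool-linux-x64"):
    """Download a pinned release asset and keep it only if its digest matches.

    'latest' is refused on purpose: the tag and the digest must both come from the
    caller's pinned configuration. On mismatch the partial file is deleted and
    ValueError is raised, so a later 'generate' step cannot run an unverified binary.
    """
    if tag == "latest":
        raise ValueError("pin a release tag, not 'latest'")
    partial = dest + ".part"
    urllib.request.urlretrieve(RELEASE_URL.format(tag=tag, asset=asset), partial)
    try:
        if not verify_sha256(partial, expected_sha256):
            raise ValueError(f"SHA-256 mismatch for {tag}/{asset}; refusing to install")
        os.replace(partial, dest)
    finally:
        if os.path.exists(partial):
            os.remove(partial)
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR)
    return dest


if __name__ == "__main__":
    # Both values live in pipeline configuration (assumed variable names SBOM_TOOL_TAG and
    # SBOM_TOOL_SHA256), so a changed upstream binary fails the build instead of being used.
    fetch_pinned(os.environ["SBOM_TOOL_TAG"], os.environ["SBOM_TOOL_SHA256"],
                 os.environ.get("SBOM_TOOL_DEST", "./sbom-tool"))
```

In the Azure Pipelines step above this would replace the curl and chmod lines, with the tag and digest coming from pipeline variables rather than from the network; updating the tool then becomes a reviewed change to those two values.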
After Dec 3 2022 .NET 3.1 will no longer be supported or patched.
Related to microsoft/component-detection#107
Using the SPDX online tool to verify the generated SPDX file gives a warning:
The referencecategory should be PACKAGE-MANAGER instead of PACKAGE_MANAGER.
When doing a package restore, I see a lot of 401 responses from some package source that's in use.
Any idea what I should do to be able to compile this?
C:\Program Files\dotnet\sdk\3.1.421\NuGet.targets(128,5): error : Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C792FB8-970D-431E-9CB6-887C3CD827C8)). [REDACTED\microsoft\sbom-tool\Microsoft.Sbom.sln]
Using the v0.1.2 release binaries, this happens equally on macOS (12.4) and Debian x86 (10.10):
##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.
When I give the -m option, a .json file stays around which is incomplete.
It happens with all node / vue projects I tried and also on an Xcode project.
I can reproduce it on a freshly created directory where just "npm init" has been run:
bkr@home package-test % cat package.json
{
"name": "test",
"version": "1.0.0",
"description": "Some Test",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}
bkr@home package-test % mkdir mani ; ~/Downloads/sbom-tool-osx-x64 generate -b $PWD -pn test -pv 1.0.0 -V Verbose -m mani
##[debug]Starting SBOM generation workflow.
##[debug]Using the CGScannedExternalDocumentReferenceFileProvider provider for the files workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path /home/bkr/package-test.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 0 package elements in the SBOM.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 1 relationship elements in the SBOM.
##[debug]Building the header object.
##[debug]Found value for header SBOMToolName in internal metadata.
##[debug]Found value for header SBOMToolVersion in internal metadata.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.
##[information]Finished execution of the Generate workflow SBOMTelemetry {Result=Failure, Errors=ErrorContainer1 {Count=0, Errors=[]}, Parameters=Configuration {BuildDropPath=ConfigurationSetting1 {Value="/home/bkr/package-test", Source=CommandLine, IsDefaultSource=False}, BuildComponentPath=null, BuildListFile=null, ManifestPath=null, ManifestDirPath=ConfigurationSetting1 {Value="mani/_manifest", Source=CommandLine, IsDefaultSource=False}, OutputPath=null, Parallelism=ConfigurationSetting1 {Value=8, Source=Default, IsDefaultSource=True}, Verbosity=ConfigurationSetting1 {Value=Verbose, Source=CommandLine, IsDefaultSource=False}, ConfigFilePath=null, ManifestInfo=ConfigurationSetting1 {Value=null, Source=Default, IsDefaultSource=True}, HashAlgorithm=ConfigurationSetting1 {Value=AlgorithmName {Name="SHA256"}, Source=Default, IsDefaultSource=True}, RootPathFilter=null, CatalogFilePath=null, ValidateSignature=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, IgnoreMissing=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, ManifestToolAction=Generate, PackageName=ConfigurationSetting1 {Value="test", Source=CommandLine, IsDefaultSource=False}, PackageVersion=ConfigurationSetting1 {Value="1.0.0", Source=CommandLine, IsDefaultSource=False}, FilesList=null, PackagesList=null, TelemetryFilePath=null, DockerImagesToScan=null, ExternalDocumentReferenceListFile=null, AdditionalComponentDetectorArgs=null, NamespaceUriUniquePart=null, NamespaceUriBase=null, GenerationTimestamp=null, FollowSymlinks=ConfigurationSetting1 {Value=True, Source=Default, IsDefaultSource=True}}, SBOMFormatsUsed=[SBOMFile {SbomFormatName=ManifestInfo {Name="SPDX", Version="2.2"}, SbomFilePath="mani/_manifest/spdx_2.2/manifest.spdx.json", FileSizeInBytes=1445}], Timings=[Timing {EventName="Metadata build time for SPDX:2.2 format", TimeSpan="00:00:00.0034268"}, Timing {EventName="Relationships generation time", TimeSpan="00:00:00.0138172"}, Timing {EventName="External document reference generation time", TimeSpan="00:00:00.0063242"}, Timing {EventName="Packages generation time", TimeSpan="00:00:00.0175062"}, Timing {EventName="Files generation time", TimeSpan="00:00:00.1520830"}, Timing {EventName="Total generation time", TimeSpan="00:00:00.2799799"}], Switches={}, Exceptions={["System.NullReferenceException"]="Object reference not set to an instance of an object."}}
bkr@home package-test % cat mani/_manifest/spdx_2.2/manifest.spdx.json
{
"files": [
{
"fileName": "./package.json",
"SPDXID": "SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "2e1036c9cd8992fb4e5c98e0a11e75bd5d16b396fafb84629c2e1fdad048c072"
},
{
"algorithm": "SHA1",
"checksumValue": "65b7ccbbce5b9e193ba5fa98fdcdb66375b702f3"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}
],
"packages": [
{
"name": "test",
"SPDXID": "SPDXRef-RootPackage",
"downloadLocation": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": "beb0b63fa2f5923950df28ab8bfc17eef01af2a2"
},
"filesAnalyzed": true,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "1.0.0",
"supplier": "Organization: Microsoft",
"hasFiles": [
"SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3"
]
}
],
"externalDocumentRefs": [],
"relationships": [
{
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-RootPackage",
"spdxElementId": "SPDXRef-DOCUMENT"
}
]%
bkr@home package-test % jq . mani/_manifest/spdx_2.2/manifest.spdx.json
parse error: Unfinished JSON term at EOF at line 52, column 3
Is there a way to filter out dependencies? In my case I want to include only production dependencies and opt out dev/stage dependencies. Is that a possible option? I believe by default Microsoft SBOM generator will capture all dependencies and generate BOM.
The name "Salus" is already an established security tool, which among other things generates CycloneDX SBOMs from dependency manifests. Salus is a project from Coinbase, and has been listed on the CycloneDX Tool Center for quite some time now.
https://github.com/coinbase/salus
Microsoft Salus creates confusion in the market and should be renamed.
Hey there,
I am working on generating an SBOM for a GitHub Action that sets up this SBOM-Tool in a convenient way (see: https://github.com/philips-software/sbom-tool-installer-action). After generating the SBOM, I noticed that the license field of the RootPackage is set to NOASSERTION. This might be intended as this feature might not be implemented yet. However, I would really appreciate at least a parameter to set the LICENSE of the RootPackage. In the case of the installer-action, the license is actually set properly within GitHub and the package.json
I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772
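Several of the reports on this page concern the content of the emitted manifest.spdx.json rather than the generator crashing: a RootPackage whose supplier is "Organization: Microsoft" and whose license is NOASSERTION regardless of the project, dependency packages with no license or download information, a referenceCategory spelling the SPDX online tool warns about, and a file cut off before its closing brace that jq rejects. A consumer in CI should catch all of these before the SBOM is published or attached to a release. The following checker is an added example written for this page, not code from sbom-tool or from any of the issue authors. The sample manifest inside it is constructed in the shape of the output quoted above; the expected supplier and license are whatever the consuming team wants to enforce; and the referenceCategory spelling is a parameter, because the page only records that a validator warned, not which spelling the validator in use requires.

```python
import json

# Value seen in the RootPackage of the manifests quoted in the issues above.
TOOL_DEFAULT_SUPPLIER = "Organization: Microsoft"
NOASSERTION = "NOASSERTION"
ROOT_ID = "SPDXRef-RootPackage"


def parse_manifest(text):
    """Return (doc, None) for valid JSON, or (None, reason) for a truncated/invalid file."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg} (truncated file?)"


def root_package(doc):
    """The package the document describes, or None if it is missing."""
    return next((p for p in doc.get("packages", []) if p.get("SPDXID") == ROOT_ID), None)


def packages_without_license(doc):
    """Names of non-root packages whose concluded and declared licenses are both NOASSERTION."""
    return [
        p.get("name", "?")
        for p in doc.get("packages", [])
        if p.get("SPDXID") != ROOT_ID
        and p.get("licenseConcluded", NOASSERTION) == NOASSERTION
        and p.get("licenseDeclared", NOASSERTION) == NOASSERTION
    ]


def mismatched_reference_categories(doc, expected="PACKAGE_MANAGER"):
    """(package, category) pairs that differ from `expected` only in hyphen/underscore spelling,
    which is the warning the SPDX online tool raised above. Pass the spelling your validator wants."""
    wanted = expected.replace("-", "_").upper()
    return [
        (p.get("name", "?"), ref.get("referenceCategory", ""))
        for p in doc.get("packages", [])
        for ref in p.get("externalRefs", [])
        if ref.get("referenceCategory") != expected
        and ref.get("referenceCategory", "").replace("-", "_").upper() == wanted
    ]


def check_manifest(text, expected_supplier, expected_license=None, reference_category="PACKAGE_MANAGER"):
    """Run every check; return a list of findings (an empty list means the manifest passed)."""
    doc, err = parse_manifest(text)
    if err:
        return [err]
    findings = []
    root = root_package(doc)
    if root is None:
        findings.append(f"no {ROOT_ID} element")
    else:
        supplier = root.get("supplier")
        if supplier != expected_supplier:
            note = " (tool default)" if supplier == TOOL_DEFAULT_SUPPLIER else ""
            findings.append(f"root supplier is {supplier!r}{note}, expected {expected_supplier!r}")
        if expected_license and root.get("licenseDeclared") != expected_license:
            findings.append(f"root licenseDeclared is {root.get('licenseDeclared')!r}, expected {expected_license!r}")
    if not any(
        r.get("relationshipType") == "DESCRIBES"
        and r.get("spdxElementId") == "SPDXRef-DOCUMENT"
        and r.get("relatedSpdxElement") == ROOT_ID
        for r in doc.get("relationships", [])
    ):
        findings.append(f"SPDXRef-DOCUMENT has no DESCRIBES relationship to {ROOT_ID}")
    unlicensed = packages_without_license(doc)
    if unlicensed:
        findings.append(f"{len(unlicensed)} package(s) with no license information: {', '.join(unlicensed)}")
    for name, cat in mismatched_reference_categories(doc, reference_category):
        findings.append(f"{name}: referenceCategory {cat!r}, validator expects {reference_category!r}")
    return findings


# Constructed sample, not a real manifest: shaped like the sbom-tool output quoted above.
SAMPLE_MANIFEST = json.dumps({
    "packages": [
        {"name": "test", "SPDXID": ROOT_ID, "supplier": "Organization: Microsoft",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "versionInfo": "1.0.0"},
        {"name": "MarkupSafe", "SPDXID": "SPDXRef-Package-1", "versionInfo": "2.1.1",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/markupsafe%402.1.1"}]},
        {"name": "Cerberus", "SPDXID": "SPDXRef-Package-2", "versionInfo": "1.3.4",
         "licenseConcluded": "ISC", "licenseDeclared": "ISC", "externalRefs": []},
    ],
    "relationships": [{"relationshipType": "DESCRIBES", "relatedSpdxElement": ROOT_ID,
                       "spdxElementId": "SPDXRef-DOCUMENT"}],
})

if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST, "Organization: Example Corp", "ISC", "PACKAGE-MANAGER"):
        print("FINDING:", line)
    # A file cut off before its closing brace, like the one jq rejected above:
    print(check_manifest(SAMPLE_MANIFEST[:-1], "Organization: Example Corp"))
```

Run against the real manifest.spdx.json as a gate after the generate step and fail the job on any finding; the truncated-file case is worth treating as a hard failure even if the others are only warnings, since a partial SBOM looks complete to anything that does not parse it strictly.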
As I found, sbom-tool uses component-detection to scan for components and dependencies, which supports both requirements.txt and poetry.lock. But when I scanned the project with poetry.lock, it didn't work, regardless of scanning an image or source code. It can generate the SBOM file correctly when I change poetry.lock to requirements.txt. What's the problem? The commands are as follows:
For source code:
salus Generate -b ./test -bc ./test -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
For docker image:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
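Two of the reports above are about what goes into the package scan rather than about the SBOM itself: a poetry.lock project yields no packages while the same dependencies in a requirements.txt do, and there is no switch to leave development dependencies out. One workaround that fits both is to derive a pinned requirements.txt from poetry.lock in the pipeline, dropping dev packages, and point the scan at that. The following is an added example written for this page, not code from sbom-tool, component-detection or the issue authors. It assumes the [[package]] tables with name, version and category keys that older Poetry versions write into poetry.lock (later versions dropped the category key, in which case every package is kept); the sample lock file is constructed.

```python
import re

# Constructed sample in the shape of a poetry.lock written by an older Poetry (has "category").
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "cerberus"
version = "1.3.4"
description = "Lightweight, extensible schema and data validation tool"
category = "main"
optional = false
python-versions = ">=2.7"

[[package]]
name = "pytest"
version = "7.1.2"
description = "pytest: simple powerful testing with Python"
category = "dev"
optional = false
python-versions = ">=3.7"

[package.dependencies]
pluggy = ">=0.12,<2.0"

[[package]]
name = "pyyaml"
version = "6.0"
description = "YAML parser and emitter for Python"
category = "main"
optional = false
python-versions = ">=3.6"

[metadata]
lock-version = "1.1"
python-versions = "^3.8"
content-hash = "0000"
"""

# Only simple `key = "string"` lines are read; multi-line strings and sub-tables are skipped.
_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')


def parse_poetry_lock(text):
    """Return one dict per [[package]] table, containing its simple string keys."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            # [metadata], [package.dependencies], [package.extras] ... are not package headers,
            # so their keys must not be attributed to the package being read.
            current = None
        elif current is not None:
            m = _KV.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def to_requirements(text, include_dev=False):
    """Render pinned `name==version` lines, leaving out dev packages unless asked for.

    A package with no category key (newer lock files) is treated as a main dependency.
    """
    lines = []
    for pkg in parse_poetry_lock(text):
        if not include_dev and pkg.get("category", "main") != "main":
            continue
        lines.append(f"{pkg['name']}=={pkg['version']}")
    return "\n".join(sorted(lines)) + "\n"


if __name__ == "__main__":
    # Write the derived file next to the sources, then run `sbom-tool generate` against that tree.
    with open("requirements.txt", "w") as fh:
        fh.write(to_requirements(SAMPLE_POETRY_LOCK))
```

Because the derived file pins exact versions, the purls in the resulting SBOM match what poetry.lock resolved rather than whatever a loose requirements.txt might allow; the price is that the file is an artifact of the build and should be regenerated, not edited, on each run.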
Hiya,
I'm running the tool with -V Error and still getting output tagged [INFO].
My guess is that you're missing an [ArgShortcut("V")] attribute from CommonArgs.cs?
sbom-tool is able to generate sbom for C/C++ projects if it is using cmake
The generated SBOM includes information from the .git folder. Likewise, it would be good to have it ignore the contents of NPM node_modules directories and Maven /target/ directories.
AFAICT, there's no option to exclude these directories from the results.
One option would be to have the tool honour the ignore list specified in .gitignore files.
Note that a .gitignore file itself is a maintained artifact that IMHO should be included in the SBOM.
On Linux I get the following error message.
OS: Fedora 36
Arch: x86_64
winsbom generate -b .
No usable version of libssl was found
Aborted (core dumped)
[INFO] ScanLinuxAsync logged InvalidOperationException: cannot hijack chunked or content length stream
[WARN] Scanning of image sha256:xxxxxxxxxxxxx failed with exception: cannot hijack chunked or content length stream
I encountered the problem above when scanning docker images. How do I fix this?