`merge`-d polyglot SBOM loses dependency graph information
Problem overview
CycloneDX tools vary in their support for dependency graph information. For example, cyclonedx-dotnet @0.19.0 supports it, while cyclonedx-node-module does not due to https://github.com/CycloneDX/cyclonedx-node-module/issues/61.
When merging SBOMs in a polyglot project, such that one or more SBOMs have dependency graph information, the output should ideally preserve that, but it currently does not.
To demonstrate this, two projects will be created: one .NET (dependency graph supported) and one NPM (no dependency graph). Their SBOMs, when uploaded individually to Dependency Track, correctly reflect the dependency graph information, if present.
The two SBOMs are then `merge`-d and the output uploaded. The expectation is that the merged SBOM preserves the input files’ dependency graph information, whereas it currently seems to be lost.
Steps to reproduce
Create a simple .NET project and collect its SBOM:
> dotnet --version
5.0.401
> dotnet cyclonedx --version
2.1.2.0
> mkdir src\csharp && pushd src\csharp
src\csharp> dotnet new console
The template "Console Application" was created successfully.
src\csharp> dotnet add package Serilog.Sinks.File
info : PackageReference for package 'Serilog.Sinks.File' version '5.0.0' added to file 'src\csharp\csharp.csproj'.
info : Writing assets file to disk. Path: src\csharp\obj\project.assets.json
log : Restored src\csharp\csharp.csproj (in 67 ms).
src\csharp> dotnet cyclonedx -ns -dgl -o .. csharp.csproj
» Analyzing: src\csharp\csharp.csproj
Attempting to restore packages
Retrieving Serilog 2.10.0
Retrieving Serilog.Sinks.File 5.0.0
Creating CycloneDX BOM
Writing to: src\bom.xml
Upload src\bom.xml to Dependency Track v4.3.6, confirming that the dependency graph information of the .NET project is present, as expected:
Next, create a simple NPM project and collect its SBOM:
> npm --version
8.0.0
> cyclonedx-bom --version
3.1.1
> mkdir src\js && pushd src\js
src\js> npm init -y
Wrote to src\js\package.json
src\js> npm install jquery --save-dev
added 1 package, and audited 2 packages in 1s
found 0 vulnerabilities
src\js> cyclonedx-bom -ns -d -o ..\bom-js.xml .
Upload src\bom-js.xml to Dependency Track; no dependency graph information is present, and this is expected per https://github.com/CycloneDX/cyclonedx-node-module/issues/61:
Finally, `merge` the individual files into a polyglot SBOM:
> cyclonedx-win-x64 --version
0.19.0
> cyclonedx-win-x64 merge --input-files src\bom.xml src\bom-js.xml --output-file src\bom-polyglot.xml
Processing input file src\bom.xml
Contains 2 components
Processing input file src\bom-js.xml
Contains 1 components
Writing output file...
Total 3 components
Upload src\bom-polyglot.xml to Dependency Track.
Expected results
The dependency graph information present in the input files (e.g. src\bom.xml) is preserved in a `merge`-d polyglot SBOM.
Observed results
Three components are present (as expected), however the dependency graph information is lost:
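The loss described above can be made checkable with the following added Python script, which is not part of the issue or of the CycloneDX CLI: it extracts the (ref, dependsOn) edges from each BOM's <dependencies> block, reports which edges a merged BOM dropped, and shows one way to carry them forward. The sample BOMs are constructed to mirror the report (the jquery version is made up) and the CycloneDX 1.3 XML namespace is an assumption.

```python
import xml.etree.ElementTree as ET

# Assumption: inputs use the CycloneDX 1.3 XML schema; ElementTree needs the namespace to match tags.
CDX = "http://cyclonedx.org/schema/bom/1.3"
NS = {"b": CDX}
ET.register_namespace("", CDX)  # serialise with a default namespace instead of ns0:

# Constructed samples mirroring the report: the .NET BOM carries a graph, the NPM BOM does not
# (jquery version is made up), and the merged BOM has all three components but no <dependencies>.
BOM_DOTNET = f"""<bom xmlns="{CDX}" version="1"><components>
<component type="library" bom-ref="pkg:nuget/Serilog@2.10.0"><name>Serilog</name></component>
<component type="library" bom-ref="pkg:nuget/Serilog.Sinks.File@5.0.0"><name>Serilog.Sinks.File</name></component>
</components><dependencies>
<dependency ref="pkg:nuget/Serilog.Sinks.File@5.0.0"><dependency ref="pkg:nuget/Serilog@2.10.0"/></dependency>
<dependency ref="pkg:nuget/Serilog@2.10.0"/>
</dependencies></bom>"""
BOM_NPM = f"""<bom xmlns="{CDX}" version="1"><components>
<component type="library" bom-ref="pkg:npm/jquery@3.6.0"><name>jquery</name></component>
</components></bom>"""
BOM_MERGED = f"""<bom xmlns="{CDX}" version="1"><components>
<component type="library" bom-ref="pkg:nuget/Serilog@2.10.0"><name>Serilog</name></component>
<component type="library" bom-ref="pkg:nuget/Serilog.Sinks.File@5.0.0"><name>Serilog.Sinks.File</name></component>
<component type="library" bom-ref="pkg:npm/jquery@3.6.0"><name>jquery</name></component>
</components></bom>"""

def dependency_edges(bom_xml: str) -> set[tuple[str, str]]:
    """Return (ref, depends_on) pairs from the BOM's <dependencies> block; no block means no edges."""
    root = ET.fromstring(bom_xml)
    return {(dep.get("ref"), child.get("ref"))
            for dep in root.findall("b:dependencies/b:dependency", NS)
            for child in dep.findall("b:dependency", NS)}

def lost_edges(input_boms: list[str], merged_bom: str) -> set[tuple[str, str]]:
    """Edges declared in any input BOM that the merged BOM no longer carries."""
    expected = set().union(*(dependency_edges(b) for b in input_boms))
    return expected - dependency_edges(merged_bom)

def carry_over_dependencies(input_boms: list[str], merged_bom: str) -> str:
    """Repair a merged BOM by copying each input's <dependency> entries into it (first ref wins)."""
    merged = ET.fromstring(merged_bom)
    deps = merged.find("b:dependencies", NS)
    if deps is None:
        deps = ET.SubElement(merged, f"{{{CDX}}}dependencies")
    seen = {d.get("ref") for d in deps.findall("b:dependency", NS)}
    for bom in input_boms:
        for dep in ET.fromstring(bom).findall("b:dependencies/b:dependency", NS):
            if dep.get("ref") not in seen:
                deps.append(dep)
                seen.add(dep.get("ref"))
    return ET.tostring(merged, encoding="unicode")
```

Running `lost_edges` against the real src\bom.xml, src\bom-js.xml and src\bom-polyglot.xml files gives a concrete pass/fail check for the expected result instead of inspecting the Dependency Track UI.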
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 14 (1 by maintainers)
Top GitHub Comments
OK, seems like you got much further. I’ll try and follow your steps to see if I can make it work.
Did not check about “full”, but randomly clicked open at least half a dozen levels.
“So all for the loss of one horse-shoe nail…”