sbom merged with cyclonedx-cli does not get imported
Current Behavior:
After merging several bom.xml files into a single sbom.xml with cyclonedx-cli, Dependency Track seems not to process it. I get no errors when uploading it and nothing really happens. If instead I upload separately the bom.xml files that I merged, they get processed.
Steps to Reproduce:
Merge the bom.xml files into one:
docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli merge --input-format xml --input-files /tmp/bom_1.xml /tmp/bom_2.xml --output-file /tmp/bom_merged.xml
Upload the file into the Dependency Track project.
Expected Behavior:
Components and dependencies to be recognized.
Environment:
- Dependency-Track Version: v4.3.6
- Distribution: Docker
- BOM Format & Version: XML format, CycloneDX Maven plugin v2.5.3
- Database Server: PostgreSQL
- Browser: Firefox
Additional Details:
None
Top GitHub Comments
I did the validation/analyze with CycloneDX CLI and this is the result:
# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli analyze --input-file /tmp/bom_merged.xml
Analysis results: BOM Version: 1
# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli validate --input-file /tmp/bom_merged.xml
Validating XML BOM... BOM validated successfully.
I will try checking the logs or, if nothing shows up, I will try to set up a dev env for testing.
Thanks
You may be running into https://github.com/DependencyTrack/dependency-track/issues/1214, due to recent cyclonedx-cli versions writing merged output with a UTF-8 BOM (byte-order mark), which DT v4.3.6 rejects as invalid on upload. Due to this mismatch, validating the file with cyclonedx-cli may not flag the issue, but the upload will not be accepted.
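The byte-order mark described in the comment above is invisible to most editors and to `cyclonedx-cli validate`, so the practical check before uploading a merged file is to look at its first three bytes. The script below is an added example, not code from the issue, from cyclonedx-cli or from Dependency-Track: it detects a leading UTF-8 BOM (EF BB BF), strips it, and counts the `<component>` elements as a sanity check that the merge actually carried the components over. The minimal CycloneDX 1.3 document embedded in it is constructed for illustration; the namespace handling is generic so it works for any CycloneDX XML version.

```python
"""Detect and strip a leading UTF-8 byte-order mark from a merged CycloneDX
XML SBOM before uploading it to Dependency-Track, then count its components.

Added example, not part of the GitHub issue, cyclonedx-cli or Dependency-Track.
The sample SBOM below is constructed for illustration only.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"  # the three bytes a BOM-prefixed file starts with

# Constructed minimal merged BOM (CycloneDX 1.3 namespace, as the Maven plugin
# 2.5.x emits). SAMPLE_WITH_BOM mimics a file written with a UTF-8 BOM.
SAMPLE_BOM_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library">
      <group>org.example</group><name>lib-a</name><version>1.0.0</version>
    </component>
    <component type="library">
      <group>org.example</group><name>lib-b</name><version>2.1.0</version>
    </component>
  </components>
</bom>
"""
SAMPLE_WITH_BOM = UTF8_BOM + SAMPLE_BOM_XML


def has_utf8_bom(data: bytes) -> bool:
    """True if the content starts with the UTF-8 byte-order mark."""
    return data[:3] == UTF8_BOM


def strip_utf8_bom(data: bytes) -> bytes:
    """Return the content without a leading BOM; a no-op if there is none."""
    return data[3:] if has_utf8_bom(data) else data


def count_components(data: bytes) -> int:
    """Parse the SBOM (BOM stripped first) and count <component> elements.

    The CycloneDX namespace is taken from the root tag so this works for
    any schema version rather than hard-coding 1.3.
    """
    root = ET.fromstring(strip_utf8_bom(data))
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    tag = f"{{{ns}}}component" if ns else "component"
    return sum(1 for _ in root.iter(tag))


def clean_bom_file(src: Path, dst: Path) -> bool:
    """Write a BOM-free copy of src to dst; return True if a BOM was removed."""
    data = src.read_bytes()
    dst.write_bytes(strip_utf8_bom(data))
    return has_utf8_bom(data)


if __name__ == "__main__":
    # Usage: python check_sbom_bom.py /path/to/bom_merged.xml [cleaned.xml]
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) >= 2:
        src = Path(sys.argv[1])
        dst = Path(sys.argv[2]) if len(sys.argv) >= 3 else src.with_suffix(".nobom.xml")
        removed = clean_bom_file(src, dst)
        print(f"{src}: BOM present={removed}, wrote {dst}, "
              f"components={count_components(dst.read_bytes())}")
    else:
        print("sample has BOM:", has_utf8_bom(SAMPLE_WITH_BOM))
        print("components:", count_components(SAMPLE_WITH_BOM))
```

Run it against the merged file before the upload; if it reports a BOM, upload the cleaned copy instead (or, from a shell, `tail -c +4 bom_merged.xml > bom_clean.xml` does the same stripping once you have confirmed the first three bytes with `head -c 3 bom_merged.xml | od -An -tx1`).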