
sbom merged with cyclonedx-cli does not get imported

Current Behavior:

After merging several bom.xml files into one sbom.xml with cyclonedx-cli, Dependency Track does not seem to process it. I get no errors when uploading it and nothing really happens. If instead I upload the bom.xml files that I merged separately, they get processed.

Steps to Reproduce:

Merge the bom.xml files into one:

docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli merge --input-format xml --input-files /tmp/bom_1.xml /tmp/bom_2.xml --output-file /tmp/bom_merged.xml

Upload the file into the Dependency Track project.

Expected Behavior:

Components and dependencies to be recognized.

Environment:

  • Dependency-Track Version: v4.3.6
  • Distribution: Docker
  • BOM Format & Version: XML format, CycloneDX Maven plugin v2.5.3
  • Database Server: PostgreSQL
  • Browser: Firefox

Additional Details:

None

Top GitHub Comments

1 reaction
lazyw0lf commented, Feb 11, 2022

I did the validation/analyze with CycloneDX CLI and this is the result:

# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli analyze --input-file /tmp/bom_merged.xml
Analysis results:
BOM Version: 1

# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli validate --input-file /tmp/bom_merged.xml
Validating XML BOM…
BOM validated successfully.

I will try checking the logs or if nothing shows up I will try to set up a dev env for testing.

Thanks

0 reactions
nil4 commented, Feb 12, 2022

You may be running into https://github.com/DependencyTrack/dependency-track/issues/1214, due to recent cyclonedx-cli versions writing merged output with a UTF-8 BOM (byte-order-mark), which DT v4.3.6 rejects as invalid on upload.

Due to this mismatch, validating the file with cyclonedx-cli may not flag the issue, but the upload will not be accepted.
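A pre-upload check for the condition described in the comment above, added here as an example (it is not code from Dependency-Track or cyclonedx-cli): it detects a leading UTF-8 BOM on a merged XML SBOM, strips it, and reports the root element and component/dependency counts. The embedded SBOM is a constructed sample, and the script does not model Dependency-Track's own parser.

```python
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"  # the three bytes a UTF-8 byte-order mark adds before <?xml
CYCLONEDX_NS = "http://cyclonedx.org/schema/bom/"

# Constructed sample: a minimal merged SBOM with a leading BOM (not a real cyclonedx-cli file).
SAMPLE_MERGED = UTF8_BOM + b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/example/example-lib@1.0.0">
      <name>example-lib</name>
      <version>1.0.0</version>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:maven/example/example-lib@1.0.0"/>
  </dependencies>
</bom>
"""

def has_utf8_bom(data: bytes) -> bool:
    """True if the bytes start with EF BB BF, i.e. before the <?xml ?> declaration."""
    return data.startswith(UTF8_BOM)

def strip_utf8_bom(data: bytes) -> bytes:
    """Return the bytes without a leading UTF-8 BOM (unchanged if there is none)."""
    return data[len(UTF8_BOM):] if has_utf8_bom(data) else data

def _local_name(tag: str) -> str:
    """'{http://cyclonedx.org/schema/bom/1.3}component' -> 'component'."""
    return tag.rsplit("}", 1)[-1]

def inspect_sbom(data: bytes) -> dict:
    """Report BOM presence and the basic shape of an XML SBOM before uploading it."""
    root = ET.fromstring(strip_utf8_bom(data))
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    return {
        "bom_present": has_utf8_bom(data),
        "root_is_cyclonedx_bom": _local_name(root.tag) == "bom" and ns.startswith(CYCLONEDX_NS),
        "components": sum(_local_name(e.tag) == "component" for e in root.iter()),
        "dependencies": sum(_local_name(e.tag) == "dependency" for e in root.iter()),
    }

def clean_sbom_file(src: str, dst: str) -> bool:
    """Write a BOM-free copy of src to dst; return True if a BOM was removed."""
    with open(src, "rb") as fh:
        data = fh.read()
    with open(dst, "wb") as fh:
        fh.write(strip_utf8_bom(data))
    return has_utf8_bom(data)
```

Running inspect_sbom on the merged file before upload shows whether the BOM is present; clean_sbom_file writes a copy without it.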
