
Comments (7)

thaarbach commented on August 15, 2024

Is there any update on this issue? After generating an SBoM for a multi-module Gradle project with Java, npm, Python and some other stuff, I got an SBoM containing all dependencies of the project, but if I upload the SBoM to Dependency Track we get the following Dependency Track server log message:

2023-08-04 10:55:24,160 ERROR [BomUploadProcessingTask] Error while processing bom
2023-08-04T10:55:24.160432944Z org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
2023-08-04T10:55:24.160438112Z 	at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
2023-08-04T10:55:24.160442368Z 	at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:105)
2023-08-04T10:55:24.160446458Z 	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
2023-08-04T10:55:24.160450728Z 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2023-08-04T10:55:24.160454724Z 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2023-08-04T10:55:24.160459128Z 	at java.base/java.lang.Thread.run(Unknown Source)
2023-08-04T10:55:24.160463436Z Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.Tool>` from Object value (token `JsonToken.START_OBJECT`)
2023-08-04T10:55:24.160469276Z  at [Source: (byte[])"{
2023-08-04T10:55:24.160473124Z   "bomFormat": "CycloneDX",
2023-08-04T10:55:24.160477126Z   "specVersion": "1.5",
2023-08-04T10:55:24.160481083Z   "serialNumber": "urn:uuid:6c32c3ad-f528-4761-9ca8-6ea0f7ef10f9",
2023-08-04T10:55:24.160485421Z   "version": 1,
2023-08-04T10:55:24.160505327Z   "metadata": {
2023-08-04T10:55:24.160509769Z     "timestamp": "2023-08-04T10:38:40.503Z",
2023-08-04T10:55:24.160514209Z     "tools": {
2023-08-04T10:55:24.160518030Z       "components": [
2023-08-04T10:55:24.160521962Z         {
2023-08-04T10:55:24.160525735Z           "group": "@cyclonedx",
2023-08-04T10:55:24.160529675Z           "name": "cdxgen",
2023-08-04T10:55:24.160533726Z           "version": "9.3.1",
2023-08-04T10:55:24.160537684Z           "purl": "pkg:npm/%40cyclonedx/cdxgen@9.3.1",
2023-08-04T10:55:24.160541844Z           "type": "application",
2023-08-04T10:55:24.160545761Z           "bom-ref": "pkg:npm/@cyclonedx/cdxgen@9.3.1"
2023-08-04T10:55:24.160549771Z         }
2023-08-04T10:55:24.160553435Z       ]
2023-08-04T10:55:24.160557227Z    "[truncated 841876 bytes]; line: 8, column: 14] (through reference chain: org.cyclonedx.model.Bom["metadata"]->org.cyclonedx.model.Metadata["tools"])
2023-08-04T10:55:24.160561870Z 	at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:59)
2023-08-04T10:55:24.160566235Z 	at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1746)
2023-08-04T10:55:24.160570420Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1520)
2023-08-04T10:55:24.160574673Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1467)
2023-08-04T10:55:24.160580178Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.handleNonArray(CollectionDeserializer.java:396)
2023-08-04T10:55:24.160584292Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:252)
2023-08-04T10:55:24.160588432Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
2023-08-04T10:55:24.160592437Z 	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2023-08-04T10:55:24.160596535Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
2023-08-04T10:55:24.160600761Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2023-08-04T10:55:24.160604812Z 	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2023-08-04T10:55:24.160608959Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
2023-08-04T10:55:24.160613014Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2023-08-04T10:55:24.160617000Z 	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
2023-08-04T10:55:24.160625314Z 	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4730)
2023-08-04T10:55:24.160629451Z 	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3738)
2023-08-04T10:55:24.160633418Z 	at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:68)
2023-08-04T10:55:24.160637560Z 	... 5 common frames omitted

Using Dependency Track 4.8.2 and cdxgen latest docker image.

EDIT:
Got it to work after setting --spec-version 1.4.

from cdxgen.

prabhu commented on August 15, 2024

@mattwongsd Thank you for filing this defect. Looks like the name attribute is duplicated, possibly because we are getting an object instead of a string here:

https://github.com/AppThreat/cdxgen/blob/master/index.js#L94

Could you kindly send a PR so that we hardcode the name to resolve this issue?

from cdxgen.

prabhu commented on August 15, 2024

Locally the structure looks fine, so I'm a bit confused. Could you share the Node version used? Also, cdxgen can upload directly to Dependency Track. Is that something you could try as well when you get a chance?

from cdxgen.

prabhu commented on August 15, 2024

@mattwongsd any updates regarding this?

from cdxgen.

commented on August 15, 2024

#54

The upload to DT does not work. I do not get any feedback when I provide the command arguments.

from cdxgen.

prabhu commented on August 15, 2024

@mattwongsd Any luck with the new version? Once this works, I might ask for your help to replace the use of the request package with got. It is used only for BOM submission atm.

from cdxgen.

prabhu commented on August 15, 2024

@thaarbach Downstream tools like dependency-track are yet to be updated to CycloneDX 1.5. The error Cannot deserialize value of type java.util.ArrayList<org.cyclonedx.model.Tool> indicates an issue with spec compliance. cdxgen > v9.2.x would attempt to use spec version 1.4 when the server URL or API key is passed. Passing the version manually is also fine.

https://github.com/CycloneDX/cdxgen/blob/master/bin/cdxgen.js#L157

from cdxgen.
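The error quoted in the thread comes from the CycloneDX 1.5 change to metadata.tools: 1.4 models it as an array of tool objects, while 1.5 also allows an object of the form {components: [...], services: [...]}, which a consumer still built for 1.4 cannot deserialize into a List of Tool. As an added example, and not code from cdxgen or Dependency-Track, the Node.js snippet below checks a BOM for that shape before upload and rewrites metadata.tools into the 1.4 array form. The function names, the helper toLegacyTool and the sample BOM are constructed for this example; the sample reuses the field names visible in the log above with a placeholder serial number.

```javascript
// Added example (not cdxgen or Dependency-Track code): detect the CycloneDX
// 1.5 object form of metadata.tools that produces the
// "Cannot deserialize value of type java.util.ArrayList<org.cyclonedx.model.Tool>"
// error above, and rewrite it into the 1.4 array form before upload.

// Constructed sample modelled on the metadata block in the log above.
// Serial number and timestamp are placeholders, not real values.
const SAMPLE_BOM_15 = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  serialNumber: "urn:uuid:00000000-0000-0000-0000-000000000000",
  version: 1,
  metadata: {
    timestamp: "2023-08-04T10:38:40.503Z",
    tools: {
      components: [
        {
          group: "@cyclonedx",
          name: "cdxgen",
          version: "9.3.1",
          purl: "pkg:npm/%40cyclonedx/cdxgen@9.3.1",
          type: "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@9.3.1",
        },
      ],
    },
  },
  components: [],
};

// Classify metadata.tools: "array" is the 1.4 shape, "object" the 1.5 shape.
function toolsShape(bom) {
  const tools = bom && bom.metadata ? bom.metadata.tools : undefined;
  if (tools === undefined) return "absent";
  if (Array.isArray(tools)) return "array";
  if (tools !== null && typeof tools === "object") return "object";
  return "invalid";
}

// Findings for a consumer that only understands the 1.4 array form.
function checkLegacyToolsCompat(bom) {
  const findings = [];
  const shape = toolsShape(bom);
  if (shape === "object") {
    findings.push("metadata.tools is an object (CycloneDX 1.5 form); " +
      "legacy consumers expect an array of tool objects");
  } else if (shape === "invalid") {
    findings.push("metadata.tools is neither an array nor an object");
  }
  return findings;
}

// Hypothetical helper: map one 1.5 tool component or service onto a 1.4
// tool entry ({vendor, name, version, hashes}). `group` (components) or
// `provider.name` (services) becomes `vendor`; hashes share the same shape.
function toLegacyTool(entry) {
  const tool = {};
  const vendor = entry.group || (entry.provider && entry.provider.name);
  if (vendor) tool.vendor = vendor;
  if (entry.name) tool.name = entry.name;
  if (entry.version) tool.version = entry.version;
  if (Array.isArray(entry.hashes)) tool.hashes = entry.hashes;
  return tool;
}

// Return a deep copy of the BOM with metadata.tools in the 1.4 array form.
// Only metadata.tools is rewritten; specVersion and any other 1.5-only
// fields are left as they are and still need --spec-version 1.4 on the
// generator side or an updated consumer.
function downgradeTools(bom) {
  const out = JSON.parse(JSON.stringify(bom));
  if (toolsShape(out) !== "object") return out;
  const src = out.metadata.tools;
  out.metadata.tools = [
    ...(src.components || []).map(toLegacyTool),
    ...(src.services || []).map(toLegacyTool),
  ];
  return out;
}

// Stand-alone run: report findings, then show the rewritten tools block.
console.log(checkLegacyToolsCompat(SAMPLE_BOM_15));
console.log(JSON.stringify(downgradeTools(SAMPLE_BOM_15).metadata.tools, null, 2));
```

Running the check before each upload turns the opaque server-side ParseException into a local, actionable finding; the rewrite is a stop-gap for the tools field alone and does not make the rest of a 1.5 document 1.4-compliant.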
