Gradle SBOM Issue about cdxgen HOT 15 CLOSED

@Masireddy65 Could you kindly email me prabhu @ appthreat dot com so that we could do a separate troubleshooting session for you? It may or may not be related to this particular ticket. You could also rerun by setting the environment variable

SCAN_DEBUG_MODE=debug to see if there are any additional information.

from cdxgen.

I'm running into this issue, just trying to generate an SBOM from https://github.com/elastic/elasticsearch with cdxgen.

I am also able to run ./gradlew dependencies on the project successfully.

from cdxgen.

@navulirs Can you execute the below gradle command directly and let me know if it works correctly?

gradlew dependencies

Hi, Sorry for delayed response. It is working now. it has to do with the gradle version. Thanks

from cdxgen.

@navulirs Can you execute the below gradle command directly and let me know if it works correctly?

gradlew dependencies

from cdxgen.

@navulirs did you get a chance to try this?

from cdxgen.

Hello @prabhu, I had same issue for Gradle project. Tried gradlew deppendencies

Welcome to Gradle 7.0.2! Here are the highlights of this release:

• File system watching enabled by default
• Support for running with and building Java 16 projects
• Native support for Apple Silicon processors
• Dependency catalog feature preview

For more details see https://docs.gradle.org/7.0.2/release-notes.html Starting a Gradle Daemon (subsequent builds will be faster) FAILURE: Build failed with an exception. * What went wrong:
Unable to start the daemon process.
This problem might be caused by incorrect configuration of the daemon.
For example, an unrecognized jvm option is used.
Please refer to the User Manual chapter on the daemon at https://docs.gradle.org/7.0.2/userguide/gradle_daemon.html Process command line: C:\Program Files (x86)\Java\jre1.8.0_291\bin\java.exe -Xmx4096m -Dfile.encoding=windows-1252 -Duser.country=IN -Duser.language=en -Duser.variant -cp C:\Users\msrik.gradle\wrapper\dists\gradle-7.0.2-all\7era6s5ay7zsbhuvl0oc9g94s\gradle-7.0.2\lib\gradle-launcher-7.0.2.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 7.0.2
Please read the following process output to find out more:

Invalid maximum heap size: -Xmx4096m
The specified size exceeds the maximum representable size.
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit. * Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights. * Get more help at https://help.gradle.org

Can you please let me know, whats the best approach to generate BOM for similar Java/Gradle projects

from cdxgen.

@Masireddy65 Noticed a typo in gradlew dependencies There were 2 P.

This particular error sounds like related to your JVM version. Not sure if gradle 7 supports java 8.

Could you use the scan docker image if you aren't in a position to change the jvm version in your machine?

docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app" shiftleft/scan scan -t depscan

This would produce a bom as well as perform dependency scan.

from cdxgen.

Thanks for quick response @prabhu .

On Windows, the command changes slightly depending on the terminal.
cmd

docker run --rm -e "WORKSPACE=%cd%" -e "GITHUB_TOKEN=%GITHUB_TOKEN%" -v "%cd%:/app:cached" shiftleft/scan scan

I only found above command for windows cmd with github. However,I need to run a test on local directory of windows machine or may be on bitbucket pipeline. can you please help me tailer the command to my need here?

from cdxgen.

@Masireddy65 You can find bitbucket pipeline instruction here - https://slscan.io/en/latest/integrations/bitbucket/

from cdxgen.

Thanks @prabhu. Now, I have both bitbucket pipeline instruction and windows cmd docker run. Trying both only does SAST SCAN, Secrets audit etc. No dependency scan even with -depscan argument and obviously no BOM file saved at /reports.
Also,In terms of bitbucket i tried Docker version and received error in final step to find the file.
Windows cmd Attempts:
docker run --rm -v "%cd%:/app:cached" shiftleft/scan scan --type depscan
docker run --rm -v "%cd%:/app:cached" shiftleft/scan scan --type depscan,bom

Please find attached screenshots for all attempts and guide me accordingly. Appreciate your prompt response so far.

from cdxgen.

@ruckc elasticsearch repo appears to be requiring java 16. With java 16, gradlew dependencies is not returning the full tree for me so not sure how to make this work

 /mnt/work/sandbox/elasticsearch  master  ./gradlew dependencies                                                                                                                    1 err  25m 37s 
=======================================
Elasticsearch Build Hamster says Hello!
  Gradle Version        : 7.2
  OS Info               : Linux 5.13.13-051313-generic (amd64)
  JDK Version           : 16.0.2 (GraalVM Community)
  JAVA_HOME             : /home/prabhu/.sdkman/candidates/java/21.2.0.r16-grl
  Random Testing Seed   : 956BF8F9EB026B6A
  In FIPS 140 mode      : false
=======================================

> Task :dependencies

------------------------------------------------------------
Root project 'elasticsearch'
------------------------------------------------------------

es_distro_extracted_local
No dependencies

es_distro_file_local
No dependencies

jdk_provisioned_runtime
\--- adoptium_17:linux:17

A web-based, searchable dependency report is available by adding the --scan option.

BUILD SUCCESSFUL in 4s
20 actionable tasks: 1 executed, 19 up-to-date

Any ideas?

from cdxgen.

@ruckc I've added support for gradle multi-project apps such as elasticsearch in master. Below is the command used to test this.

GRADLE_MULTI_PROJECT_MODE=true SCAN_DEBUG_MODE=debug bin/cdxgen /mnt/work/sandbox/elasticsearch

For elasticsearch you need java 16. Could you kindly test and let me know how it looks so that I can release this feature?

from cdxgen.

Why did I report this error when analyzing the Grale project

from cdxgen.

@wujunhuge this must be due to the presence of space and brackets in the directory name. We have an existing issue like this for windows. Could you rename that project directory and try?

from cdxgen.

Thank you for your reply. I'll give it a try

from cdxgen.