
Dependency Graph Information Missing in CycloneDX SBOMs #6396

Closed
twright-0x1 opened this issue Jan 25, 2023 · 4 comments
Labels
duplicate An issue that duplicates another issue

Comments

@twright-0x1

This has a tangential relation to the earlier issue #3906.

When I use ort to generate an sbom, if the sbom type is SPDX, I see dependency graph information (at the end of the SBOM file). Whereas, if I select CycloneDX as the type, it appears that dependency graph information is missing.

My test case is a clone of the WebGoat project. I'm using a Docker install of ort... If I generate an Analyzer file with:

```
docker run --rm -v /MyStuff/:/project ort --info analyze -i /project/WebGoat --output-dir /project
```

and then an SPDX SBOM with:

```
docker run --rm -v /MyStuff/:/project ort --info report -i /project/analyzer-result.yml -f SpdxDocument -o /project
```

I see the expected dependency graph information at the end of the file. E.g., here's a snippet:

```yaml
relationships:
- spdxElementId: "SPDXRef-Package-Maven-cglib-cglib-nodep-2.2"
  relationshipType: "GENERATED_FROM"
  relatedSpdxElement: "SPDXRef-Package-Maven-cglib-cglib-nodep-2.2-source-artifact"
- spdxElementId: "SPDXRef-Package-Maven-ch.qos.logback-logback-classic-1.2.11"
  relationshipType: "DEPENDS_ON"
  relatedSpdxElement: "SPDXRef-Package-Maven-ch.qos.logback-logback-core-1.2.11"
```

Whereas, if I generate a CycloneDX SBOM with:

```
docker run --rm -v /MyStuff/:/project ort --info report -i /project/analyzer-result.yml -f CycloneDx -o /project
```

I don't find any dependency data.
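A small check for the symptom described above, added here as an example and not part of ORT or the reporter's setup: it pulls DEPENDS_ON edges out of an SPDX document and the `dependencies` array out of a CycloneDX JSON BOM, and lists CycloneDX components that sit on no edge at all (with the graph missing, that is every component). The sample documents are constructed to mirror the SPDX snippet quoted in the issue; the bom-refs are assumed purl-style values.

```python
import json


def spdx_edges(doc):
    """(element, related element) pairs for SPDX DEPENDS_ON relationships.
    Other relationship types (e.g. GENERATED_FROM) are not graph edges."""
    return [(r["spdxElementId"], r["relatedSpdxElement"])
            for r in doc.get("relationships", [])
            if r.get("relationshipType") == "DEPENDS_ON"]


def cyclonedx_edges(bom):
    """(parent ref, child ref) pairs from the top-level CycloneDX "dependencies" array."""
    return [(dep["ref"], child)
            for dep in bom.get("dependencies", [])
            for child in dep.get("dependsOn", [])]


def cyclonedx_unlinked_components(bom):
    """bom-refs of components that appear on no dependency edge.
    An SBOM without a "dependencies" array reports every component here."""
    linked = {ref for edge in cyclonedx_edges(bom) for ref in edge}
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if c.get("bom-ref") and c["bom-ref"] not in linked)


# Constructed sample inputs (assumed values, not real ORT output).
SPDX_SAMPLE = {"relationships": [
    {"spdxElementId": "SPDXRef-Package-Maven-cglib-cglib-nodep-2.2",
     "relationshipType": "GENERATED_FROM",
     "relatedSpdxElement": "SPDXRef-Package-Maven-cglib-cglib-nodep-2.2-source-artifact"},
    {"spdxElementId": "SPDXRef-Package-Maven-ch.qos.logback-logback-classic-1.2.11",
     "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-Maven-ch.qos.logback-logback-core-1.2.11"},
]}
CLASSIC = "pkg:maven/ch.qos.logback/logback-classic@1.2.11"
CORE = "pkg:maven/ch.qos.logback/logback-core@1.2.11"
COMPONENTS = [{"type": "library", "bom-ref": CLASSIC, "name": "logback-classic"},
              {"type": "library", "bom-ref": CORE, "name": "logback-core"}]
# BOM as described in the issue: components present, no dependency graph.
CDX_WITHOUT_GRAPH = json.loads(json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": COMPONENTS}))
# The same BOM with the graph the reporter expected.
CDX_WITH_GRAPH = dict(CDX_WITHOUT_GRAPH,
                      dependencies=[{"ref": CLASSIC, "dependsOn": [CORE]}])

if __name__ == "__main__":
    print("SPDX DEPENDS_ON edges:", spdx_edges(SPDX_SAMPLE))
    print("CycloneDX unlinked components:",
          cyclonedx_unlinked_components(CDX_WITHOUT_GRAPH))
```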

@sschuberth (Member)

> This has a tangential relation to the earlier issue #3906.

Mind explaining why only "tangential"? I'd say this is an exact duplicate... or am I missing something?

@twright-0x1 (Author) commented Jan 25, 2023

Apologies if that was a poor selection of words. My thinking was that #3906 had a Maven focus. I'm seeing the missing graph information for projects like WebGoat and Bootstrap... so, not just Maven.

@sschuberth (Member)

> My thinking was that #3906 had a Maven focus.

Just curious, how that? That issue does not even mention the word "Maven" 😉

Anyway, #3906 is meant to be package-manager-agnostic (like any ORT report format is). So are we good to close this as a duplicate?

@twright-0x1 (Author)

Sure thing! Happy to see this issue is considered relevant, still.

sschuberth added the "duplicate" label on Jan 25, 2023.
sschuberth closed this as not planned (duplicate) on Jan 25, 2023.