Unable to create SBOM for package-lock.json in server mode #1530
prabhushan opened this issue Jan 6, 2025 · 5 comments
prabhushan commented Jan 6, 2025

Hi,

I am trying to create SBOM.json for a node application. It generates an empty SBOM.. not sure what I am missing. Please guide what I am missing - I tried with all types as mentioned in the document - nodejs, npm, js, javascript

package-lock.json

curl --location --request POST 'http://127.0.0.1:9090/sbom?path=%2Fapp&type=js'

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:33000064-9424-4c1b-aa8d-06ad5b6f1309",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-06T04:59:37Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.0.9",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.0.9",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.0.9",
          "publisher": "OWASP Foundation",
          "authors": [ { "name": "OWASP Foundation" } ]
        }
      ]
    },
    "authors": [ { "name": "OWASP Foundation" } ],
    "lifecycles": [ { "phase": "build" } ],
    "component": {
      "group": "",
      "name": "jsforwp-blocks",
      "version": "2.0.0",
      "type": "application",
      "purl": "pkg:npm/jsforwp-blocks@2.0.0",
      "bom-ref": "pkg:npm/jsforwp-blocks@2.0.0"
    },
    "properties": []
  },
  "components": [],
  "dependencies": [ { "ref": "pkg:npm/jsforwp-blocks@2.0.0", "dependsOn": [] } ],
  "annotations": []
}

I am able to generate for dockerfile, java (pom.xml) and python.

docker command - docker run -v /cdxgen/tmp:/tmp -e CDXGEN_DEBUG_MODE=debug -p 9090:9090 -v /cdxgen:/app:rw -itd ghcr.io/cyclonedx/cdxgen:v11.0.9 -r /app --server --server-host 0.0.0.0

I noticed that when I use CLI mode it is working if I pass the type as "js"

cdxgen -r -o bom.json -t js .
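The server response above is well-formed CycloneDX but inventories nothing: "components" is empty and the root component's "dependsOn" is empty. Because the HTTP call still succeeds, a pipeline that only checks the status code would store an empty SBOM. The following helper is an added example, not part of this issue or of cdxgen itself; it parses a BOM and reports the conditions that make it useless for vulnerability matching. The two embedded documents are constructed samples (the first mirrors the shape of the empty BOM in this issue, the second is a hypothetical populated BOM with placeholder package names).

```python
"""Sanity-check a CycloneDX BOM, e.g. one returned by `cdxgen --server`.

An SBOM with an empty "components" array is a silent failure: the request
succeeded and the JSON is valid, but nothing was inventoried. This helper
flags that and a few related defects so a pipeline can fail early.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample: the shape of the empty BOM reported in the issue,
# trimmed to the fields this check needs.
EMPTY_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {
    "component": {"name": "jsforwp-blocks", "version": "2.0.0",
                  "type": "application", "bom-ref": "pkg:npm/jsforwp-blocks@2.0.0"}
  },
  "components": [],
  "dependencies": [{"ref": "pkg:npm/jsforwp-blocks@2.0.0", "dependsOn": []}]
}
"""

# Constructed sample of a populated BOM (hypothetical package names).
POPULATED_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {
    "component": {"name": "example-app", "version": "1.0.0",
                  "type": "application", "bom-ref": "pkg:npm/example-app@1.0.0"}
  },
  "components": [
    {"name": "left-pad", "version": "1.3.0", "type": "library",
     "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
    {"name": "ms", "version": "2.1.3", "type": "library",
     "purl": "pkg:npm/ms@2.1.3", "bom-ref": "pkg:npm/ms@2.1.3"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0",
     "dependsOn": ["pkg:npm/left-pad@1.3.0", "pkg:npm/ms@2.1.3"]},
    {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []},
    {"ref": "pkg:npm/ms@2.1.3", "dependsOn": []}
  ]
}
"""


def inspect_bom(raw: str) -> dict[str, Any]:
    """Return component count and a list of problems; ok == no problems."""
    bom = json.loads(raw)
    problems: list[str] = []

    if bom.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")

    components = bom.get("components") or []
    if not components:
        problems.append("components array is empty")

    # Components without a purl cannot be matched against vulnerability feeds.
    missing_purl = [c.get("name") for c in components if not c.get("purl")]
    if missing_purl:
        problems.append(f"{len(missing_purl)} component(s) without purl")

    root_ref = (bom.get("metadata") or {}).get("component", {}).get("bom-ref")
    deps = bom.get("dependencies") or []
    root_entry = next((d for d in deps if d.get("ref") == root_ref), None)
    if root_entry is None:
        problems.append("root component has no dependencies entry")
    elif not root_entry.get("dependsOn"):
        problems.append("root component dependsOn is empty")

    # Every ref in the dependency graph must resolve to a declared bom-ref;
    # a dangling ref means the graph and the inventory disagree.
    known = {root_ref} | {c.get("bom-ref") for c in components}
    dangling = sorted(
        ref for d in deps for ref in [d.get("ref"), *d.get("dependsOn", [])]
        if ref not in known
    )
    if dangling:
        problems.append(f"dangling refs: {', '.join(dangling)}")

    return {"component_count": len(components), "problems": problems,
            "ok": not problems}


if __name__ == "__main__":
    # Usage: curl -s -X POST 'http://127.0.0.1:9090/sbom?path=...&type=js' | python3 check_bom.py
    result = inspect_bom(sys.stdin.read())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Piping the server response through this check turns the symptom in this issue into a non-zero exit code, which is the signal a CI job needs. Schema validation alone would not catch it, since an empty components array is schema-valid.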

prabhu (Collaborator) commented Jan 6, 2025

Any errors when you set the CDXGEN_DEBUG_MODE=debug in server mode? Also, are you running cdxgen against the full source code of the application?

prabhushan (Author) commented

Hi @prabhu thanks for responding

1. There are no errors..
   [attached screenshot]

2. But I am running on the package-lock.json with CLI, it works fine for the package-lock.json file
   cdxgen -o bom.json -t js .

cdxgen --version
8.6.0

prabhu (Collaborator) commented Jan 7, 2025

No idea. Can you upgrade and try with the latest version?

prabhushan (Author) commented

Hi @prabhu - you mean for the server mode? Yes, same thing.. Could I send the package-lock.json so you could try from your end?

prabhu (Collaborator) commented Jan 8, 2025

Like I said, cdxgen requires the full source code, not just the lock file. Running the latest v11 version with the CDXGEN_DEBUG_MODE=debug environment variable will show the exact error as well.
