Bug: Reachability scan fails #300

Open
sjpritchard opened this issue Apr 22, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@sjpritchard

sjpritchard commented Apr 22, 2024

Expected Behavior

Report with reachability information is produced

Actual Behavior

depscan ends with error:

DEBUG [2024-04-23 06:29:51,230] BOM Profile: research
DEBUG [2024-04-23 06:29:51,231] ⚡︎ Executing "cdxgen -r -t java -o VulnerableApp-1.12.0.jar/bom.json --profile research VulnerableApp-1.12.0.jar"
DEBUG [2024-04-23 06:30:12,861] About to identify class names for all jars in the path /tmp/war-deps-WKbOt3
/tmp/war-deps-WKbOt3 did not contain any jars.
Maven search appears to be unavailable. Search will be skipped for all remaining packages.
Cleaning up /tmp/war-deps-WKbOt3
node:fs:2342
return binding.writeFileUtf8(
^

Error: ENOTDIR: not a directory, open 'VulnerableApp-1.12.0.jar/bom.json'
at Object.writeFileSync (node:fs:2342:20)
at file:///home/steve/.nvm/versions/node/v20.12.2/lib/node_modules/@cyclonedx/cdxgen/bin/cdxgen.js:469:12 {
errno: -20,
code: 'ENOTDIR',
syscall: 'open',
path: 'VulnerableApp-1.12.0.jar/bom.json'
}

Node.js v20.12.2

DEBUG [2024-04-23 06:30:12,861] Bom file VulnerableApp-1.12.0.jar/bom.json was not created successfully

Steps to Reproduce

depscan --profile research -t java -i VulnerableApp-1.12.0.jar --debug

Additional Information

  • depscan 5.3.3
  • cdxgen 10.4.2
  • Running on WSL2 with Ubuntu 20.04
@sjpritchard sjpritchard added the bug Something isn't working label Apr 22, 2024
@sjpritchard sjpritchard changed the title Bug: Reachability scan does not work Bug: Reachability scan fails Apr 22, 2024
@sjpritchard
Author

I tried running it by referring to the folder and not the .jar file, with the following result:

depscan --profile research -t java -i test --debug

DEBUG [2024-04-23 06:40:10,648] BOM Profile: research
DEBUG [2024-04-23 06:40:10,648] ⚡︎ Executing "cdxgen -r -t java -o test/bom.json --profile research test"
DEBUG [2024-04-23 06:40:11,530] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument.
Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.

DEBUG [2024-04-23 06:40:11,531] Bom file test/bom.json was not created successfully

@sjpritchard
Author

I realised that I should have been scanning the source, however I still get the following error:

depscan --profile research -t java -i ./VulnerableApp/src --debug

DEBUG [2024-04-23 07:00:36,166] BOM Profile: research
DEBUG [2024-04-23 07:00:36,166] ⚡︎ Executing "cdxgen -r -t java -o ./VulnerableApp/src/bom.json --profile research ./VulnerableApp/src"
DEBUG [2024-04-23 07:00:37,046] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument.
Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.

DEBUG [2024-04-23 07:00:37,046] Bom file ./VulnerableApp/src/bom.json was not created successfully

@prabhu
Member

prabhu commented Apr 23, 2024

@sjpritchard Is there a public repo for the app you are scanning? The -i or --src argument must point to the directory containing the source. Often this would be the root directory containing pom.xml or package-lock.json etc.

If you are already inside the application directory, you can pass dot as the directory name. -i .
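The two failures in this thread have the same root cause from a wrapper's point of view: depscan writes the BOM to `<input>/bom.json`, so pointing `-i` at a .jar file produces ENOTDIR, and pointing it at a directory with no build manifest leaves cdxgen with nothing to resolve and no BOM is created. The following pre-flight check is an added example written for this issue; it is not code from depscan or cdxgen. It assumes the output-path rule visible in the log lines above and uses a manifest list (pom.xml, build.gradle, package-lock.json and similar) chosen by the example's author, not by the project.

```python
"""Pre-flight checks before invoking a depscan/cdxgen reachability scan.

Added illustration for this issue, not depscan's or cdxgen's own code. It mirrors
the observed output-path behaviour ("-o <input>/bom.json") and catches the two
failure modes seen in the thread before cdxgen is launched.
"""
import os
import shutil
import tempfile

# Files that mark a plausible source root. Assumption: this list is the
# example author's choice, seeded from the files named in the maintainer's reply.
MANIFESTS = ("pom.xml", "build.gradle", "build.gradle.kts",
             "package-lock.json", "package.json")


def bom_output_path(src):
    """Mirror depscan's observed behaviour: the BOM is written to <src>/bom.json."""
    return os.path.join(src, "bom.json")


def check_source(src):
    """Return (ok, reason) for a candidate -i/--src argument.

    Flags the two cases from the issue: a file instead of a directory (which
    makes the bom.json path fail with ENOTDIR) and a directory without any
    build manifest (cdxgen then has nothing to build a BOM from).
    """
    if not os.path.exists(src):
        return False, f"{src} does not exist"
    if os.path.isfile(src):
        return False, (f"{src} is a file; depscan would write "
                       f"{bom_output_path(src)}, which fails with ENOTDIR. "
                       "Point -i/--src at the source directory instead.")
    found = [m for m in MANIFESTS if os.path.isfile(os.path.join(src, m))]
    if not found:
        return False, (f"{src} contains no build manifest "
                       f"({', '.join(MANIFESTS)}); cdxgen will likely create "
                       "no BOM. Use the project root, or '.' from inside it.")
    return True, f"found {', '.join(found)}"


def cdxgen_command(src, lang="java", profile="research"):
    """Build the cdxgen invocation depscan issues, as shown in the debug log."""
    return ["cdxgen", "-r", "-t", lang, "-o", bom_output_path(src),
            "--profile", profile, src]


def bom_was_created(src):
    """Post-run check matching depscan's 'was not created successfully' message."""
    path = bom_output_path(src)
    return os.path.isfile(path) and os.path.getsize(path) > 0


def demo():
    """Constructed scratch layout reproducing the three inputs from the thread.

    Returns (jar_ok, empty_dir_ok, project_root_ok).
    """
    base = tempfile.mkdtemp(prefix="depscan-demo-")
    try:
        jar = os.path.join(base, "VulnerableApp-1.12.0.jar")   # a file, not a dir
        open(jar, "wb").close()
        empty = os.path.join(base, "src")                      # dir, no manifest
        os.makedirs(empty)
        root = os.path.join(base, "VulnerableApp")             # dir with pom.xml
        os.makedirs(root)
        open(os.path.join(root, "pom.xml"), "w").close()
        results = tuple(check_source(p)[0] for p in (jar, empty, root))
        for p in (jar, empty, root):
            ok, reason = check_source(p)
            print(("OK  " if ok else "FAIL"), p, "->", reason)
        print("would run:", " ".join(cdxgen_command(root)))
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    demo()
```

Running the block prints one line per constructed input: the .jar and the manifest-less directory are rejected with the reason a user would need, and only the directory holding pom.xml passes, after which the same `cdxgen -r -t java -o <root>/bom.json --profile research <root>` command line seen in the debug output is assembled.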
