Include stdlib packages in application SBOM #84
This is indeed working as intended. cyclonedx-gomod works with modules, not packages. The |
Thank you very much for your explanation! (me facepalming myself for mixing up modules and packages again) Having |
I've created #85 to include package information in SBOMs. I'll rename this issue to reflect that packages of the standard library should also be included (if |
Signed-off-by: nscuro <nscuro@protonmail.com>
This is now available in @thediveo If you'd like to try it out:

    $ go install -v github.com/CycloneDX/cyclonedx-gomod@v1.1.0-alpha.1
    $ cyclonedx-gomod app -packages -std -json -output bom.json /path/to/your/app

Please let me know if there's something missing in your opinion, or the tool doesn't behave like you expect. Our own SBOMs now include packages as well, including those of the standard library, e.g. https://github.com/CycloneDX/cyclonedx-gomod/releases/download/v1.1.0-alpha.1/cyclonedx-gomod_1.1.0-alpha.1_linux_amd64.bom.json
Unfortunately, I cannot get github.com/CycloneDX/cyclonedx-gomod@v1.1.0-alpha.1 to scan my application: trying to run |
@thediveo Ah, that's because the positional argument is expected to be the path to your module.
I've generated a BOM of an application both with -std as well as without. With -std there's only a single Go stdlib component included; without it, all stdlib components seem to be missing from the BOM. I'm using the recent 1.0.0 version, compiled from master only a few days ago. For instance, crypto packages are thus missing from the BOM generated on the basis of the sources, yet scanning the binary reveals that at least some of the crypto packages from the Go stdlib have been bound into the final binary.

Am I doing something wrong or missing some CLI flag that will include stdlib packages in detail in the BOM generated from the sources?
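As an added example (not part of this issue thread and not code from cyclonedx-gomod itself), here is a small Go program that reads a CycloneDX JSON BOM such as the bom.json produced by the `cyclonedx-gomod app -packages -std` command mentioned earlier and lists which standard-library packages it actually contains, so one can verify that e.g. crypto/* packages made it into the SBOM rather than only a bare stdlib module entry. The embedded BOM is constructed for the example; the nesting of packages under a "std" module component and the purl forms are assumptions, not a description of cyclonedx-gomod's exact output layout. The stdlib test is the go tool's own rule: an import path is standard library when its first element contains no dot.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SampleBOM is a constructed CycloneDX JSON document for this example, not
// real cyclonedx-gomod output. It mixes the two layouts the walker handles:
// stdlib packages nested under a "std" module component, and one stdlib
// package ("net/http") listed flat at the top level. Nesting and purl forms
// are assumptions made for the example.
const SampleBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "github.com/example/app",
     "purl": "pkg:golang/github.com/example/app@v0.1.0",
     "components": [{"type": "library", "name": "github.com/example/app/cmd/app",
                     "purl": "pkg:golang/github.com/example/app/cmd/app@v0.1.0"}]},
    {"type": "library", "name": "std", "purl": "pkg:golang/std@go1.17",
     "components": [
       {"type": "library", "name": "crypto/tls", "purl": "pkg:golang/crypto/tls@go1.17"},
       {"type": "library", "name": "crypto/x509", "purl": "pkg:golang/crypto/x509@go1.17"},
       {"type": "library", "name": "encoding/json", "purl": "pkg:golang/encoding/json@go1.17"}]},
    {"type": "library", "name": "net/http", "purl": "pkg:golang/net/http@go1.17"},
    {"type": "library", "name": "github.com/google/uuid", "purl": "pkg:golang/github.com/google/uuid@v1.3.0"}
  ]
}`

// Component is the subset of a CycloneDX component this check reads; nested
// "components" are walked recursively.
type Component struct {
	Name       string      `json:"name"`
	PURL       string      `json:"purl,omitempty"`
	Components []Component `json:"components,omitempty"`
}

// BOM is the subset of the CycloneDX JSON document this check reads.
type BOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// ParseBOM decodes a CycloneDX JSON BOM and rejects other document formats.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("decoding BOM: %w", err)
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	return &b, nil
}

// walk visits every component depth-first, including nested ones.
func walk(cs []Component, visit func(Component)) {
	for _, c := range cs {
		visit(c)
		walk(c.Components, visit)
	}
}

// IsStdlibImportPath applies the go tool's rule: an import path belongs to
// the standard library when its first path element contains no dot.
func IsStdlibImportPath(path string) bool {
	if path == "" {
		return false
	}
	first := path
	if i := strings.IndexByte(path, '/'); i >= 0 {
		first = path[:i]
	}
	return !strings.Contains(first, ".")
}

// StdlibPackages returns the sorted, de-duplicated import paths of all Go
// components in the BOM that are standard-library packages. The bare "std"
// module component is skipped: it only says the stdlib is present, not
// which of its packages were compiled in.
func StdlibPackages(b *BOM) []string {
	seen := map[string]bool{}
	walk(b.Components, func(c Component) {
		if !strings.HasPrefix(c.PURL, "pkg:golang/") || c.Name == "std" {
			return
		}
		if IsStdlibImportPath(c.Name) {
			seen[c.Name] = true
		}
	})
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// MissingPrefixes reports which wanted path prefixes (e.g. "crypto/") have
// no matching package in pkgs, in the order the prefixes were given.
func MissingPrefixes(pkgs, prefixes []string) []string {
	var missing []string
	for _, pre := range prefixes {
		found := false
		for _, p := range pkgs {
			if strings.HasPrefix(p, pre) {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, pre)
		}
	}
	return missing
}

func main() {
	b, err := ParseBOM([]byte(SampleBOM))
	if err != nil {
		panic(err)
	}
	pkgs := StdlibPackages(b)
	fmt.Println("stdlib packages in BOM:", pkgs)
	fmt.Println("missing prefixes:", MissingPrefixes(pkgs, []string{"crypto/", "os/"}))
}
```

To run it against a real BOM, replace SampleBOM with the contents of the generated bom.json; an empty result from StdlibPackages while the binary demonstrably links crypto/* packages is exactly the symptom described in this issue, and MissingPrefixes makes that check scriptable in CI.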