
Include stdlib packages in application SBOM #84

Closed
thediveo opened this issue Oct 5, 2021 · 6 comments
Labels
enhancement New feature or request
thediveo commented Oct 5, 2021

I've generated a BOM of an application with both -std as well as without: with -std there's only a single Go stdlib component included, without it all included stdlib components seem to be missing from the BOM. I'm using the recent 1.0.0 version, compiled from master only a few days ago.

For instance, crypto packages are thus missing from the BOM generated on the basis of the sources, yet scanning the binary reveals that at least some of the crypto packages from the Go stdlib have been bound into the final binary.

Am I doing something wrong or missing some CLI flag that will include stdlib packages en detail into the BOM generated from the sources?

nscuro commented Oct 5, 2021

This is indeed working as intended.

cyclonedx-gomod works with modules, not packages. The -std flag was introduced to provide a simple solution for indicating which version of Go / the standard library is used.

The app command has a -file flag though, which will show all files of a module that are used. We currently filter out all stdlib packages, but we could extend this functionality to include stdlib files as well.

thediveo commented Oct 5, 2021

Thank you very much for your explanation! (me facepalming myself for mixing up modules and packages again)

Having -flag include stdlib packages would allow for simple postprocessing of the BOM in jq to get stdlib packages in addition to the modules, such as for ECC clearance.
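
The postprocessing step mentioned above, done in Python instead of jq, as an added example that is not part of the issue thread or of cyclonedx-gomod itself. It walks a constructed CycloneDX JSON BOM in which stdlib packages are nested under the std module component; the nesting and the pkg:golang/std/... purl layout are assumptions made for illustration, and the crypto/ prefix filter mirrors the export-control (ECC) use case raised in the comment.

```python
import json

# Constructed sample BOM (not real tool output): modules are top-level
# components and their packages are nested in "components". The purl layout
# for stdlib packages (pkg:golang/std/<import path>@<go version>) is assumed.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {
            "type": "library", "name": "std", "version": "go1.17",
            "purl": "pkg:golang/std@go1.17",
            "components": [
                {"type": "library", "name": "crypto/sha256",
                 "purl": "pkg:golang/std/crypto/sha256@go1.17"},
                {"type": "library", "name": "crypto/tls",
                 "purl": "pkg:golang/std/crypto/tls@go1.17"},
                {"type": "library", "name": "fmt",
                 "purl": "pkg:golang/std/fmt@go1.17"},
            ],
        },
        {
            "type": "library", "name": "github.com/spf13/cobra",
            "version": "v1.2.1",
            "purl": "pkg:golang/github.com/spf13/cobra@v1.2.1",
            "components": [
                {"type": "library", "name": "github.com/spf13/cobra",
                 "purl": "pkg:golang/github.com/spf13/cobra@v1.2.1"},
            ],
        },
    ],
})


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def stdlib_packages(bom_json, prefix="crypto/"):
    """Return sorted, de-duplicated stdlib package import paths from the BOM
    that start with `prefix` (default: the crypto packages)."""
    bom = json.loads(bom_json)
    found = set()
    for comp in walk_components(bom.get("components")):
        purl = comp.get("purl", "")
        # Only stdlib packages carry the assumed 'std' namespace in their purl.
        if purl.startswith("pkg:golang/std/") and comp["name"].startswith(prefix):
            found.add(comp["name"])
    return sorted(found)
```

Pass prefix="" to list every stdlib package the BOM records rather than only the crypto ones.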

nscuro commented Oct 6, 2021

I've created #85 to include package information in SBOMs.

I'll rename this issue to reflect that packages of the standard library should also be included (if -std is set).

@nscuro nscuro added the enhancement New feature or request label Oct 6, 2021
@nscuro nscuro changed the title BOM does not contain individual Go stdlib components Include stdlib packages in application SBOM Oct 6, 2021
@nscuro nscuro added this to the v1.1.0 milestone Oct 21, 2021
nscuro added a commit that referenced this issue Nov 20, 2021
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro closed this as completed in febc262 Nov 21, 2021
nscuro commented Nov 21, 2021

This is now available in v1.1.0-alpha.1.

@thediveo If you'd like to try it out:

$ go install -v github.com/CycloneDX/cyclonedx-gomod@v1.1.0-alpha.1
$ cyclonedx-gomod app -packages -std -json -output bom.json /path/to/your/app

Please let me know if there's something missing in your opinion, or the tool doesn't behave like you expect.

Our own SBOMs now include packages as well, including those of the standard library, e.g. https://github.com/CycloneDX/cyclonedx-gomod/releases/download/v1.1.0-alpha.1/cyclonedx-gomod_1.1.0-alpha.1_linux_amd64.bom.json

@thediveo

Unfortunately, I cannot get github.com/CycloneDX/cyclonedx-gomod@v1.1.0-alpha.1 to scan my application: trying to run cyclonedx-gomod app -packages -std -json -output bom.json ./cmd/lxkns on my OpenSource project thedive/lxkns always gives me: ERR error="failed to load modules: not a go module".

nscuro commented Nov 22, 2021

@thediveo Ah, that's because the positional argument is expected to be the path to your module. ./cmd/lxkns should be provided via -main. Try this instead, assuming your working directory is the root of your module:

$ cyclonedx-gomod app -packages -std -json -output bom.json -main ./cmd/lxkns .
