SBOM is different on package.json with same command on different systems #474
Labels: question (Further information is requested)
Describe the bug
Hello,
we ran into an issue where the output of the generated SBOM is different when executed in the Jenkins environment compared to the result when I execute the command locally.
We use the following command to generate the SBOM:

```
npx --yes -d @cyclonedx/cyclonedx-npm@^1 --output-file "..\..\..\bom\components\portal_frontend.json" --omit dev
```
The major difference is that in the Jenkins environment an additional `hashes` property is generated for each entry. That in itself isn't an issue for us at all in general, but there is one exception: we also have included the fontawesome-pro package, which doesn't come from npmjs but from the FA npm registry. In this case the `hashes` property is not generated, but the PURL is extended. If I execute the mentioned command locally, the tool generates

```json
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"
```

In the Jenkins environment it instead generates

```json
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?checksum=sha-512:74793b8a209fe4c0a6a14be6ad8cdf37f23781e6e9829035a2a94e7df80e4e19ec680478929690e58313764746f7d39fd619cdd01a24e91f87136f335dbdd23a&download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"
```
This leads to the issue that our Dependency Track rejects the SBOM file because that specific purl entry exceeds the max length:
![image](https://user-images.githubusercontent.com/8461282/216549475-0b6d7cf9-779d-4da2-bb95-a962ea814126.png)
I don't know if that limitation comes from the specification or is an internal limitation of Dependency Track.
I was able to use the short purl option as a first workaround; however, my main questions are:
Why is the output different from when I execute the command locally, and is there a reason that, for the external registry, the hash is written into the PURL, which isn't the case for packages coming from npmjs?
Expected behavior
Identical output SBOM in the local and Jenkins environments
Environment
Local
Jenkins
Additional context
A screenshot of the diff between the local (left) and Jenkins (right) output:
![image](https://user-images.githubusercontent.com/8461282/216550646-3ee38972-0508-46b0-80c7-032c13645de3.png)