This issue was moved to a discussion.

SBOM is different on package.json with same command on different systems #474

Closed · Serraniel opened this issue Feb 3, 2023 · 0 comments
Labels: question (Further information is requested)

@Serraniel
Describe the bug

Hello,

We ran into an issue where the output of the generated SBOM is different when executed in the Jenkins environment compared to the results when I execute the command locally.
We use the following command to generate the SBOM:
npx --yes -d @cyclonedx/cyclonedx-npm@^1 --output-file "..\..\..\bom\components\portal_frontend.json" --omit dev

The major difference is that in the Jenkins environment an additional hashes property is generated for each entry. That itself isn't an issue for us at all in general, but there is one exception:
We also have included the fontawesome-pro package, which doesn't come from npmjs but from the FA npm registry. In this case the hashes property is not generated, but the PURL is extended.
If I execute the mentioned command locally, the tool generates
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"

In the Jenkins environment it instead generates
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?checksum=sha-512:74793b8a209fe4c0a6a14be6ad8cdf37f23781e6e9829035a2a94e7df80e4e19ec680478929690e58313764746f7d39fd619cdd01a24e91f87136f335dbdd23a&download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"

This leads to the issue that our Dependency Track rejects the SBOM file because that specific purl entry exceeds the max length:
[image]

I don't know if that limitation comes from the specification or is an internal limitation of Dependency Track.
I was able to use the short purl options as a first workaround; however, my main questions are:
Why is the output different from when I execute the command locally, and is there a reason that, for the external registry, the hash is written into the PURL, which isn't the case for packages coming from npmjs?

Expected behavior

Identical output SBOM in local and Jenkins environments.

Environment

Local

  • @cyclonedx/cyclonedx-npm version: ^1
  • NPM version: 8.19.2
  • Node version: 18.12.1
  • OS: Windows 10

Jenkins

  • @cyclonedx/cyclonedx-npm version: ^1
  • NPM version: 8.8.0
  • Node version: 18.1.0
  • OS: Windows

Additional context

A screenshot of the diff between the local (left) and Jenkins (right) output:
[image]

@Serraniel Serraniel added the bug Something isn't working label Feb 3, 2023
@jkowalleck jkowalleck added question Further information is requested and removed bug Something isn't working labels Feb 13, 2023
@CycloneDX CycloneDX locked and limited conversation to collaborators Feb 13, 2023
@jkowalleck jkowalleck converted this issue into discussion #502 Feb 13, 2023
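The two purls quoted in the report name the same component and differ only in a qualifier, which is exactly what a cross-environment SBOM comparison should be able to tell apart from a real dependency change. The following Node.js snippet is an added example, not code from this issue or from the @cyclonedx/cyclonedx-npm project: it parses both purls following the package-url layout (pkg:type/namespace/name@version?qualifiers#subpath), confirms the component coordinates match, reports the qualifier difference, and checks that the checksum qualifier carries a well-formed sha-512 hex digest. It uses only JavaScript built-ins; the two input strings are the ones quoted above, embedded as constructed constants.

```javascript
// Added example, not code from the issue or from @cyclonedx/cyclonedx-npm.
// Parses package URLs (purls) of the form
//   pkg:type/namespace/name@version?qualifiers#subpath
// so that SBOMs generated in different environments can be compared on the
// component coordinates alone, with qualifier differences reported separately.

// Constructed inputs: the two purls quoted in the issue.
const PURL_LOCAL =
  "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1" +
  "?download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz";
const PURL_JENKINS =
  "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1" +
  "?checksum=sha-512:74793b8a209fe4c0a6a14be6ad8cdf37f23781e6e9829035a2a94e7df80e4e19ec680478929690e58313764746f7d39fd619cdd01a24e91f87136f335dbdd23a" +
  "&download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz";

// Hex digest lengths for the checksum algorithms recognised here.
const DIGEST_HEX_LENGTH = { md5: 32, sha1: 40, sha256: 64, sha512: 128 };

function parsePurl(purl) {
  if (!purl.startsWith("pkg:")) throw new Error("not a purl: " + purl);
  let rest = purl.slice("pkg:".length);

  // Subpath and qualifiers are split off first, so an '@' or '/' inside a
  // qualifier value (as in download_url) cannot be mistaken for a separator.
  let subpath = null;
  const hash = rest.indexOf("#");
  if (hash !== -1) { subpath = rest.slice(hash + 1); rest = rest.slice(0, hash); }
  let qualifierString = "";
  const question = rest.indexOf("?");
  if (question !== -1) { qualifierString = rest.slice(question + 1); rest = rest.slice(0, question); }

  rest = rest.replace(/^\/+/, "");
  let version = null;
  const at = rest.lastIndexOf("@");
  if (at !== -1) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }

  const segments = rest.split("/").filter(Boolean);
  if (segments.length < 2) throw new Error("purl needs a type and a name: " + purl);
  const type = segments.shift().toLowerCase();
  const name = decodeURIComponent(segments.pop());
  const namespace = segments.length ? segments.map(decodeURIComponent).join("/") : null;

  // Qualifier keys are case-insensitive; values are percent-decoded once.
  const qualifiers = {};
  for (const pair of qualifierString.split("&").filter(Boolean)) {
    const eq = pair.indexOf("=");
    const key = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    qualifiers[key] = value;
  }
  return { type, namespace, name, version, qualifiers, subpath };
}

// Canonical coordinates: which component, regardless of where or how it was fetched.
function coordinates(p) {
  const ns = p.namespace
    ? p.namespace.split("/").map(encodeURIComponent).join("/") + "/"
    : "";
  const ver = p.version !== null ? "@" + encodeURIComponent(p.version) : "";
  return `pkg:${p.type}/${ns}${encodeURIComponent(p.name)}${ver}`;
}

function sameComponent(a, b) {
  return coordinates(a) === coordinates(b);
}

// Report qualifier keys present on one side only, or on both with different values.
function diffQualifiers(a, b) {
  const keys = new Set([...Object.keys(a.qualifiers), ...Object.keys(b.qualifiers)]);
  const result = { onlyInA: [], onlyInB: [], changed: [] };
  for (const key of [...keys].sort()) {
    const inA = key in a.qualifiers, inB = key in b.qualifiers;
    if (inA && !inB) result.onlyInA.push(key);
    else if (!inA && inB) result.onlyInB.push(key);
    else if (a.qualifiers[key] !== b.qualifiers[key]) result.changed.push(key);
  }
  return result;
}

// The "checksum" qualifier is a comma-separated list of "algorithm:hexdigest".
// Each entry is checked for a known algorithm and a digest of the right length.
function parseChecksums(p) {
  const raw = p.qualifiers.checksum;
  if (!raw) return [];
  return raw.split(",").map((entry) => {
    const colon = entry.indexOf(":");
    const algorithm = (colon === -1 ? entry : entry.slice(0, colon)).toLowerCase().replace(/-/g, "");
    const hex = colon === -1 ? "" : entry.slice(colon + 1);
    const expected = DIGEST_HEX_LENGTH[algorithm];
    const valid = expected !== undefined && hex.length === expected && /^[0-9a-f]+$/i.test(hex);
    return { algorithm, hex, valid };
  });
}

// Stand-alone demo over the constructed inputs.
const local = parsePurl(PURL_LOCAL);
const jenkins = parsePurl(PURL_JENKINS);
console.log("same component:", sameComponent(local, jenkins));
console.log("qualifier diff:", diffQualifiers(local, jenkins));
console.log("checksums on Jenkins purl:", parseChecksums(jenkins));
console.log("purl lengths:", PURL_LOCAL.length, "->", PURL_JENKINS.length);
```

Comparing on coordinates() rather than on the raw purl string keeps a pipeline from flagging the Jenkins-produced SBOM as a dependency change when the only difference is the added checksum qualifier; the checksum itself is still available through parseChecksums() for anyone who wants to verify the fetched tarball against it.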
