Using the gh-gomod-generate-sbom action, fails when execution the "Cheap trick" gocmd.ModWhy call #230
Comments
|
Prob. related with not being able to download the private repo... or something related. |
|
Hello team, any updates about this issue? I tried using the docker image, tag |
|
Is it possible to provide some kind of minimal reproducer for this? I have not been able to replicate this so far. Generally, if a project depends on private modules, then the usual setup of |
nscuro
changed the title
|
From my side, I couldn't try it with Github actions, but I did it using docker. go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
# in the dir of my project:
cyclonedx-gomod mod -json -output bom.json .The BOM file is generated correctly. But then, running the docker container, using as volume the root of my project: docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json /usr/src/testI have this output: I don't know the root cause, but with this, I'm not sure that's related to private repos, it seems an error executing the |
|
Thanks for the input @bcordobaq. I ran the Which lead me to this issue: golang/go#26280 (comment) We use a non-root user in our cyclonedx-gomod/Dockerfile.goreleaser Lines 3 to 7 in c44a3b1 Adding this to the Can you verify that this resolves the issue? If so, I'll get this added to our |
|
I'll also see if I can improve the logging. Seems like currently we're swallowing the actual error message, which is not helpful. |
|
Actually it is logged in debug mode (with |
caused by golang/go#26280 (comment) relates to #230 Signed-off-by: nscuro <nscuro@protonmail.com>
|
Hi @nscuro , first, thank you for your quick response! Effectively, I added the env variable in the docker command, and it works well 🎉 , this was my probe: docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
-e "GOCACHE=/tmp/gocache" \
cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json /usr/src/testThank you!!! Anyways, I saw your MR, which is merged, and I've tried also the docker docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
cyclonedx/cyclonedx-gomod mod -json -output /out/bom.json /usr/src/test |
Problem
Currently I'm trying to integratie the generation of a SBOM for one of our Go repos. The gh-gomod-generate-sbom action is used. This actually fails with the error:
{"level":"error","error":"failed to download modules: command `/usr/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2022-12-16T16:28:08Z"}Looking at this line and the subsequent call to gocmd.ModWhy the error "failed to download modules: ..." doesn't actually indicate a failure of downloading modules, but more generally a failure when running the command (in this case `go mod why -m -vendor github.com/CycloneDX/cyclonedx-go).
This will call private repo's. So in that sense, it looks like this issue #206. But that one was closed without giving a hint what goes wrong.
On a local dev machine it works.
Question
Can somebody explain the above error when running cyclonedx-gomod through a GitHub Action?
Below the contents of the action:
The text was updated successfully, but these errors were encountered: