Improve --cyclonedx output option
#2987
Comments
|
@DennisClark can you try with "--package" ? It should not crash anyway. |
|
Running it with |
|
I got beyond the crash by specifying the --package option. Now there is a rather different problem which might be called "lost in translation". The samples provided for testing with sctk did not produce really interesting results, so I extracted a folder from `libX11-1.7.2.tar.bz2' and scanned that. The results using the --json-pp output option are extensive and detailed, but running the same scan with the --cyclonedx output option produces a very limited file with hardly any content. Associated files attached. Here are my commands:
|
|
@DennisClark Thanks... that's super useful to track this issue. |
Avoids crashing when generating a cyclonedx sbom from scancode-toolkit when there aren't any package options specified. Also show a warning message in the CLI and add a warning in the BOM metadata. Reference: #2987 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
|
@DennisClark The above PR addresses the crash.
Please review the warning text also btw. As for the |
|
@AyanSinhaMahapatra The warning text provided in your comment is good and very informative, thanks. No changes suggested. |
Avoids crashing when generating a cyclonedx sbom from scancode-toolkit when there aren't any package options specified. Also show a warning message in the CLI and add a warning in the BOM metadata. Reference: #2987 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Do not fail without packages in cyclonedx #2987
|
a helpful link here: |
|
another helpful link: |
Avoids crashing when generating a cyclonedx sbom from scancode-toolkit when there aren't any package options specified. Also show a warning message in the CLI and add a warning in the BOM metadata. Reference: nexB#2987 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
|
The bug is fixed and we are keeping this open to ensure we can report more useful data. |
AyanSinhaMahapatra
changed the title
--cyclonedx output option
|
From @pombredanne at this comment:
|
|
See a sample output at #3016 (comment) for reference |
|
CycloneDX v1.5 was released last month. @pombredanne do you think it would be worthwhile to add this support? Would you maintain legacy version support as well? |
|
@eastmadc sure! I think the work will consist in migrating to this library https://gitlab.com/hoppr/hoppr-cyclonedx-models/-/tree/main/hoppr_cyclonedx_models that we already use in ScanCode.io and already has support for CycloneDX 1.5 (@jhlmco and team Thank you BTW.. ! )
I think we should. |
Running scancode-toolkit-31.0.0b5 on MacOS 11.6.6
The --json-pp output option works fine, but
the --cyclonedx output option fails.
scancode-toolkit-31.0.0b5 % ./scancode --license --copyright --cyclonedx scancode_results_cyclonedx.json samples
Setup plugins...
Collect file inventory...
Scan files for: licenses, copyrights with 1 process(es)...
[####################] 66
ERROR: failed to run output plugin: cyclonedx:
Traceback (most recent call last):
File "//scancode-toolkit-31.0.0b5/src/scancode/cli.py", line 1067, in run_codebase_plugins
plugin.process_codebase(codebase, **kwargs)
File "//scancode-toolkit-31.0.0b5/src/formattedcode/output_cyclonedx.py", line 735, in process_codebase
bom = CycloneDxBom.from_codebase(codebase)
File "//scancode-toolkit-31.0.0b5/src/formattedcode/output_cyclonedx.py", line 633, in from_codebase
packages = codebase.attributes.packages
AttributeError: 'CodebaseAttributes' object has no attribute 'packages'
Scanning done.
Summary: licenses, copyrights with 1 process(es)
Errors count: 0
Scan Speed: 1.12 files/sec.
Initial counts: 44 resource(s): 33 file(s) and 11 directorie(s)
Final counts: 44 resource(s): 33 file(s) and 11 directorie(s)
Timings:
scan_start: 2022-06-08T180404.780531
scan_end: 2022-06-08T180436.257832
setup_scan:licenses: 2.00s
setup: 2.00s
scan: 29.42s
total: 31.49s
Removing temporary files...done.
The text was updated successfully, but these errors were encountered: