License information may not be fully recorded #944

schuhbsi opened this issue Feb 21, 2025 · 4 comments
Labels
needs triage Default status upon issue submission

Comments

@schuhbsi

sbom-tool version: 3.1.0

I execute the following command in an Azure DevOps pipeline:

sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc {{ parameters.workingDirectory }} -pn $(Build.DefinitionName) -pv 1.0.0 -ps sbom -nsb https://sbom.com -li true -V Verbose -D true -lto 90

The following result is returned:

Sbom-tool is already installed: 3.1.0

##[debug]Retrieving license information for 408 components took 85,7697623 seconds
##[warning]Encountered error while attempting to parse response. License information may not be fully recorded.
##[information]Found license information for 0 out of 408 unique components.

If I leave out the -lto parameter, I get the timeout error:

sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc {{ parameters.workingDirectory }} -pn $(Build.DefinitionName) -pv 1.0.0 -ps sbom -nsb https://sbom.com -li true -V Verbose -D true

##[debug]Retrieving license information for 408 components...
##[warning]Error encountered while fetching license information from API, resulting SBOM may have incomplete license information: The request was canceled due to the configured HttpClient.Timeout of 30 seconds elapsing.
##[debug]Retrieving license information for 408 components took 30,020855 seconds

But strangely enough, sometimes the licence generation works even if the timeout is not specified.

@sfoslund sfoslund added the needs triage Default status upon issue submission label Feb 24, 2025
@sfoslund
Member

@schuhbsi I'm not sure I'm understanding the issues here: it sounds like the timeout is working as expected and terminating license discovery after the default of 30 seconds. We fetch license data from ClearlyDefined, which can sometimes be a long-running operation or run into throttling, so it is expected that there will occasionally be cases in which license data gathering can take longer than the default of 30 seconds. Can you please clarify what this issue is / what kinds of changes you would like to be made here?

@sfoslund sfoslund added needs customer input Awaiting input from user before proceeding and removed needs triage Default status upon issue submission labels Feb 27, 2025
@schuhbsi
Author

@sfoslund Sorry that I did not express myself clearly. I would simply like to have the necessary licenses, i.e. license types, for my components that are integrated in the projects. But I have the following problem: I sometimes get a timeout or another error like here (License information may not be fully recorded), although I would have increased the timeout with the parameter from the default value of 30 seconds, as in the example, to 90 seconds. However, I have to say that my project also includes a large number of components, sometimes over 1000, where a license should be found. Would the solution then be to set the timeout even higher, or would there be other parameters besides -lto and -li that would be important for the SBOM generation with licenses?

@sfoslund
Member

No, there are no other parameters besides the ones you mentioned which should affect license gathering. If you have a large number of components then sometimes this can take some time, as it requires external requests which can be long-running or throttled. I would suggest trying to increase your timeout and see if that helps.

@schuhbsi
Author

schuhbsi commented Mar 3, 2025

@sfoslund I have now set the timeout to 300 seconds but unfortunately this error still occurs sometimes:

│ Component Detector Id │ Detection Time │ # Components Found │ # Explicitly Referenced │
├───────────────────────┼────────────────┼────────────────────┼─────────────────────────┤
│ CocoaPods             │ 1.5 seconds    │ 0                  │ 0                       │
│ ConanLock             │ 1.5 seconds    │ 0                  │ 0                       │
│ Go                    │ 1.5 seconds    │ 0                  │ 0                       │
│ Gradle                │ 1.5 seconds    │ 0                  │ 0                       │
│ Ivy (Beta)            │ 0.19 seconds   │ 0                  │ 0                       │
│ Linux                 │ 0.23 seconds   │ 0                  │ 0                       │
│ MvnCli                │ 0.24 seconds   │ 0                  │ 0                       │
│ Npm                   │ 1.5 seconds    │ 833                │ 0                       │
│ NpmLockfile3          │ 1.5 seconds    │ 778                │ 20                      │
│ NpmWithRoots          │ 1.5 seconds    │ 0                  │ 0                       │
│ NuGet                 │ 1.5 seconds    │ 0                  │ 0                       │
│ NuGetPackagesConfig   │ 1.5 seconds    │ 0                  │ 0                       │
│ NuGetProjectCentric   │ 1.5 seconds    │ 0                  │ 0                       │
│ PipReport             │ 1.2 seconds    │ 0                  │ 0                       │
│ Pnpm                  │ 1.5 seconds    │ 0                  │ 0                       │
│ Poetry (Beta)         │ 1.5 seconds    │ 0                  │ 0                       │
│ Ruby                  │ 1.5 seconds    │ 0                  │ 0                       │
│ RustCli               │ 1.5 seconds    │ 0                  │ 0                       │
│ RustCrateDetector     │ 1.5 seconds    │ 0                  │ 0                       │
│ SPDX22SBOM            │ 1.5 seconds    │ 0                  │ 0                       │
│ Vcpkg                 │ 1.5 seconds    │ 0                  │ 0                       │
│ Yarn                  │ 1.5 seconds    │ 0                  │ 0                       │
│ ───────────────────── │ ────────────── │ ────────────────── │ ─────────────────────── │
│ Total                 │ 1.6 seconds    │ 1611               │ 20                      │
└───────────────────────┴────────────────┴────────────────────┴─────────────────────────┘
##[information]""
##[information]""
##[information]Detection time: 1.5648677 seconds.
##[information]Scan Manifest file: "/tmp/ScanManifest_20250304070946604.json"
##[warning]Error encountered while fetching license information from API, resulting SBOM may have incomplete license information. Request returned status code: BadGateway
##[warning]Encountered error while attempting to parse response. License information may not be fully recorded.
##[information]Found license information for 0 out of 834 unique components.
##[information]Finished execution of the Generate workflow SBOMTelemetry {Result=Success, Errors=ErrorContainer`1 {Count=0, Errors=[]}, ...}

@DaveTryon DaveTryon added needs triage Default status upon issue submission and removed needs customer input Awaiting input from user before proceeding labels May 22, 2025
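A check a pipeline can run after sbom-tool finishes, as an added example that is not part of this thread or of sbom-tool: it reads the generated SPDX 2.2 JSON manifest and fails when most packages are left as NOASSERTION, which is what the runs above produce when the ClearlyDefined lookup times out or returns BadGateway while the tool still reports Result=Success. The field names (packages[].licenseConcluded / licenseDeclared, externalRefs purl entries, documentDescribes) are assumed from the SPDX 2.2 layout, and the sample document is constructed.

```python
import json

# Constructed sample in the shape sbom-tool writes. Assumed field names:
# packages[].licenseConcluded / licenseDeclared and externalRefs[] purl entries.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"name": "lodash", "SPDXID": "SPDXRef-Package-1",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT",
         "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"name": "left-pad", "SPDXID": "SPDXRef-Package-2",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
         "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
        {"name": "example 1.0.0", "SPDXID": "SPDXRef-RootPackage",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})

NO_LICENSE = {"", "NOASSERTION", "NONE"}

def purl_of(pkg):
    # Package URL from the SPDX externalRefs, or None if the package has none.
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None

def license_coverage(sbom_json):
    """Return (found, total, missing) over third-party packages; the root package
    named in documentDescribes is the build itself and is skipped."""
    doc = json.loads(sbom_json)
    roots = set(doc.get("documentDescribes", []))
    found, total, missing = 0, 0, []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in roots:
            continue
        total += 1
        lic = pkg.get("licenseConcluded", "")
        if lic in NO_LICENSE:  # fall back to what the package itself declares
            lic = pkg.get("licenseDeclared", "")
        if lic in NO_LICENSE:
            missing.append(purl_of(pkg) or pkg.get("name"))
        else:
            found += 1
    return found, total, missing

def coverage_ok(sbom_json, min_ratio=0.9):
    """Pipeline gate: False when fewer than min_ratio of packages carry a license."""
    found, total, _ = license_coverage(sbom_json)
    return total == 0 or found / total >= min_ratio
```

Run it over the manifest sbom-tool wrote into the -b directory and fail the job on a False result; the missing list is the set of purls to retry or to review by hand.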