No SBOM generated when FETCH_LICENSE=true is set

[emcfins]

Hello!

We require the licenses to be included in the dependencies when we generate our SBOMs.

When FETCH_LICENSE=true is included in the command to run against our codebases, in some cases, the command ends but no SBOM is generated.

Cause found:

Through some testing, it turns out that the cache: gotHttpCache, part of the cdxgenAgent is causing the issue.
The command doesn't throw any errors or exceptions that I can see, even with CDXGEN_DEBUG_MODE=debug set.

When I remove that parameter from the agent, the SBOM is generated without a problem.

What is the purpose of the cache here? I see that gotHttpCache is initiated with new Map() right before included in the agent but I'm not too clear on what it's doing.

Thanks

[emcfins]

I'm happy to submit a PR to remove it but I wanted to better understand the impact of doing it before submitting the change.

Thanks!

[prabhu]

It's an http cache which must help speed up subsequent calls. Is anything else going on in your environment like a proxy or redirection so the cache is getting filled with empty values?

[emcfins]

Nothing else is different, just enabling fetching the license. It has worked with previous versions.

I'm not sure how to check the cache status for debugging - is that worth diving into as a possible cause of this issue?

[prabhu]

Maybe we support an option (environment variable) to disable caching? Might help server use cases too.

[emcfins]

I think that sounds good. Is that something you'd be open to receiving a PR for?

[prabhu]

Absolutely!