
No results when scanning a hierarchical CycloneDX file from cyclonedx-cli #129

Closed · Feelemoon opened this issue Feb 22, 2023 · 10 comments
Assignees: djschleen
Labels: question (Further information is requested), wontfix (This will not be worked on)

Comments

@Feelemoon

When scanning a hierarchical CycloneDX JSON file generated with cyclonedx-cli merge --hierarchical [...] (https://github.com/CycloneDX/cyclonedx-cli), bomber produces no output, although components are present (and are detected by bomber when scanning the files before the merge).

@djschleen (Member)

@Feelemoon Can you provide a sample JSON file?

@Feelemoon (Author)

Sure, here is an example showing the structure:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:[...]",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "0.72.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "Feelemoon@2023-02-22",
      "group": "flm",
      "name": "flm-cdx",
      "version": "2023-02-22"
    }
  },
  "components": [
    {
      "type": "container",
      "bom-ref": "/target.tar@sha256:[...]",
      "name": "/target.tar",
      "version": "sha256:[...]",
      "components": [
        {
          "type": "library",
          "bom-ref": "/target.tar@sha256:[...]:pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12?package-id=90b007de82c26377",
          "group": "org.hdrhistogram",
          "name": "HdrHistogram",
          "version": "2.1.12",
          "licenses": [
            {
              "license": {
                "name": "http://creativecommons.org/publicdomain/zero/1.0/, https://opensource.org/licenses/BSD-2-Clause"
              }
            }
          ],
          "cpe": "cpe:2.3:a:HdrHistogram:HdrHistogram:2.1.12:*:*:*:*:*:*:*",
          "purl": "pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12",
          "externalReferences": [
            {
              "url": "",
              "type": "build-meta",
              "hashes": []
            }
          ],
          "properties": []
[...]

@djschleen (Member)

@Feelemoon if you could provide a full example, that would be awesome. Otherwise, can you check the output with the latest release of bomber? We fixed some output issues in that release.

Additionally, which provider do you happen to be using?

djschleen self-assigned this Mar 2, 2023
djschleen added the label question (Further information is requested) Mar 2, 2023
@Feelemoon (Author)

I've tried to upgrade to 0.4.2 but it does not run on my machine (#145). 0.4.1 does not report anything.

@djschleen (Member)

@Feelemoon can you try with v0.4.4?

@Feelemoon (Author)

@djschleen I've re-run it with v0.4.4 and it does not find any packages:

[...]
Version: 0.4.4
2023/04/22 22:45:03 Reading: combined.cdx.json
2023/04/22 22:45:04 Detected CycloneDX JSON
2023/04/22 22:45:05 Finished
■ No packages were detected. Nothing has been scanned.

@djschleen (Member)

@Feelemoon Dang... good news is you can run it now so the cgo flag must be working. Strange that it's not finding a package. Would it be possible to get a full sbom in the format you are looking at?

@Feelemoon (Author)

Please roll your own with cyclonedx-cli merge --hierarchical sbom-1.json sbom-2.json ...

@djschleen (Member)

Trying this:

cyclonedx-cli merge --hierarchical --input-files juiceshop.cyclonedx.json railsgoat.cyclonedx.json --output-file merged.json --name test --version 1.4

@djschleen (Member)

Based on the previous command I posted, it generated this file: https://github.com/devops-kung-fu/bomber/blob/refactor/_TESTDATA_/sbom/merged.json

There must be a formatting issue with the generated merged file because it will not unmarshal into the CycloneDX provided structs. I tried changing to the CycloneDX provided BOMDecoder but there was no difference.

The good thing is that the CycloneDX decoder will probably help process the 1.5 spec in the future.

I'm going to close this for a few reasons... a) The merged file won't unmarshal, whereas each SBOM merged into it will unmarshal independently, and b) It's a bit of an anti-pattern to combine SBOMs as you tend to lose provenance.
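The nesting shown in the sample above, and the provenance point in the closing comment, as an added example (not bomber's or cyclonedx-cli's code): a recursive walk that collects every purl from a hierarchical CycloneDX BOM while keeping the chain of enclosing bom-refs, so a flat package list can be handed to a scanner without losing which container each package came from. The JSON is constructed to mirror the structure posted in this issue; the sha256 value is a placeholder.

```go
package main

import "encoding/json"

// Component keeps only the fields needed; nested "components" is what a hierarchical merge adds.
type Component struct {
	BOMRef     string      `json:"bom-ref"`
	PURL       string      `json:"purl,omitempty"`
	Components []Component `json:"components,omitempty"`
}

type BOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Flattened is one purl plus the enclosing bom-refs, so which container it came from is kept.
type Flattened struct {
	PURL  string
	Chain []string
}

// ParseBOM unmarshals a CycloneDX JSON document into the subset above.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	err := json.Unmarshal(data, &b)
	return &b, err
}

// FlattenPURLs visits every nesting level; reading only b.Components would yield no purl here.
func FlattenPURLs(b *BOM) []Flattened {
	var out []Flattened
	var walk func(cs []Component, chain []string)
	walk = func(cs []Component, chain []string) {
		for _, c := range cs {
			if c.PURL != "" {
				out = append(out, Flattened{PURL: c.PURL, Chain: chain})
			}
			// fresh slice per child so sibling subtrees never share backing storage
			walk(c.Components, append(append([]string(nil), chain...), c.BOMRef))
		}
	}
	walk(b.Components, nil)
	return out
}
// Constructed sample modeled on the structure posted in this issue (hash is a placeholder).
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[{"type":"container","bom-ref":
 "/target.tar@sha256:PLACEHOLDER","components":[{"type":"library","bom-ref":"/target.tar@sha256:PLACEHOLDER:pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12",
 "purl":"pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12"}]}]}`
```

On the sample, the top-level array holds only the purl-less container, while the walk returns the HdrHistogram purl with the container's bom-ref as its chain.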
