Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Metadata components should not have sub-components #763

Open
empwilli opened this issue Aug 22, 2024 · 2 comments
Open

Metadata components should not have sub-components #763

empwilli opened this issue Aug 22, 2024 · 2 comments

Comments

@empwilli
Copy link

As of now, cargo-cyclonedx explicitly creates sub-components for the component entry in the metadata for the respective compilation targets.

This appears to contradict with the suggestions in the Authoritative Guide to SBOM, that states, that "The SBOM should have a single bom.metadata.component without subcomponents".

This has the consequence, that generated SBoMs currently cannot be properly processed by third-party tools, e.g., Dependency Track.

@Shnatsel
Copy link
Contributor

Shnatsel commented Aug 22, 2024

More specifically, the guide states that subcomponents should be used in case of a "Multi-Product Solution" rather than a "Multi-Module Product".

You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Could you share the exact error that DependencyTrack reports?

@empwilli
Copy link
Author

empwilli commented Aug 23, 2024

Hi, thanks for your advice.

You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Sadly, I don't see too much difference in the resulting SBoMs:

 >  cargo cyclonedx --describe=crate -a
 >  cargo cyclonedx --describe=binaries -a
 >  diff my-project*.xml
2c2
< <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5409cd74-0ee9-4d79-a6ff-59855524e122" version="1">
---
> <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:74c46a33-405f-49e2-980d-a592c338df5a" version="1">
4c4
<     <timestamp>2024-08-23T06:07:23.503610541Z</timestamp>
---
>     <timestamp>2024-08-23T06:07:14.152732469Z</timestamp>
25c25
<       <purl>pkg:cargo/[email protected]?download_url=file://.#src/main.rs</purl>
---
>       <purl>pkg:cargo/[email protected]?download_url=file://.</purl>

Could you share the exact error that DependencyTrack reports?

It boils down to parsing errors with Jackson in the cyclonedx-core-java package, I've already filed a bug over there, the Dependency Track error logs then contain the stack trace I quoted in CycloneDX/cyclonedx-core-java#447 (comment).

Edit: formatting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants