
cdxgen gets stuck inside a docker container

Open rohitcoder opened this issue 2 years ago • 5 comments

Hi There,

I was trying to run cdxgen inside a docker container. Every time, the cdxgen process gets stuck and does not move ahead. I am not getting any error here.

I tried with NodeJS version 20.3.1 and with some previous versions also. It works perfectly on my Mac machine, but not inside a docker container. I tried debugging the underlying command which cdxgen is running, and I noticed the underlying command is running successfully, but for some reason the cdxgen process is not moving ahead.

I tried running this command, and it works. No error and no lagging issues.

root@106b7630e816:/tmp/app# mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q

But when I try to run cdxgen, it just gets stuck after showing "Executing ...."

root@106b7630e816:/tmp/app# cdxgen
Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in /tmp/app

Here /tmp/app contains this project: https://github.com/appsecco/dvja

rohitcoder, Jul 14 '23 18:07

Interesting. Any extra output with export CDXGEN_DEBUG_MODE=debug? It might be trying to collect the sbom for more languages so try running with -t java

prabhu, Jul 14 '23 18:07

@prabhu this is the output with debug mode on:

root@106b7630e816:/tmp/app# export CDXGEN_DEBUG_MODE=debug
root@106b7630e816:/tmp/app# cdxgen -o file.json        
Scanning .
Performing babel-based package usage analysis with source code at .
Found 2 npm packages at .
Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /tmp/app
Extracting data from generated bom file /tmp/app/target/bom.json
Found 62 java packages at .
Parsing /tmp/app/target/dvja-1.0-SNAPSHOT.war

This is not moving ahead after "Parsing /tmp/app/target/dvja-1.0-SNAPSHOT.war"

I tried with -t java and it works:

root@106b7630e816:/tmp/app# cdxgen -o file.json -t java
Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /tmp/app
Extracting data from generated bom file /tmp/app/target/bom.json
root@106b7630e816:/tmp/app# 

I think the problem was a large .war file? So, I should explicitly define the "java" type for getting the BOM.

rohitcoder, Jul 15 '23 21:07

Thanks @rohitcoder. How big is this war? Can you scan this war outside the docker environment to replicate the issue? You can use cdxgen -o file.json -t java /tmp/app/target/dvja-1.0-SNAPSHOT.war

prabhu, Jul 15 '23 23:07

Hey @prabhu

Outside of the docker environment it does not get stuck, but gives an error:

kumarohit@kumarohit-MacBook-Pro Desktop % cdxgen -o file.json -t java dvja-1.0-SNAPSHOT.war
 java.io.IOException: license : could not create directory
	at jdk.jartool/sun.tools.jar.Main.extractFile(Main.java:1449)
	at jdk.jartool/sun.tools.jar.Main.extract(Main.java:1383)
	at jdk.jartool/sun.tools.jar.Main.run(Main.java:392)
	at jdk.jartool/sun.tools.jar.Main.main(Main.java:1700)

Cleaning up /var/folders/mb/tx9zwghs4m5649w4b5h4b_s00000gn/T/war-deps-u1bQsW

rohitcoder, Jul 16 '23 07:07

@rohitcoder is this issue still present in the latest cdxgen?

prabhu, Jan 31 '24 00:01