
Update version of tool winget points to

Open rfalanga opened this issue 1 year ago • 12 comments

I've installed sbom-tool using WinGet. It didn't add a sbom-tool command; instead, it installed a sbom command. (I am running this on a Windows 11 Professional machine.) (Also, I tried looking through both open and closed issues, but didn't find any reference to the problem I'm experiencing.)

Following the instructions in the README, I issued this command:

sbom generate -b D:\GitHub\BlazorToDo\BlazorApp\BlazorApp\bin\Debug\net6.0 -bc D:\GitHub\BlazorToDo\BlazorApp\BlazorApp -o D:\SBoms\BlazorToDo

That resulted in this error:

Unexpected named argument: o

So, I then tried output and OutputPath, but failed.

I saw in another issue someone suggested including an additional argument of -V. I tried that, but it didn't help and it certainly didn't make the error message verbose. In fact, it was exactly as before.

I thought I would try changing the "\" to "/", in the command string, but that didn't help. Same error message.

I am using PowerShell 7.4.1.

So, what am I doing wrong and how do I fix it?

rfalanga avatar Apr 09 '24 16:04 rfalanga

Hi @rfalanga, it appears that the version of the tool that is installed by default by winget and our docs are out of sync. When I tried to repro, winget installed version 1.5.2, but our docs in this repo are reflective of the current version, version 2.2.4. I have renamed this issue to track updating the version of the tool that winget points to.

In the meantime, you can either run sbom -h to see the command line arguments supported by the version of the tool that is installed by winget, or you can directly install a newer version of the tool from the releases page.

sfoslund avatar Apr 09 '24 18:04 sfoslund

Hi @sfoslund, I've got to admit I hadn't thought of that possibility.

So, should I uninstall the version that WinGet installs, before getting it from the releases page?

rfalanga avatar Apr 09 '24 18:04 rfalanga

Yes, I would recommend uninstalling the old version.

sfoslund avatar Apr 09 '24 19:04 sfoslund

@sfoslund I've uninstalled the WinGet version. Then downloaded the Win64 version from the release page. I ran it, twice. It just flashes up briefly, then closes immediately. After that I brought up a new instance of PowerShell, but neither the sbom nor the sbom-tool commands were recognized.

Am I doing something wrong?

rfalanga avatar Apr 09 '24 19:04 rfalanga

When you download the exe directly it is not added to your PATH automatically, so you'll need to either run the .exe file directly by navigating to the dir where you downloaded it to and running .\sbom-tool-win-x64.exe or adding the tool to your PATH manually. There's lots of direction online about how to add an exe to your PATH, including this stackoverflow post.

sfoslund avatar Apr 09 '24 19:04 sfoslund
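
The PATH step described in the comment above, as an added PowerShell example that is not part of the original thread or the project's documentation. The download location and the per-user `$ToolDir` directory are assumptions; the last command lists every `sbom` or `sbom-tool` binary that resolves, so a leftover older install is visible.

```powershell
# Assumptions (not from the thread): the exe was saved to the Downloads folder,
# and $ToolDir is a hypothetical per-user tools directory.
$Downloaded = Join-Path $HOME 'Downloads\sbom-tool-win-x64.exe'
$ToolDir    = Join-Path $env:LOCALAPPDATA 'Tools\sbom-tool'

# Copy the exe as sbom-tool.exe so that `sbom-tool` resolves as a command.
New-Item -ItemType Directory -Path $ToolDir -Force | Out-Null
Copy-Item -Path $Downloaded -Destination (Join-Path $ToolDir 'sbom-tool.exe') -Force

# Append the directory to the user PATH only if it is not already listed.
# Appending (not prepending) keeps it from shadowing system binaries.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
$entries  = @($userPath -split ';' | Where-Object { $_ })
if ($entries -notcontains $ToolDir) {
    $newPath = ($entries + $ToolDir) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'User')
}

# The persisted PATH is read only by new processes; update this session as well.
if (($env:Path -split ';') -notcontains $ToolDir) {
    $env:Path = "$env:Path;$ToolDir"
}

# List every matching command on PATH with its location and version.
Get-Command sbom, sbom-tool -All -ErrorAction SilentlyContinue |
    Select-Object Name, Source, Version
```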

I believe "-o" is a command for the validate command, not generate. "-b" is a directory where you can have the sbom written to.

This is the command I use to generate sboms.

sbom-tool generate  -b ./ -bc ../sbomqs -nsb https://interlynk.io -pn lynk-api -pv v1.0.0 -ps interlynk.io -D true -pm true -cd "--DirectoryExclusionList **/scripts/** **/storage/** **/bin/**"

riteshnoronha avatar Apr 09 '24 19:04 riteshnoronha

Perhaps you're right, @riteshnoronha. The documentation I was looking at clearly said that -o was for output path. But according to @sfoslund, the version of sbom-tool I was trying to use, doesn't use that syntax.

BTW, I tried to find the sbom-tool where it was installed but haven't been able to find it. I think it is buried deep within the LocalData area on my Windows 11 machine.

rfalanga avatar Apr 11 '24 01:04 rfalanga

But according to @sfoslund, the version of sbom-tool I was trying to use, doesn't use that syntax.

I didn't look closely at the version of the tool that winget installed, so it's possible that it does use the -o syntax. I'm not sure; you would have to check the --help output.

But for the more recent versions, it does look like @riteshnoronha is correct and the -o syntax corresponds to the validate command. Please check the arguments doc here and let me know if there's somewhere else you were looking that needs to be updated.

sfoslund avatar Apr 11 '24 14:04 sfoslund

It appears that this PR added the sbom-tool to winget, so to fix this item we would need to submit another PR: https://github.com/microsoft/winget-pkgs/pull/118723

sfoslund avatar Apr 11 '24 18:04 sfoslund

Sarah, are you asking me to create a PR to fix this item that involves WinGet?

rfalanga avatar Apr 14 '24 22:04 rfalanga

Nope, this issue was just triaged by the SBOM team and we made that note for when we get to fixing this in the future. If you want to help out and contribute that change, feel free; otherwise we have this in our backlog to fix.

sfoslund avatar Apr 15 '24 15:04 sfoslund

Opened https://github.com/microsoft/winget-pkgs/pull/161043 to submit version 2.2.6

DaveTryon avatar Jul 01 '24 22:07 DaveTryon

@rfalanga, we just published version 2.2.6 via WinGet. Closing this out.

DaveTryon avatar Jul 02 '24 16:07 DaveTryon

Thank you, @DaveTryon

rfalanga avatar Jul 03 '24 00:07 rfalanga