
Dependency Graph cannot be generated

Open mariusgiesen opened this issue 2 years ago • 10 comments

Hi I think I ran into the same issue as described here: https://github.com/CycloneDX/cdxgen/issues/243

When generating a bom.json with "cdxgen -o bom.json" and uploading the file into Dependency Track (https://docs.dependencytrack.org/) it does not create a dependency graph.

I used this project as a sample: https://github.com/acemilyalcin/sample-node-project

If I try "cyclonedx-npm --output-file bom.json" it works.

Here are both bom files:

[Screenshot 2023-02-27 at 10:58:42, image not included]

[Screenshot 2023-02-27 at 10:58:55, image not included]

Thank you in advance!

mariusgiesen avatar Feb 27 '23 10:02 mariusgiesen

@mariusgiesen, please retest with 8.1.2

prabhu avatar Feb 28 '23 03:02 prabhu

The issue was fixed in 8.1.2, but while working with projects containing multiple subprojects, for example if a project has a backend and a frontend, cdxgen just uses one of them as bom-ref, which leads to the tree containing only half of the components. So it will either have only frontend components or only backend components.

@prabhu any fix regarding that possible?

phoenix-aditya avatar Feb 28 '23 13:02 phoenix-aditya

@phoenix-aditya, do you have an example project to replicate this issue?

prabhu avatar Feb 28 '23 20:02 prabhu

@prabhu For example in a project like this which contains maven and npm packages, https://github.com/darecoder/Polling-App only the npm packages are part of the dependency tree on dependency tracker.

The issue I can see is that, as the npm packages and maven packages are not dependent on each other, 2 separate trees are being generated and cdxgen picks the root of one of those trees.

The solution as far as I can see would be to either add a false root and combine all the roots together, or render multiple trees in dependency tracker.

phoenix-aditya avatar Mar 02 '23 07:03 phoenix-aditya

@phoenix-aditya could you file an enhancement request for dependency-track to render multiple subtrees?

prabhu avatar Mar 02 '23 17:03 prabhu

@prabhu is this feature addition possible? https://github.com/DependencyTrack/dependency-track/issues/2572#issuecomment-1458013850

I guess the feature is not required in cyclonedx plugins, as the problem won't exist there since they are tech-stack dependent, whereas it is a part of cdxgen, as cdxgen supports generation of SBOMs for projects with multiple tech stacks and can therefore have multiple dependency trees, one for each.

phoenix-aditya avatar Mar 09 '23 18:03 phoenix-aditya

@phoenix-aditya

I guess the feature is not required in cyclonedx plugins, as the problem won't exist there since they are tech-stack dependent

Even under the same tech stack (Java/gradle), I'm facing the same issue if you have subprojects under subdirs with different gradle files. The superproject and the subproject are only related in terms of superdirectory and subdirectories and do not have any parent-dependency relation, and thus are not rendered in DT.

Hritik14 avatar Jul 19 '23 22:07 Hritik14
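The two situations described above (phoenix-aditya's frontend/backend case, where the BOM carries two independent dependency trees and only the one rooted at metadata.component is rendered, and Hritik14's gradle subproject case, where sibling projects have no parent-dependency relation) can both be spotted before uploading to Dependency Track by walking the `dependencies` array of the BOM. The script below is an added example, not code from cdxgen or Dependency Track: it reads a CycloneDX JSON document, lists every root (a ref that no other ref depends on), and reports which components are not reachable from the metadata component's bom-ref and which components have no `dependencies` entry at all. The embedded BOM is a constructed sample with made-up package URLs, not output from the projects linked in this thread.

```python
import json
import sys

# Constructed sample BOM (not from the thread): one npm tree rooted at the
# metadata component, one unrelated maven tree, and one component that has
# no entry in "dependencies" at all.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:npm/frontend@1.0.0", "name": "frontend"}},
    "components": [
        {"bom-ref": "pkg:npm/react@18.2.0", "name": "react"},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash"},
        {"bom-ref": "pkg:maven/com.example/backend@1.0.0", "name": "backend"},
        {"bom-ref": "pkg:maven/org.springframework/spring-core@5.3.0", "name": "spring-core"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/frontend@1.0.0", "dependsOn": ["pkg:npm/react@18.2.0"]},
        {"ref": "pkg:npm/react@18.2.0", "dependsOn": []},
        {"ref": "pkg:maven/com.example/backend@1.0.0",
         "dependsOn": ["pkg:maven/org.springframework/spring-core@5.3.0"]},
        {"ref": "pkg:maven/org.springframework/spring-core@5.3.0", "dependsOn": []},
    ],
}


def build_graph(bom):
    """Adjacency map ref -> set(dependsOn) from the CycloneDX dependencies array."""
    graph = {}
    for entry in bom.get("dependencies", []):
        deps = entry.get("dependsOn", [])
        graph.setdefault(entry["ref"], set()).update(deps)
        for dep in deps:
            graph.setdefault(dep, set())
    return graph


def find_roots(graph):
    """Refs that nothing else depends on; more than one means multiple trees."""
    depended_on = set()
    for deps in graph.values():
        depended_on |= deps
    return sorted(ref for ref in graph if ref not in depended_on)


def reachable_from(graph, start):
    """Depth-first walk of the dependsOn edges starting at one ref."""
    seen, stack = set(), [start]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, ()))
    return seen


def audit(bom):
    """Summarise why a consumer that renders only the metadata root would miss components."""
    graph = build_graph(bom)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    all_refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    reachable = reachable_from(graph, root) if root else set()
    return {
        "root": root,
        "roots": find_roots(graph),
        "unreachable": sorted(all_refs - reachable),
        "no_dependency_entry": sorted(all_refs - set(graph)),
    }


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_BOM)
    print(json.dumps(result, indent=2))
```

Run it as `python audit_bom.py bom.json` (the file name is an assumption); with no argument it audits the embedded sample. A non-empty `unreachable` list with more than one entry in `roots` is the multiple-tree symptom from this thread, while refs under `no_dependency_entry` are components the graph cannot place at all, which is what an empty Dependency Track graph usually comes down to.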

I'm also having issues seeing a Dependency Graph in Dependency Track when using cdxgen version 9.3.1. I've tested across npm, maven and nuget repositories with the same outcome (no dependency graph).

setchy avatar Aug 04 '23 18:08 setchy

@setchy could you kindly share any test projects and generated sbom to reproduce the issue? If the projects are private, you can share them via discord.

https://discord.gg/pF4BYWEJcS

prabhu avatar Aug 05 '23 04:08 prabhu

@setchy could you kindly share any test projects and generated sbom to reproduce the issue? If the projects are private, you can share them via discord.

https://discord.gg/pF4BYWEJcS

Raised https://github.com/CycloneDX/cdxgen/issues/447 after doing some further debugging locally

setchy avatar Aug 08 '23 19:08 setchy