cdxgen
cdxgen missed dependencies in go.mod
I scanned the gitleaks repository for an SBOM (cdxgen -o bom.json .), and it found 32 components out of the 36 in go.mod: https://github.com/gitleaks/gitleaks
@almaz045, For Go, cdxgen uses Go tooling to produce an SBOM for the build lifecycle.
- First, the go list -deps command is used to get a list of direct and indirect dependencies
https://github.com/CycloneDX/cdxgen/blob/master/index.js#L2726
- Then go mod graph command is invoked to construct the dependency tree
https://github.com/CycloneDX/cdxgen/blob/master/index.js#L2771
Could you investigate further by running these commands manually? If those 4 packages are not listed in the go list or go mod output, then they are genuinely unnecessary packages that could be ignored in the BOM.
- After running "go list -deps -f '{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}} {{.Main}}{{end}}'", the 5 lost dependencies were not on this list.
- After running "go mod graph" all 5 lost dependencies were in this list.
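The maintainer's explanation above describes two lookups, `go list -deps` for the modules that actually provide imported packages and `go mod graph` for the module requirement graph, and the reporter then found modules that show up only in the second. The snippet below is an added example, not cdxgen's own code: it parses both outputs and reports the modules that are in the graph but not in the package dependency list. The `go list` field layout follows the template quoted in the thread (Path Version Indirect GoMod GoVersion Main; the main module prints an empty Version). Both inputs are constructed sample output, not captured from the gitleaks repository, and the module paths in them are made up.

```javascript
// Added example (not cdxgen's code): diff `go list -deps` against `go mod graph`.
// Both inputs below are constructed samples with made-up module paths.

// Constructed output of:
// go list -deps -f '{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}} {{.Main}}{{end}}'
// Standard-library packages have no .Module and print blank lines.
const GO_LIST_DEPS = `
example.com/app  false /src/app/go.mod 1.21 true
github.com/foo/bar v1.2.0 false /go/pkg/mod/cache/download/github.com/foo/bar/@v/v1.2.0.mod 1.19 false
github.com/baz/qux v0.3.1 true /go/pkg/mod/cache/download/github.com/baz/qux/@v/v0.3.1.mod 1.18 false
`;

// Constructed output of `go mod graph`: one "parent child" pair per line,
// nodes written as path@version; the main module carries no @version.
const GO_MOD_GRAPH = `
example.com/app github.com/foo/bar@v1.2.0
example.com/app github.com/baz/qux@v0.3.1
example.com/app github.com/only/inmod@v2.0.0
github.com/foo/bar@v1.2.0 github.com/baz/qux@v0.3.1
github.com/foo/bar@v1.2.0 golang.org/x/text@v0.14.0
`;

// Parse the template output. The main module has an empty Version, so its line
// has one token fewer; detect it by the trailing Main flag, not by position.
function parseGoListDeps(text) {
  const modules = new Map(); // path -> { version, indirect, main }
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const t = line.split(/\s+/);
    const main = t[t.length - 1] === "true";
    const version = main ? "" : t[1];
    const indirect = (main ? t[1] : t[2]) === "true";
    modules.set(t[0], { version, indirect, main });
  }
  return modules;
}

// Parse `go mod graph` into the set of module nodes and a parent -> children map.
function parseGoModGraph(text) {
  const nodes = new Map(); // path -> Set of versions seen in the graph
  const edges = new Map(); // parent path -> Set of child paths
  const splitNode = (node) => {
    const at = node.lastIndexOf("@");
    return at === -1 ? [node, ""] : [node.slice(0, at), node.slice(at + 1)];
  };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const [parent, child] = line.split(/\s+/);
    for (const node of [parent, child]) {
      const [p, v] = splitNode(node);
      if (!nodes.has(p)) nodes.set(p, new Set());
      if (v) nodes.get(p).add(v);
    }
    const [pp] = splitNode(parent);
    const [cp] = splitNode(child);
    if (!edges.has(pp)) edges.set(pp, new Set());
    edges.get(pp).add(cp);
  }
  return { nodes, edges };
}

// Modules present in the requirement graph but absent from the package
// dependency list: required by go.mod resolution, yet providing no package
// that the build actually imports.
function graphOnlyModules(listText, graphText) {
  const listed = parseGoListDeps(listText);
  const { nodes } = parseGoModGraph(graphText);
  return [...nodes.keys()].filter((p) => !listed.has(p)).sort();
}

// Direct requirements of the main module (the one graph node without @version).
function directDeps(graphText) {
  const { nodes, edges } = parseGoModGraph(graphText);
  const mainMod = [...nodes.entries()].find(([, v]) => v.size === 0)?.[0];
  return mainMod ? [...(edges.get(mainMod) ?? [])].sort() : [];
}

console.log("graph-only modules:", graphOnlyModules(GO_LIST_DEPS, GO_MOD_GRAPH));
console.log("direct deps of main module:", directDeps(GO_MOD_GRAPH));
```

Against real repositories, pipe the two commands into files and feed their contents to `graphOnlyModules`. Modules it reports are exactly the case the thread is about: `go mod graph` prints the full module requirement graph from go.mod, including modules that no compiled package imports, while `go list -deps` only reports modules that provide an imported package, so a BOM built from the first will list more components than one built from the second.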
@almaz045 This is interesting. If the go mod graph included those dependencies, it must get captured here. Could you add some console.log and find out what might be going on?
https://github.com/CycloneDX/cdxgen/blob/master/index.js#L2797
@prabhu Can you suggest how I should run it locally after changing index.js?
@almaz045 Sure
git checkout -b <branch>
npm install
node bin/cdxgen.js -t go ...
Before sending the PR
npm run pretty
npm run lint
npm test