
Metadata not correct if used with conanfile.py

Open weichslgartner opened this issue 1 year ago • 2 comments

When the conan project uses a conanfile.py instead of conanfile.txt the metadata is not correct. With the following conanfile.py:

import os
from conans import ConanFile, CMake

class TestConan(ConanFile):
    name = "conan-test"
    version = "1.0.0"
    author = "John J. Smith ([email protected])"
    license = "MIT"
    settings = "os", "compiler", "build_type", "arch"
    generators = "cmake", "cmake_find_package"

    def requirements(self):
        self.requires("fmt/8.0.0")
        if os.environ.get("build_flag"):
            self.requires("ms-gsl/3.1.0")

it produces the following output (with the command cyclonedx-conan conanfile.py):

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:7d5b053a-fa8b-44ac-9f2b-0bff188f01cc",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "[email protected]",
      "type": "application",
      "name": "unknown",
      "version": "0.0.0"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:conan/[email protected]?repository_url=localhost",
      "type": "library",
      "name": "conan-test",
      "version": "1.0.0",
      "purl": "pkg:conan/[email protected]?repository_url=localhost"
    },
    {
      "bom-ref": "pkg:conan/[email protected]?repository_url=https://center.conan.io",
      "type": "library",
      "name": "fmt",
      "version": "8.0.0",
      "purl": "pkg:conan/[email protected]?repository_url=https://center.conan.io"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:conan/[email protected]?repository_url=localhost",
      "dependsOn": [
        "pkg:conan/[email protected]?repository_url=https://center.conan.io"
      ]
    },
    {
      "ref": "pkg:conan/[email protected]?repository_url=https://center.conan.io",
      "dependsOn": []
    }
  ]
}

"name" and "version" attributes are not set correctly, as node.ref is None is never true. I also think that if the name is defined in the conanfile.py it is better to get this attribute directly from the conanfile instead of from the folder name.

I tried to address this issue here: https://github.com/weichslgartner/cyclonedx-conan/blob/a119c52ba1c6887787b24853a6d2d646d0e78911/src/command.py#L141

It should still work with conanfile.txt as shown in this test: https://github.com/weichslgartner/cyclonedx-conan/blob/main/tests/test_command.py

I am happy to contribute a PR and open for feedback.

weichslgartner avatar Aug 28 '23 21:08 weichslgartner

@weichslgartner I agree with you that the check for the root component:

node.ref is None

is wrong in combination with a conanfile.py.

https://github.com/CycloneDX/cyclonedx-conan/pull/103 would be my proposal to fix it. It tries to stick with the original logic as much as possible, and it should then also produce correct "components" and "dependencies".

In addition, you also need to be careful as not all values (name, version, license, etc.) need to be specified in the conanfile.py

andreas-hilti avatar Sep 02 '23 11:09 andreas-hilti

@andreas-hilti I agree with you, additional fields from the conanfile.py should also be a separate PR. I will add additional checks (at the moment missing values are set to None, which would work for my use-case). Your PR is fine for solving this issue.

weichslgartner avatar Sep 05 '23 19:09 weichslgartner
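The two points raised in this thread, finding the root component without relying on node.ref is None and taking name/version from the recipe while tolerating attributes that a conanfile.py may omit, as an added example that is not cyclonedx-conan's code nor either linked PR. The Node class is a hypothetical stand-in for a resolved dependency-graph node, and the recipe is read via the AST so the example never executes it.

```python
import ast
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:  # constructed stand-in for a resolved graph node, not cyclonedx-conan's model
    ref: Optional[str]  # "name/version"; None only for a conanfile.txt consumer
    dependencies: list = field(default_factory=list)

def recipe_attributes(source: str) -> dict:
    """String class attributes (name, version, ...) read from the AST, never executed."""
    found = {}
    for cls in (n for n in ast.parse(source).body if isinstance(n, ast.ClassDef)):
        for stmt in cls.body:
            if (isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant)
                    and isinstance(stmt.value.value, str)):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        found[target.id] = stmt.value.value
    return found

def find_root(nodes):
    """The node nobody depends on; holds for ref None (conanfile.txt) and 'name/version'."""
    depended_on = {id(d) for n in nodes for d in n.dependencies}
    roots = [n for n in nodes if id(n) not in depended_on]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root node, found {len(roots)}")
    return roots[0]

def root_component(nodes, conanfile_source=None):
    """metadata.component: recipe attributes win, then node ref, then placeholders."""
    root = find_root(nodes)
    attrs = recipe_attributes(conanfile_source) if conanfile_source else {}
    name, version = "unknown", "0.0.0"
    if root.ref:
        name, _, version = root.ref.partition("/")
    name, version = attrs.get("name", name), attrs.get("version", version)
    comp = {"bom-ref": f"{name}@{version}", "type": "application",
            "name": name, "version": version}
    if "license" in attrs:  # optional in a recipe, so emit only when present
        comp["licenses"] = [{"license": {"id": attrs["license"]}}]
    return comp

# Constructed sample: the recipe and graph from the issue, reduced to what matters.
SAMPLE_CONANFILE = 'class TestConan(ConanFile):\n    name = "conan-test"\n    version = "1.0.0"\n    license = "MIT"\n'

def sample_graph():
    fmt = Node("fmt/8.0.0")
    return [Node("conan-test/1.0.0", [fmt]), fmt]
```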