CycloneDX.NET finishes successfully when package restore fails
Hi,
I'm using version 3.0.5 and recently noticed that in case the solution package restore fails, CycloneDX.NET does not generate a BOM file and finishes successfully. This makes our BOM builds continue and fail at a later point because the BOM file is not found.
Wouldn't it be better that CycloneDX.NET exits with a code that indicates failure?
Here is an example of shortened build output with key points in bold:
15:03:48 Dotnet restore failed:
15:03:48 Determining projects to restore...
15:03:48 D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\Models\Models.csproj : error NU1903: Warning As Error: Package 'Newtonsoft.Json' 12.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr [D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\WorkerHost\WorkerHost.csproj]
15:03:48 Failed to restore D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\Models\Models.csproj (in 18 ms).
15:03:48 CycloneDX has finished
15:03:48 Process exited with code 0
15:03:48 Step 2/2: Upload BOM to DependencyTrack
15:03:48 Step 1/1: Upload BOM to DependencyTrack (PowerShell)
15:03:48 PowerShell running in non-virtual agent context
15:03:48 PowerShell Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
15:03:48 Working directory: D:\BuildAgent\work\8459948641e4ad25
15:03:48 Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
15:03:48 PowerShell arguments: -NoProfile, -NonInteractive, -ExecutionPolicy, ByPass, -File, D:\BuildAgent\temp\buildTmp\powershell12874135734340666064.ps1, "D:\BuildAgent\work\8459948641e4ad25", "dist/BOM/bom.json", "*******", "https://dependencytrack_url/api", "ServiceName", "1.2.3.4"
15:03:48 Get-ChildItem : Cannot find path 'D:\BuildAgent\work\8459948641e4ad25\dist\BOM\bom.json' because it does not exist.
> Wouldn't it be better that CycloneDX.NET exits with a code that indicates failure?
That is the intended behavior. Can you tell me what arguments you call cyclonedx with?
Yes, sorry, forgot to add it:
dotnet cyclonedx "D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\ServiceName.sln" -o dist\BOM -f bom.json -j -sn "ServiceName" -sv 1.2.3.4 --github-username *** --github-token ***
First of all, as you set github-username and token you probably want to use --enable-github-licenses.
Since 3.0.0 it's disabled by default.
I cannot reproduce the error. Here is my try:
PS E:\src\repos\cyclonedx-dotnet> $LastExitCode
0
PS E:\src\repos\cyclonedx-dotnet> dotnet cyclonedx ..\cdx-enrich\src\CdxEnrich.sln -j -sn "name" -sv 1.0.0
Found the following local nuget package cache locations:
C:\Users\user\.nuget\packages\
Scanning at E:\src\repos\cdx-enrich\src\CdxEnrich.sln
» Solution: E:\src\repos\cdx-enrich\src\CdxEnrich.sln
Getting projects
» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
Getting project references
No project references found
» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj
Getting project references
» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
Getting project references
No project references found
2 project(s) found
» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
Attempting to restore packages
Packages restored
» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj
Attempting to restore packages
Dotnet restore failed:
Determining projects to restore...
E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj : error NU1101: Unable to find package Verify. No packages exist with this id in source(s): C:\Program Files\dotnet\library-packs, Package source
Failed to restore E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj (in 217 ms).
1 of 2 projects are up-to-date for restore.
PS E:\src\repos\cyclonedx-dotnet> $LastExitCode
5
Also, I cannot see any way in the flow of the program that it could leave the program without writing the output file, but still returning 0.
See here: https://github.com/CycloneDX/cyclonedx-dotnet/blob/master/CycloneDX/Runner.cs#L423-L426
Can you reproduce the problem outside your pipeline?
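A fail-fast gate for the BOM step discussed in this thread, as an added example that is not code from cyclonedx-dotnet or from any participant: it treats the step as successful only when the tool's exit code is 0 and the bom.json on disk actually parses as a CycloneDX document, so a missing or empty BOM fails here instead of in the later Dependency-Track upload step. The command arguments mirror the ones posted above; the script itself and its function names are assumptions.

```python
"""Pipeline gate around `dotnet cyclonedx` (added example, not project code)."""
import json
import subprocess
import sys
from pathlib import Path


def run_cyclonedx(solution: str, out_dir: str, filename: str = "bom.json") -> int:
    """Run the tool with the same core arguments as in the issue; return its exit code."""
    cmd = ["dotnet", "cyclonedx", solution, "-o", out_dir, "-f", filename, "-j"]
    return subprocess.run(cmd).returncode


def check_bom_document(bom: dict) -> list[str]:
    """Return the problems found in a parsed BOM; an empty list means it is usable."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        problems.append("specVersion missing")
    # A solution whose restore failed yields no resolved packages, so an empty
    # component list is treated as a failure rather than a valid (empty) BOM.
    if not bom.get("components"):
        problems.append("no components listed")
    return problems


def check_bom_file(path: Path) -> list[str]:
    """Existence and JSON checks first, then the document-level checks."""
    if not path.is_file():
        return [f"BOM file not found: {path}"]
    try:
        bom = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"BOM is not valid JSON: {exc}"]
    return check_bom_document(bom)


def main() -> int:
    solution, out_dir = sys.argv[1], sys.argv[2]
    rc = run_cyclonedx(solution, out_dir)
    if rc != 0:
        print(f"cyclonedx exited with {rc}", file=sys.stderr)
        return rc  # propagate the tool's own failure code
    problems = check_bom_file(Path(out_dir) / "bom.json")
    for problem in problems:
        print(f"BOM check failed: {problem}", file=sys.stderr)
    return 1 if problems else 0  # non-zero stops the pipeline before the upload


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python bom_gate.py path\to\Solution.sln dist\BOM` in place of the bare `dotnet cyclonedx` step; the upload step then only ever sees a BOM that exists and parsed.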
This issue is stale because it has been open for 3 months with no activity.