
Using the gh-gomod-generate-sbom action, fails when executing the "Cheap trick" gocmd.ModWhy call

Open jeroendee opened this issue 2 years ago • 8 comments

Problem

Currently I'm trying to integrate the generation of an SBOM for one of our Go repos. The gh-gomod-generate-sbom action is used. This actually fails with the error:

{"level":"error","error":"failed to download modules: command `/usr/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2022-12-16T16:28:08Z"}

Looking at this line and the subsequent call to gocmd.ModWhy, the error "failed to download modules: ..." doesn't actually indicate a failure of downloading modules, but more generally a failure when running the command (in this case `go mod why -m -vendor github.com/CycloneDX/cyclonedx-go`).

This will call private repos. So in that sense, it looks like this issue #206. But that one was closed without giving a hint what goes wrong.

On a local dev machine it works.

Question

Can somebody explain the above error when running cyclonedx-gomod through a GitHub Action?

Below the contents of the action:

jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
       
      - name: Install cyclonedx-gomod
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
          version: v1
      - name: Generate SBOM
        run: cyclonedx-gomod mod -verbose -json -output sbom.json ${{ github.workspace }}

jeroendee avatar Dec 19 '22 13:12 jeroendee

Prob. related to not being able to download the private repo... or something related.

jeroendee avatar Dec 19 '22 15:12 jeroendee

Hello team, any updates about this issue? I tried using the Docker image, tag v1.4, and I have the same error as @jeroendee reported. If I use the client locally on the laptop, it works well...

bcordobaq avatar Aug 03 '23 02:08 bcordobaq

Is it possible to provide some kind of minimal reproducer for this? I have not been able to replicate this so far.

Generally, if a project depends on private modules, then the usual setup of GOPRIVATE etc. required for private modules is necessary to generate an SBOM for the project. If it works on your local machine, but doesn't in CI, then there's some sort of setup, config, or environment variable missing in CI, that exists on your local machine.

nscuro avatar Aug 03 '23 09:08 nscuro

From my side, I couldn't try it with GitHub Actions, but I did it using Docker. If I execute the client app locally:

go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest

# in the dir of my project:
cyclonedx-gomod mod -json -output bom.json .

The BOM file is generated correctly.

But then, running the docker container, using as volume the root of my project:

docker run -it \
    -v "$(pwd):/usr/src/test" \
    -v "$(pwd)/reports:/out" \
    cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json  /usr/src/test

I have this output:

{"level":"error","error":"failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2023-08-03T11:38:44Z"}

I don't know the root cause, but with this, I'm not sure that it's related to private repos; it seems to be an error executing the go mod why command.

bcordobaq avatar Aug 03 '23 11:08 bcordobaq

Thanks for the input @bcordobaq. I ran the go mod why command from within the container, and I got this error:

failed to initialize build cache at /.cache/go-build: mkdir /.cache: permission denied

Which led me to this issue: https://github.com/golang/go/issues/26280#issuecomment-445294378

We use a non-root user in our Dockerfile:

https://github.com/CycloneDX/cyclonedx-gomod/blob/c44a3b127751cc2fd1b84c31fc3ae26226066a4a/Dockerfile.goreleaser#L3-L7

Adding this to the docker command works for me:

-e "GOCACHE=/tmp/gocache"

Can you verify that this resolves the issue? If so, I'll get this added to our Dockerfile and push a bugfix release out later today.

nscuro avatar Aug 03 '23 15:08 nscuro

I'll also see if I can improve the logging. Seems like currently we're swallowing the actual error message, which is not helpful.

nscuro avatar Aug 03 '23 15:08 nscuro
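As an added illustration of the two points above (the build-cache lookup that lands a non-root container user on /.cache/go-build, and an exec wrapper that keeps stderr instead of a bare "exit status 1"), here is example Go code that is not part of cyclonedx-gomod. It assumes HOME=/ for the container user (the thread only shows the resulting path) and the helper names are made up:

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// goBuildCacheDir mirrors the go command's Unix lookup: GOCACHE, else
// $XDG_CACHE_HOME/go-build, else $HOME/.cache/go-build. With HOME=/ (assumed)
// a non-root container user lands on /.cache/go-build, as seen in the thread.
func goBuildCacheDir(env map[string]string) string {
	switch {
	case env["GOCACHE"] != "":
		return env["GOCACHE"]
	case env["XDG_CACHE_HOME"] != "":
		return filepath.Join(env["XDG_CACHE_HOME"], "go-build")
	case env["HOME"] != "":
		return filepath.Join(env["HOME"], ".cache", "go-build")
	}
	return "" // go itself aborts: neither $XDG_CACHE_HOME nor $HOME defined
}

// preflightCache creates the cache dir and writes a probe file into it, so a
// permission problem surfaces before any `go mod why` call is attempted.
func preflightCache(dir string) error {
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return fmt.Errorf("failed to initialize build cache at %s: %w", dir, err)
	}
	f, err := os.CreateTemp(dir, ".probe-*")
	if err != nil {
		return fmt.Errorf("build cache %s is not writable: %w", dir, err)
	}
	f.Close()
	return os.Remove(f.Name())
}

// runCmd folds the command's stderr into the error, so the caller sees the
// real cause (e.g. "mkdir /.cache: permission denied"), not only "exit status 1".
func runCmd(ctx context.Context, dir string, env []string, name string, args ...string) (string, error) {
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Dir, cmd.Env = dir, env
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		return "", fmt.Errorf("command %q failed: %w: %s", cmd.String(), err, strings.TrimSpace(stderr.String()))
	}
	return stdout.String(), nil
}
```

Calling preflightCache(goBuildCacheDir(env)) before the scan gives the same "mkdir /.cache: permission denied" the container produced, and setting GOCACHE to a writable path (as with -e "GOCACHE=/tmp/gocache") makes the check pass.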

Actually it is logged in debug mode (with -verbose flag):

$ docker run -it --rm -v "$(pwd):/work" cyclonedx/cyclonedx-gomod:v1.4.0 mod -verbose /work
4:00PM DBG executing command cmd="/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go" dir=/work
4:00PM DBG failed to initialize build cache at /.cache/go-build: mkdir /.cache: permission denied
{"level":"error","error":"failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2023-08-03T16:00:03Z"}

nscuro avatar Aug 03 '23 16:08 nscuro

Hi @nscuro, first, thank you for your quick response! Effectively, I added the env variable in the docker command, and it works well 🎉, this was my probe:

docker run -it \
    -v "$(pwd):/usr/src/test" \
    -v "$(pwd)/reports:/out" \
    -e "GOCACHE=/tmp/gocache" \
    cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json  /usr/src/test

Thank you!!! Anyway, I saw your MR, which is merged, and I've also tried the latest Docker image; it works well 😄

docker run -it \
    -v "$(pwd):/usr/src/test" \
    -v "$(pwd)/reports:/out" \
    cyclonedx/cyclonedx-gomod mod -json -output /out/bom.json  /usr/src/test

bcordobaq avatar Aug 05 '23 02:08 bcordobaq