
CycloneDX gives odd versions and PURLs

Open redaabdellah21 opened this issue 2 years ago • 2 comments

I installed CycloneDX for my Python project and ran these two commands to generate the BOM:

    pip freeze > requirements.txt
    cyclonedx-bom -r -i "MYPATH" --format json

It is giving me odd versions and PURLs (see the example), and there is no dependency graph.

```json
{
    "type": "library",
    "bom-ref": "8ed7e17e-2d50-4cd8-badf-6935bc583cf3",
    "name": "PyYAML",
    "version": "6.0\u0a0d\u0d00",
    "purl": "pkg:pypi/[email protected]%E0%A8%8D%E0%B4%80"
}
```


DT fails to compare with the latest version too, even though the component is in the latest version.

When I tried this command: cyclonedx-bom -e --format json

it works better, but there is still no dependency graph.

redaabdellah21 avatar Aug 02 '22 14:08 redaabdellah21
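A check for the symptom described in this report, as an added example (not part of the issue or of cyclonedx-python): it walks the components of a CycloneDX JSON BOM and flags versions that contain control or non-ASCII code points, that do not look like PEP 440 versions, or whose pkg:pypi PURL disagrees with the component. The sample BOM is constructed; the PURL name "pyyaml" and the simplified version pattern are assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote

# Simplified PEP 440 shape (release, optional pre/post/dev); assumption: strict enough to flag corruption.
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?$")
PYPI_PURL_RE = re.compile(r"^pkg:pypi/([^@?#]+)@([^?#]+)")

def version_problems(version):
    # Reasons why a version string looks corrupted (empty list if it looks sane).
    odd = [c for c in version if not c.isascii() or unicodedata.category(c).startswith("C")]
    problems = []
    if odd:  # stray control or non-ASCII code points, e.g. U+0A0D U+0D00 from the report
        problems.append("non-ASCII/control characters: " + " ".join(f"U+{ord(c):04X}" for c in odd))
    if not VERSION_RE.match(version):
        problems.append(f"not a PEP 440-style version: {version!r}")
    return problems

def purl_problems(purl, name, version):
    """Check that a pkg:pypi purl agrees with the component's own name and version."""
    m = PYPI_PURL_RE.match(purl)
    if not m:
        return [f"unparseable pkg:pypi purl: {purl!r}"]
    purl_name, purl_version = m.group(1), unquote(m.group(2))  # version is percent-encoded
    problems = []
    if purl_name.lower().replace("_", "-") != name.lower().replace("_", "-"):
        problems.append(f"purl name {purl_name!r} != component name {name!r}")
    if purl_version != version:
        problems.append(f"purl version {purl_version!r} != component version {version!r}")
    return problems + ["purl " + p for p in version_problems(purl_version)]

def check_bom(bom):
    """Map each failing component's bom-ref (or name) to its list of problems."""
    findings = {}
    for comp in bom.get("components", []):
        version = comp.get("version", "")
        problems = version_problems(version)
        if comp.get("purl", "").startswith("pkg:pypi/"):
            problems += purl_problems(comp["purl"], comp.get("name", ""), version)
        if problems:
            findings[comp.get("bom-ref") or comp.get("name")] = problems
    return findings

# Constructed BOM: the first component reproduces the garbled version from the report
# (purl name "pyyaml" assumed); the second shows what the clean entry should look like.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "bom-ref": "garbled", "name": "PyYAML",
     "version": "6.0\u0a0d\u0d00", "purl": "pkg:pypi/pyyaml@6.0%E0%A8%8D%E0%B4%80"},
    {"type": "library", "bom-ref": "clean", "name": "PyYAML",
     "version": "6.0", "purl": "pkg:pypi/pyyaml@6.0"},
]}
```

Running check_bom(SAMPLE_BOM) reports only the "garbled" component, with the offending code points listed, so a BOM like the one in this report can be rejected before it is uploaded to a vulnerability scanner.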

Hi @redaabdellah21 - thanks for getting involved and reporting this behaviour.

We have an open issue that is also similar to the lack of dependency tree generated by SBOMs in the manner you describe - (https://github.com/CycloneDX/cyclonedx-python/issues/391) as the metadata to understand how dependencies are actually being resolved is not something that is available directly in the metadata guaranteed to be available to this tool.

With regards to the version number challenge you raise, this is very strange, and not something anyone has reported thus far.

To help us triage this further can you please share:

  • Operating System you are running on (including version)
  • Python Version
  • Version of cyclonedx-python installed
  • The requirements.txt you are referencing

Thanks!

madpah avatar Aug 02 '22 15:08 madpah

Hi @madpah, thank you for your answer. Here is the info you asked for:

  • OS: Windows 10 20H2
  • Python version: 3.10.4
  • CycloneDX version: cyclonedx-bom 3.5.0, cyclonedx-python-lib 2.7.1
  • requirements.txt: requirements.txt

When I worked with the installed packages in the environment, it worked fine, but it gave more components than those present in the requirements.txt. That is not the best thing to do; a user can be looking at a vulnerability that does not affect his project.

Thanks again!

redaabdellah21 avatar Aug 03 '22 09:08 redaabdellah21

Fixed by #605

jkowalleck avatar Dec 25 '23 15:12 jkowalleck

This feature will be part of the next/upcoming major release.

Changelog: see https://github.com/CycloneDX/cyclonedx-python/pull/605

Install via: pip install cyclonedx-bom==4.0.0rc1

jkowalleck avatar Dec 25 '23 18:12 jkowalleck