gh-sbom
502 Error generating SBOM
Description
I'm receiving the following error instead of a successful response when executing the command (on a private repository): gh sbom -l | jq
2023/03/16 08:42:24 non-200 OK status code: 502 Bad Gateway body: "{\n \"data\": null,\n \"errors\":[\n {\n \"message\":\"Something went wrong while executing your query. This may be the result of a timeout, or it could be a GitHub bug. Please include `C29E:4109:32875:36411:64123BB5` when reporting this issue.\"\n }\n ]\n}\n"
Context
- macOS 13.2.1 (M1)
- gh --version: gh version 2.24.3 (2023-03-09)
- gh-sbom/manifest.yml version: v0.0.8
Some more context:
I've been able to get it working successfully on an existing public repository, and a couple of other private repositories (they did appear to run slowly though). The repository that it was failing on was a Node codebase that made use of workspaces.
Sorry for the delay! As you discovered, this can take a while to generate an SBOM for a large repository, or fail altogether for very large repositories.
The Dependency Graph team was kind enough to implement a server-side SBOM generator for SPDX, which is much, much faster. The gh-sbom v0.0.9 release makes use of this feature - give it a try and let us know if that works for you?
You'll need to update gh-sbom with:
$ gh ext remove advanced-security/gh-sbom
$ gh ext install advanced-security/gh-sbom
This is still failing for a large repo I want to get a Cyclone DX formatted SBOM for. Is there any way to configure a longer timeout or more verbose output from the tool?
Still an issue for v0.0.10. Disappointing, because GitHub generates SPDX v2.3, which is illegible/uninterpretable by CycloneDX. But when I use the -c flag to generate Cyclone output, that's when this problem arises.
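Added example, not gh-sbom's own code: a minimal mapping from the SPDX 2.3 JSON that the server-side generator returns to CycloneDX 1.4 JSON, run on a constructed sample document. The "sbom" wrapper key, the SPDXID naming and the purl placement in externalRefs are assumptions about the REST response shape, not something this thread shows.

```python
# Constructed SPDX 2.3 document shaped like the server-side generator's output
# (assumed: the REST API wraps it under an "sbom" key); sample values, not a real repository.
SPDX_SAMPLE = {"sbom": {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.example/app",
    "packages": [
        {"SPDXID": "SPDXRef-com.github.example-app", "name": "com.github.example/app",
         "versionInfo": "main"},
        {"SPDXID": "SPDXRef-npm-lodash-4.17.21", "name": "lodash", "versionInfo": "4.17.21",
         "licenseConcluded": "MIT", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-npm-minimist-1.2.8", "name": "minimist", "versionInfo": "1.2.8",
         "licenseConcluded": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl", "referenceLocator": "pkg:npm/minimist@1.2.8"}]},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-com.github.example-app"}],
}}

def to_component(pkg):
    """Map one SPDX package to a CycloneDX component (name, version, purl, license)."""
    comp = {"type": "library", "bom-ref": pkg["SPDXID"], "name": pkg["name"]}
    if pkg.get("versionInfo"):
        comp["version"] = pkg["versionInfo"]
    purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)
    if purl:
        comp["purl"] = purl
    lic = pkg.get("licenseConcluded")
    if lic and lic not in ("NOASSERTION", "NONE"):  # SPDX placeholders, not licenses
        comp["licenses"] = [{"license": {"id": lic}}]
    return comp

def spdx_to_cyclonedx(doc):
    """Convert an SPDX 2.3 JSON document (bare or API-wrapped) to CycloneDX 1.4 JSON."""
    spdx = doc.get("sbom", doc)
    # The package the document DESCRIBES is the repository itself; CycloneDX keeps
    # it in metadata.component, not in the components list.
    described = {r["relatedSpdxElement"] for r in spdx.get("relationships", [])
                 if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"}
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": {}, "components": []}
    for pkg in spdx.get("packages", []):
        comp = to_component(pkg)
        if pkg["SPDXID"] in described:
            comp["type"] = "application"
            bom["metadata"]["component"] = comp
        else:
            bom["components"].append(comp)
    return bom
```

Feeding the converter a document that already went through the server-side SPDX path sidesteps the client-side CycloneDX generation that times out on large repositories in this thread.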