Dependencies in CycloneDX SBOM format not parsed
While trying guac with a CycloneDX SBOM I found that no edges are being created. To make sure this is a reproducible case you could run the following commands to create the same SBOM:
git clone https://github.com/quarkusio/quarkus-quickstarts.git
cd quarkus-quickstarts
mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.1:makeBom
.../bin/guacone files --creds neo4j:s3cr3t target/bom.json
It seems no edges are identified in that BOM and therefore no dependency graph is built in neo4j, only single nodes are created. But as far as I understand the SBOM actually contains the dependency information which could be used to build the graph. In the SBOM it looks like this:
{
  components: [...],
  dependencies: [
    {
      ref: getting-started
      dependsOn: [resteasy-reactive]
    },
    {
      ref: resteasy-reactive
      dependsOn: [resteasy-common, ...]
    }
    ...
  ]
}
So based on above sample I do not think it would be required to use information of the language ecosystem or dep.dev. The details are in the SBOM but not being parsed.
Posted this initially in #200 but created a new issue as suggested by @lumjjb
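To make the point concrete, here is an added Go example (not guac's code and not from the issue author): it reads only the CycloneDX fields quoted above, turns each `dependencies` entry into ref -> dependsOn edges, and flags any ref that neither `components` nor the root component in `metadata` declares. The BOM it parses is a constructed sample modelled on the snippet, with one undeclared ref added on purpose.

```go
package main

import "encoding/json"
// Minimal CycloneDX 1.4 JSON shapes; only the fields needed to recover dependency edges.
type Component struct{ BomRef string `json:"bom-ref"` }
type Dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}
type Bom struct {
	Metadata     struct{ Component Component `json:"component"` } `json:"metadata"`
	Components   []Component  `json:"components"`
	Dependencies []Dependency `json:"dependencies"`
}
type Edge struct{ From, To string }

// DependencyEdges turns the dependencies array into ref -> dependsOn edges and also reports
// every ref the graph uses that no component (or the root) declares: such an edge has no node to attach to.
func DependencyEdges(bomJSON []byte) ([]Edge, map[string]bool, error) {
	var bom Bom
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, nil, err
	}
	known := map[string]bool{} // the root application's bom-ref lives under metadata, not components
	for _, c := range append([]Component{bom.Metadata.Component}, bom.Components...) {
		known[c.BomRef] = true
	}
	var edges []Edge
	undeclared := map[string]bool{}
	note := func(ref string) {
		if !known[ref] {
			undeclared[ref] = true
		}
	}
	for _, d := range bom.Dependencies {
		note(d.Ref)
		for _, t := range d.DependsOn {
			edges = append(edges, Edge{From: d.Ref, To: t})
			note(t)
		}
	}
	return edges, undeclared, nil
}

// SampleBom is a constructed BOM modelled on the issue's snippet; "vertx-core" is deliberately
// left out of components so the undeclared-ref check has something to report.
const SampleBom = `{"bomFormat":"CycloneDX","specVersion":"1.4","metadata":{"component":{"bom-ref":"getting-started"}},
"components":[{"bom-ref":"resteasy-reactive"},{"bom-ref":"resteasy-common"}],"dependencies":[{"ref":"getting-started",
"dependsOn":["resteasy-reactive"]},{"ref":"resteasy-reactive","dependsOn":["resteasy-common","vertx-core"]}]}`
```

Running `DependencyEdges([]byte(SampleBom))` yields three edges and reports `vertx-core` as undeclared; a parser that only walks `components` would produce the single nodes described in this issue and none of the edges.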
running into errors trying to generate this @albert0815, could you share the copy you have while we try to fix the mvn errors
here you are: bom.zip
awesome thanks! @nadgowdas is working on a fix for this!
Cool, thank you. I was working on a system to manage CycloneDX BOMS and stumbled across the GUAC announcement. I thought it would be worth a try to replace my own storing routine with GUAC. I will take another look when this bug is solved.
Created another BOM for testing, for GUAC, using this command:
cyclonedx-gomod mod -json . > guac-bom.json
Maybe it helps :)
Created a PR for fix: https://github.com/guacsec/guac/pull/224
Hi @albert0815 does the PR fix this for you? if it does, we can close this :)
Related to the old CDX parser. Please re-open the issue if the bug reoccurs.