How to create a sbom for a golang project.

[MohammedAziz02]

@prabhu, I tried to create a sbom for a golang project using : cdxgen -t golang -o sbom.json --spec-version 1.4, but the sbom result have an empty list dependencies. how to fix this issue?
the file go.sum exists.

[prabhu]

@MohammedAziz02 questions could be discussions or slack/discord messages. I would always suggest running cdxgen with CDXGEN_DEBUG_MODE=debug environment variable. Depending on the project, the correct build tools have to be installed. You can verify that the environment is working well by attempting to build the projects.

The cdxgen container image which bundles many build tools and libraries can be a bit simpler, but may not work for all cases.

[MohammedAziz02]

I have all the tools installed also the environment is working well, i tried to build the project, it's works fine, also there is no error message when activate the debug mode. is there any other options ? thank you in advance.

[prabhu]

Can you share the output? Do you see the commands go mod graph and go list -deps being executed? Is this on Windows or Linux?

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L3026
https://github.com/CycloneDX/cdxgen/blob/master/index.js#L2982

[MohammedAziz02]

artifactSBOM.json
I'm using MacOS, and also the commands go mod graph and go list -deps are executed correctly without errors.

[prabhu]

Can you reproduce the issue with any public repo?