Bomber is not finding packages in a SBOM file that has been converted using the CycloneDX Convert function #171
Assignees
Comments
|
Appreciate you attaching the files! We'll take a look. |
|
@mirxcle have you taken a look yet? |
|
Just touching this issue again. @mirxcle note that this is an SPDX file. I'd bet the schema isn't compatible with Bomber so we'll have to see if there's a half decent SPDX go module we can use rather than have to roll our own. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The problem I am having is that bomber does NOT find any packages in a SBOM that has been converted by the cyclonedx-node covert process. The SBOM is generated from a javascript application.
To recreate for testing:
Create a CycloneDX SBOM in JSON format:
cyclonedx-node --output bomber-test.jsonIf we scan that SBOM with Bomber, it works:
Now convert that CycloneDX SBOM to SPDX using the cyclonedx convert function:
cat ./bomber-test.json | cyclonedx convert --input-format json --output-format spdxjson > ./converted-to-spdx.jsonNow that you have a freshly converted SPDX format SBOM, run Bomber against it:
bomber scan ./converted-to-spdx.jsonUnfortunately, Bomber doesn't find any packages even thought there are many components listed in the converted SBOM:
I'm attaching all files here so you can inspect them.
bomber-files.zip
The text was updated successfully, but these errors were encountered: