
HTML report generation fails silently when processing entire folder containing an "empty" SBOM #208

Open
henning-meinhardt opened this issue Mar 13, 2024 · 2 comments
Labels
bug Something isn't working

Comments


henning-meinhardt commented Mar 13, 2024

Generation of the HTML report for an entire directory fails silently when the directory contains an "empty" SBOM. I'm using the latest version, 0.4.8, and the following invocation:
bomber scan --debug --output html ./temp

In the temp folder I have multiple SBOMs (all in JSON format, generated using the "CycloneDX Gradle plugin" in a multi-project Gradle setup). Some of the SBOMs are from Gradle projects that don't add any extra dependency, so the resulting SBOMs are "empty". As soon as Bomber encounters one of these empty SBOMs it stops processing without giving a meaningful error message. Also, the --debug output doesn't expose any useful information. When I remove all the "empty" SBOMs, Bomber works correctly.

An example of an "empty" SBOM:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:339661e5-161c-4261-ae90-39e54cb9cd95",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-03-12T21:07:08Z",
    "tools" : [
      {
        "vendor" : "CycloneDX",
        "name" : "cyclonedx-gradle-plugin",
        "version" : "1.8.2"
      }
    ],
    "component" : {
      "group" : "xxxxxxx.xxx",
      "name" : "mailReceiver",
      "version" : "LOCAL-BUILD-SNAPSHOT",
      "purl" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar"
    }
  },
  "dependencies" : [
    {
      "ref" : "pkg:maven/xxxxxxx.xxx/mailReceiver@LOCAL-BUILD-SNAPSHOT?type=jar",
      "dependsOn" : [ ]
    }
  ]
}
henning-meinhardt (Author) commented

The other "non-empty" SBOMs all have a "components" section together with the "dependencies" section. The empty ones have only a "dependencies" section.
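
A small triage script, added here and not part of bomber or of the reporter's setup, that sorts the CycloneDX JSON files in a folder into the two shapes described above (no "components" key versus a populated one) and also reports dependency bom-refs that nothing defines, so a silently aborted run over a whole directory can be explained before scanning. The two sample documents and the pkg:maven/example/... purls are constructed for the example.

```python
import json
from pathlib import Path

# Constructed samples mirroring the shapes in the issue: the "empty" SBOM has a
# "dependencies" array but no "components" key at all.
EMPTY_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"bom-ref": "pkg:maven/example/mailReceiver@1"}},
    "dependencies": [{"ref": "pkg:maven/example/mailReceiver@1", "dependsOn": []}],
}
NONEMPTY_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1"}},
    "components": [{"purl": "pkg:maven/example/lib@2", "bom-ref": "pkg:maven/example/lib@2"}],
    "dependencies": [{"ref": "pkg:maven/example/app@1", "dependsOn": ["pkg:maven/example/lib@2"]}],
}


def classify(doc) -> str:
    """'invalid' unless a CycloneDX object; 'empty' if it lists no components."""
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        return "invalid"
    return "components" if doc.get("components") else "empty"


def undefined_refs(doc) -> set:
    """bom-refs used in "dependencies" that neither a component nor the root defines."""
    defined = {c.get("bom-ref") for c in doc.get("components", [])}
    root = doc.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        defined.add(root)
    used = set()
    for dep in doc.get("dependencies", []):
        used.add(dep.get("ref"))
        used.update(dep.get("dependsOn", []))
    return used - defined - {None}


def triage_directory(folder) -> dict:
    """Map each *.json file to its class so empty SBOMs can be set aside before a scan."""
    result = {}
    for path in sorted(Path(folder).glob("*.json")):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            result[path.name] = "invalid"
            continue
        result[path.name] = classify(doc)
    return result
```

Run `triage_directory("./temp")` on the folder passed to `bomber scan`; any file classified "empty" is a candidate for the silent stop described in this issue.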

djschleen (Member) commented

Hey @henning-meinhardt, I appreciate the detail there. I'll take a look at it. I have been doing some work on the HTML reports with @mirxcle to add some AI generated vulnerability info so we may have a regression issue.

@djschleen djschleen self-assigned this Mar 21, 2024
@djschleen djschleen added the bug Something isn't working label Mar 21, 2024