Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hierarchical merge does not work #303

Open
jimklimov opened this issue Jan 25, 2023 · 3 comments
Open

Hierarchical merge does not work #303

jimklimov opened this issue Jan 25, 2023 · 3 comments

Comments

@jimklimov
Copy link
Contributor

jimklimov commented Jan 25, 2023
edited
Loading

I have approximately a hundred SBOM files generated by cyclonedx maven plugin from particular versions of sources (a dozen top-level delivered services and their dependencies, ours and eventually third-party), and want to merge them into one "SBOM of a release" so we know if a particular release bundle was impacted by some vulnerabilities.

This fails however, and I have hard time guessing what to debug or fix looking at such a report (same for JSON and XML inputs):

:; ../../cyclonedx-win-x64-v0.24.2.exe merge \
      --output-file "../SBOM-java.json" \
      --group "com.project" \
      --name "Project-Release-Patch" \
      --version "cloud2022.11.0" \
      --input-files CycloneDX-Sbom-*.json \
      --hierarchical
...
Processing input file CycloneDX-Sbom-tpb-parent-2.5.0.json
    Contains 176 components
Unhandled exception: System.ArgumentNullException: Value cannot be null. (Parameter 'collection')
   at System.Collections.Generic.List`1.InsertRange(Int32 , IEnumerable`1 )
   at CycloneDX.Utils.CycloneDXUtils.HierarchicalMerge(IEnumerable`1 boms, Component bomSubject)
   at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
   at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
   at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<<UseVersionOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<<UseDebugDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<<UseExceptionHandler>b__0>d.MoveNext()

...I can only guess that one of the "original SBOMs" may lack or seem to duplicate some information which confuses an enumerator here, but nave no idea what needle to trawl for in 50Mb of text across hundreds of files.

Without the --hierarchical flag it succeeds with

...
Processing input file CycloneDX-Sbom-tpb-parent-2.5.0.json
    Contains 176 components
Writing output file...
    Total 7991 components

...but the flat structure loses the dependency info and lacks usable points in metadata/component info, in particular (#179 (comment))
@andreas-hilti
Copy link
Contributor

@jimklimov Did you eventually figure out the issue?
Could it be that one of your SBOMs doesn't have any components?
I see that here
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/b5fbaf66e4fcae632950744f66b7f37e41e2dcb3/src/CycloneDX.Utils/Merge.cs#L163
a check was missing in version 5.2.3 (which is the version used by the cli version 0.24.2) and was added at a later version.

If not, you could try the following instead of merging all hundred SBOMs at once:
Try merging only the first two SBOMs. If this is successful try merging the first three SBOMs, etc.
This could at least help to identify which SBOM is problematic and maybe give some hints on which part of it is problematic.

@andreas-hilti
Copy link
Contributor

Compare also CycloneDX/cyclonedx-dotnet-library#160.

@jimklimov
Copy link
Contributor Author

Thank you, good ideas to try when I get to my next-release rituals :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jimklimov @andreas-hilti