
cdx2spdx's People

Contributors: bhamail, goneall, theresa-m


cdx2spdx's Issues

Missing test resource files?

First, apologies if I'm missing the obvious. I think there may be some test resource files that did not get checked into the source repository. For example, when running the test: com.sourceauditor.spdxcyclone.CycloneToSpdxTest#testValidSbomV1dot4

I get:

com.sourceauditor.spdxcyclone.CycloneConversionException: File src/test/resources/specification/tools/src/test/resources/1.4/valid-bom-1.4.json does not exist.

	at com.sourceauditor.spdxcyclone.CycloneToSpdx.cycloneDxToSpdx(CycloneToSpdx.java:260)
	at com.sourceauditor.spdxcyclone.CycloneToSpdxTest.testValidSbomV1dot4(CycloneToSpdxTest.java:116)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
	at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:235)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:54)

Similar issue for this test:

testAllSbomExamples(com.sourceauditor.spdxcyclone.CycloneToSpdxTest)  Time elapsed: 0.005 sec  <<< ERROR!
java.nio.file.NoSuchFileException: src/test/resources/bom-examples/SBOM
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
...

Handle extracted license infos

If a CycloneDX license contains text and/or URLs and it doesn't match a listed license, an ExtractedLicenseInfo could be created.

CycloneDX conversion fails

I get the following error message on a CycloneDX file (attached, has been renamed to .txt to make attachment possible):

docker run -v ./sboms:/cdx2spdx/sboms -it --rm cdx2spdx
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Error converinging a CycloneDX component to element: Invalid download location sindresorhus/quick-lru. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?(http://www.|https://www.|http://|https://|ssh://|git://|svn://|sftp://|ftp://)?[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(/.*)?)|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\.@-]+)|(bzr+lp:[a-zA-Z0-9.-]+))$

If I can do more to help sort this out, please let me know, I am unfortunately not a Java coder.
rocket-chat.json.txt

Support for CycloneDX 1.5 or 1.6

I am a bit unsure as it is not very well defined in the sources, but it seems we are linking with cyclonedx.core.java 7.3.2, which is from Feb 2023.

I guess this means that we are at CycloneDX 1.4 level?

I have the issue right now that my SBOMs contain a components.externalReferences[].type="distribution-intake",
which I believe is new in 1.5.

That fails, in a quite inelegant way.

tool rename?

To make it clearer what this tool does by looking at it, suggest renaming to CDX2SPDX. SpdxCyclone could be interpreted as SPDX to CycloneDX. Cyclone doesn't mean much on its own, and there seems to be a shift to using CDX to summarize the Cyclone Data eXchange format.

npm group and name should have / and not : when stitching the spdx name together

We are seeing that an NPM package like "@angular/router" in the CycloneDX file is represented as

    "group": "@angular",
    "name": "router"

When the converter constructs the SPDX "name" value it does

    if (Objects.nonNull(group) && !group.isBlank()) {
        name = group + ":" + name;
    }

yielding an SPDX name of "name": "@angular:router"

For Java this works fine, as the delimiter between group and name in Java is ":".
But for NPM it is a "/", which is implicit in the CycloneDX.

Would it make sense to check the purl to find the package manager or what would be a good strategy?
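One way to answer that question, as an added example that is not the cdx2spdx project's own code: read the package manager from the component's purl type and choose the group/name delimiter per ecosystem. The delimiter table and the `spdxName`/`purlType` helper names are assumptions of this example; ecosystems not in the table keep the converter's current ":" behaviour.

```java
import java.util.Map;
import java.util.Objects;

// Added example (not cdx2spdx code): pick the delimiter between group and
// name for the SPDX "name" from the package manager named in the purl.
public class SpdxNameJoiner {
    // Assumed mapping: how each ecosystem writes namespace + name.
    // Anything not listed falls back to ":" (the converter's current choice).
    private static final Map<String, String> DELIMITER_BY_PURL_TYPE = Map.of(
            "npm", "/",
            "golang", "/",
            "github", "/",
            "maven", ":",
            "nuget", ":");

    // Returns the purl type, e.g. "npm" for "pkg:npm/%40angular/router@15.0.0",
    // or null when the string is absent or not a purl.
    static String purlType(String purl) {
        if (purl == null || !purl.startsWith("pkg:")) {
            return null;
        }
        int slash = purl.indexOf('/', 4);
        if (slash < 0) {
            return null;
        }
        return purl.substring(4, slash).toLowerCase();
    }

    static String spdxName(String purl, String group, String name) {
        if (Objects.isNull(group) || group.isBlank()) {
            return name;
        }
        String type = purlType(purl);
        // Map.of rejects null keys, so resolve the fallback explicitly.
        String delimiter = type == null ? ":" : DELIMITER_BY_PURL_TYPE.getOrDefault(type, ":");
        return group + delimiter + name;
    }

    public static void main(String[] args) {
        // Constructed sample components mirroring the @angular/router case above.
        System.out.println(spdxName("pkg:npm/%40angular/router@15.0.0", "@angular", "router"));
        System.out.println(spdxName("pkg:maven/com.google.errorprone/error_prone_annotations@2.2.0",
                "com.google.errorprone", "error_prone_annotations"));
        // No purl at all: keep the existing ":" join so older inputs convert unchanged.
        System.out.println(spdxName(null, "@angular", "router"));
    }
}
```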

Support for cpe data and a more lenient approach to invalid downloadLocation issues

I added the code needed to import cpe data from CycloneDX file.

I also (to get it working with my files) changed a fatal exception on an invalid downloadLocation URL to just being a warning (and ignoring the data).

I have the code in my local system.
Changes are minimal and isolated to CycloneSpdxConverter.java.

I am not a Github expert so putting things into a fork is somewhat beyond me.

CycloneSpdxConverter.java.tar.gz
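The lenient handling this issue and the earlier "CycloneDX conversion fails" issue both describe, as an added example that is not the project's own code or the attached patch: check a candidate against the downloadLocation pattern quoted in the converter's error message, and on a mismatch log a warning and write NOASSERTION instead of aborting the conversion. The `toSpdxDownloadLocation` helper name and the constructed inputs are this example's own.

```java
import java.util.regex.Pattern;

// Added example (not cdx2spdx code): validate a CycloneDX reference before
// using it as an SPDX downloadLocation, degrading to a warning plus
// NOASSERTION rather than a fatal exception.
public class DownloadLocationCheck {
    // The pattern quoted in the converter's "Invalid download location" message.
    private static final Pattern DOWNLOAD_LOCATION = Pattern.compile(
            "^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?"
            + "(http://www.|https://www.|http://|https://|ssh://|git://|svn://|sftp://|ftp://)?"
            + "[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(/.*)?)"
            + "|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\\.@-]+)|(bzr+lp:[a-zA-Z0-9.-]+))$");

    static boolean isValidDownloadLocation(String candidate) {
        return candidate != null && DOWNLOAD_LOCATION.matcher(candidate).matches();
    }

    // Lenient mapping: keep a valid location; otherwise record NOASSERTION and
    // warn, so the dropped provenance is visible in the conversion log rather
    // than silently lost.
    static String toSpdxDownloadLocation(String componentName, String candidate) {
        if (isValidDownloadLocation(candidate)) {
            return candidate;
        }
        System.err.println("WARNING: component " + componentName
                + " has invalid download location '" + candidate + "'; using NOASSERTION");
        return "NOASSERTION";
    }

    public static void main(String[] args) {
        // Constructed inputs: the bare repository slug from the issue above,
        // and the same repository written as a full URL that the pattern accepts.
        System.out.println(toSpdxDownloadLocation("quick-lru", "sindresorhus/quick-lru"));
        System.out.println(toSpdxDownloadLocation("quick-lru",
                "https://github.com/sindresorhus/quick-lru"));
    }
}
```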

Update utility for SPDX 2.3

  • mapping component type to package purpose
  • additional checksum algorithms to map
  • additional security external refs (advisory, fix, URL)
  • release date
  • built date
  • valid until date

Minimum JDK version

Hi there, thanks for creating this useful tool. It wasn't clear to me when installing what JDK version this is intended to run on. Is it accurate to document this as 11+? 8 did not work for me.

Any value of the Data License except CC0-1.0 makes the conversion fail.

When my cdx file has a top level license of anything but CC0-1.0 I get this error:

Eror copying metadata: Incorrect data license. Must be CC0-1.0

Not sure what the purpose is.
But if only a single value is allowed, why not simply set that value instead of failing the conversion when the source file has something else?

I am using sbomasm to generate BOMs and it hard-codes CC-BY-1.0.

Someone must be doing something wrong here.

Converting Errors

I went through the documented setup, and running ./mvnw clean package succeeds. When trying to run the spdxcyclone I am getting issues.

I am running this on a Windows VM with JDK 11.0.15, and I'm running spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar because all others exit with "no main manifest attribute". I run this jar file identically to the usage command java -jar spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar ./cyclonedx.json ./spdx.json and get the following error.

Thank you for any help you can provide!

11:52:33.229 [main] ERROR org.spdx.jacksonstore.JacksonSerializer - Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
Exception in thread "main" java.lang.RuntimeException: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
        at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:245)
        at java.base/java.util.stream.ReduceOps$4ReducingSink.accept(ReduceOps.java:220)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:589)
        at org.spdx.jacksonstore.JacksonSerializer.getDocElements(JacksonSerializer.java:240)
        at org.spdx.jacksonstore.JacksonSerializer.docToJsonNode(JacksonSerializer.java:117)
        at org.spdx.jacksonstore.MultiFormatStore.serialize(MultiFormatStore.java:166)
        at com.sourceauditor.spdxcyclone.CycloneToSpdx.cycloneDxToSpdx(CycloneToSpdx.java:278)
        at com.sourceauditor.spdxcyclone.CycloneToSpdx.main(CycloneToSpdx.java:218)
Caused by: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar.  Must be an SPDX Identifier or Anonymous
        at org.spdx.jacksonstore.JacksonSerializer.typedValueToObjectNode(JacksonSerializer.java:178)
        at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:243)
        ... 12 more

Times are converted to local times

When fetching the times from CycloneDX they are being represented as local times and being written back to the SPDX document as GMT times.

This is causing unit test failures if we try to compare the expected created times to what we find in the test files.

Hierarchical sbom component information

This is really not an issue specific to this tool but in case the tool was to implement a way of doing this it would be a great contribution to the versatility of both CDX and SPDX files.

We have the challenge that the SBOMs do not have a good/agreed way of defining

  • What is an internal component in a product
  • What is a direct dependency to an OSS component
  • What is a transitive dependency to an OSS component

I am aware that the distinction is an "overlay" to the concept of an SBOM, but nevertheless it is a very relevant distinction.

It is very possible that some existing fields can be used for this but it currently seems not.

Currently a convention has been set up in at least one of our systems to use the SPDX .comment field to indicate which product component (which part of the overall product scope) this SPDX defines.
However my argument against this is that it leaves you with only a single component per SBOM.
This is then solved by allowing a product to be defined by a zipped set of SPDX files.
Something which I believe is non standard?

Does anyone have a good idea how this can be solved?

I have tried defining the SBOMs as hierarchical merges of the component SBOMs.
However our systems tend to assume that the top level in the dependency tree represents the direct dependencies and any lower layers are transitive. Adding a hierarchy of product components messes up this assumption and everything OSS becomes transitive.

We need some flag/convention that explicitly identifies modules as being one or the other.

Version 0.1.4

  • Review all PR's and Issues
  • Pass unit tests
  • Run mvn org.owasp:dependency-check-maven:check
  • Update version
  • Run mvn deploy
  • Release to Maven on Sonatype
  • Create Github release
  • Bump version to snapshot
