spdx / cdx2spdx
Utility that converts SBOM documents from CycloneDX to SPDX
License: Apache License 2.0
I added the code needed to import cpe data from CycloneDX file.
I also (to get it working with my files) changed a fatal exception on an invalid downloadLocation URL to just being a warning (and ignoring the data).
I have the code in my local system.
Changes are minimal and isolated to CycloneSpdxConverter.java.
I am not a GitHub expert so putting things into a fork is somewhat beyond me.
When my cdx file has a top level license of anything but CC0-1.0
I get this error:
Eror copying metadata: Incorrect data license. Must be CC0-1.0
Not sure what is the purpose.
But if only a single value is allowed why not simply set that value instead of failing the conversion in case the source file has something else.
I am using sbomasm to generate boms and it hard-codes CC-BY-1.0.
Someone must be doing something wrong here.
First, apologies if I'm missing the obvious. I think there may be some test resource files that did not get checked into the source repository. For example, when running the test: com.sourceauditor.spdxcyclone.CycloneToSpdxTest#testValidSbomV1dot4
I get:
com.sourceauditor.spdxcyclone.CycloneConversionException: File src/test/resources/specification/tools/src/test/resources/1.4/valid-bom-1.4.json does not exist.
at com.sourceauditor.spdxcyclone.CycloneToSpdx.cycloneDxToSpdx(CycloneToSpdx.java:260)
at com.sourceauditor.spdxcyclone.CycloneToSpdxTest.testValidSbomV1dot4(CycloneToSpdxTest.java:116)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:235)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:54)
Similar issue for this test:
testAllSbomExamples(com.sourceauditor.spdxcyclone.CycloneToSpdxTest) Time elapsed: 0.005 sec <<< ERROR!
java.nio.file.NoSuchFileException: src/test/resources/bom-examples/SBOM
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
...
It is currently appended to the attribution text
To make it clearer what this tool does by looking at it, suggest renaming CDX2SPDX. SpdxCyclone could be interpreted as SPDX to CycloneDX. Cyclone doesn't mean much on its own, and there seems to be a shift to using CDX to summarize the Cyclone Data eXchange format.
If a CycloneDX license contains text and/or URLs and it doesn't match a listed license, an ExtractedLicenseInfo could be created.
mvn org.owasp:dependency-check-maven:check
mvn deploy
I am a bit unsure as it is not very well defined in the sources, but it seems we are linking with cyclonedx.core.java 7.3.2, which is from Feb 2023.
I guess this means that we are at CycloneDX 1.4 level?
I have the issue right now that my SBOMs contain a components.externalReferences[].type="distribution-intake".
Which I believe is new in 1.5.
That fails.
In a quite inelegant way.
We are seeing that an NPM package like
"@angular/router"
in the cyclonedx file is represented as
"group": "@angular"
"name": "router"
When the converter constructs the SPDX "name" value it does
if (Objects.nonNull(group) && !group.isBlank()) {
    name = group + ":" + name;
}
yielding an SPDX name of "name": "@angular:router"
For Java this works fine as the delimiter between group and name in Java is ":".
But for NPM it is a "/" which is implicit in the cyclonedx.
Would it make sense to check the purl to find the package manager or what would be a good strategy?
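One way to answer the question above: derive the delimiter from the purl type rather than always using ":". This is an added example and not code from cdx2spdx; the mapping of purl types to delimiters (npm, golang, github and docker use "/", everything else keeps ":") is my assumption, as are the class and method names and the constructed inputs.

```java
// Added example, not code from cdx2spdx: choose the group/name delimiter from the purl type.
import java.util.Locale;
import java.util.Objects;

public class SpdxNameFromCycloneDx {

    /** Returns the purl type (the segment between "pkg:" and the first "/"), lower-cased, or null. */
    static String purlType(String purl) {
        if (purl == null || !purl.startsWith("pkg:")) {
            return null;
        }
        int start = "pkg:".length();
        int slash = purl.indexOf('/', start);
        if (slash < 0) {
            return null;
        }
        return purl.substring(start, slash).toLowerCase(Locale.ROOT);
    }

    /**
     * Delimiter between the CycloneDX "group" and "name" for a given purl type.
     * Assumption: ecosystems whose canonical package name is "namespace/name" get "/",
     * everything else keeps the converter's existing ":" (correct for Maven coordinates).
     */
    static String delimiterFor(String purlType) {
        if (purlType == null) {
            return ":";
        }
        switch (purlType) {
            case "npm":
            case "golang":
            case "github":
            case "docker":
                return "/";
            default:
                return ":";
        }
    }

    /** Builds the SPDX package name the way the converter does, but with a purl-aware delimiter. */
    static String spdxName(String group, String name, String purl) {
        if (Objects.nonNull(group) && !group.isBlank()) {
            return group + delimiterFor(purlType(purl)) + name;
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the issue: an npm scoped package and a Maven artifact.
        System.out.println(spdxName("@angular", "router", "pkg:npm/%40angular/[email protected]"));
        System.out.println(spdxName("com.google.guava", "guava", "pkg:maven/com.google.guava/[email protected]"));
        // A component without a purl falls back to the current ":" behaviour.
        System.out.println(spdxName("@angular", "router", null));
    }
}
```

Falling back to ":" when there is no purl keeps today's output for existing consumers; a component with a purl of an unknown type also gets ":", so the table can be extended one ecosystem at a time without changing other results.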
I went through the documented setup, and running ./mvnw clean package succeeds. When trying to run the spdxcyclone I am getting issues.
I am running this on a Windows VM with JDK 11.0.15, and I'm running spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar because all the others exit with "no main manifest attribute". I run this jar file identically to the usage command java -jar spdxcyclone-0.0.1-SNAPSHOT-jar-with-dependencies.jar ./cyclonedx.json ./spdx.json and get the following error.
Thank you for any help you can provide!
11:52:33.229 [main] ERROR org.spdx.jacksonstore.JacksonSerializer - Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar. Must be an SPDX Identifier or Anonymous
Exception in thread "main" java.lang.RuntimeException: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar. Must be an SPDX Identifier or Anonymous
at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:245)
at java.base/java.util.stream.ReduceOps$4ReducingSink.accept(ReduceOps.java:220)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:589)
at org.spdx.jacksonstore.JacksonSerializer.getDocElements(JacksonSerializer.java:240)
at org.spdx.jacksonstore.JacksonSerializer.docToJsonNode(JacksonSerializer.java:117)
at org.spdx.jacksonstore.MultiFormatStore.serialize(MultiFormatStore.java:166)
at com.sourceauditor.spdxcyclone.CycloneToSpdx.cycloneDxToSpdx(CycloneToSpdx.java:278)
at com.sourceauditor.spdxcyclone.CycloneToSpdx.main(CycloneToSpdx.java:218)
Caused by: org.spdx.library.InvalidSPDXAnalysisException: Invalid ID SPDXRef-pkg-maven-com.google.errorprone-error_prone_annotations-2.2.0-type-jar. Must be an SPDX Identifier or Anonymous
at org.spdx.jacksonstore.JacksonSerializer.typedValueToObjectNode(JacksonSerializer.java:178)
at org.spdx.jacksonstore.JacksonSerializer.lambda$1(JacksonSerializer.java:243)
... 12 more
If not null, prefixing the SPDX name with the group will reduce possible fidelity loss.
When fetching the times from CycloneDX they are being represented as local times and being written back to the SPDX document as GMT times.
This is causing unit test failures if we try to compare the expected created times to what we find in the test files.
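The timezone problem described above, as an added example that is not part of cdx2spdx: a CycloneDX timestamp (a java.util.Date in cyclonedx-core-java) converted to the SPDX "created" string in UTC, next to the default-zone formatting that produces the mismatch, and a comparison that works in tests regardless of the host zone. Class and method names and the sample timestamp are constructed for this example.

```java
// Added example, not code from cdx2spdx: format a CycloneDX timestamp as an SPDX "created" value in UTC.
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;

public class SpdxCreatedTimestamp {

    // SPDX 2.x requires YYYY-MM-DDThh:mm:ssZ, i.e. the instant expressed in UTC.
    private static final String SPDX_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    /** Correct: convert the Date to an Instant and format it in UTC. */
    static String toSpdxCreated(Date cycloneDxTimestamp) {
        return DateTimeFormatter.ofPattern(SPDX_PATTERN)
                .withZone(ZoneOffset.UTC)
                .format(cycloneDxTimestamp.toInstant());
    }

    /**
     * The pitfall: formatting in the JVM default zone prints local wall-clock time
     * but still appends a literal 'Z', so the value is wrong unless the host runs in UTC.
     */
    static String toSpdxCreatedUsingDefaultZone(Date cycloneDxTimestamp) {
        return DateTimeFormatter.ofPattern(SPDX_PATTERN)
                .withZone(ZoneId.systemDefault())
                .format(cycloneDxTimestamp.toInstant());
    }

    /** Comparing timestamps in a test: compare instants, not strings rendered in some zone. */
    static boolean sameInstant(String spdxCreated, Date cycloneDxTimestamp) {
        return OffsetDateTime.parse(spdxCreated).toInstant().equals(cycloneDxTimestamp.toInstant());
    }

    public static void main(String[] args) {
        // Constructed input: a CycloneDX metadata.timestamp captured at 12:00 in a +02:00 zone.
        Date ts = Date.from(OffsetDateTime.parse("2023-02-01T12:00:00+02:00").toInstant());
        String created = toSpdxCreated(ts);   // the same instant, expressed in UTC, independent of host zone
        System.out.println("utc   : " + created);
        System.out.println("local : " + toSpdxCreatedUsingDefaultZone(ts));
        System.out.println("same instant: " + sameInstant(created, ts));
    }
}
```

Running the two formatters on a host whose default zone is not UTC shows the discrepancy the issue reports; pinning the formatter to ZoneOffset.UTC removes it, and comparing parsed instants keeps the unit tests independent of where they run.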
I get the following error message on a CycloneDX file (attached, has been renamed to .txt to make attachment possible):
docker run -v ./sboms:/cdx2spdx/sboms -it --rm cdx2spdx
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Error converinging a CycloneDX component to element: Invalid download location sindresorhus/quick-lru. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)+)?(http://www.|https://www.|http://|https://|ssh://|git://|svn://|sftp://|ftp://)?[a-z0-9]+([-.]{1}[a-z0-9]+){0,100}.[a-z]{2,5}(:[0-9]{1,5})?(/.*)?)|(git+git@[a-zA-Z0-9.-]+:[a-zA-Z0-9/\.@-]+)|(bzr+lp:[a-zA-Z0-9.-]+))$
If I can do more to help sort this out, please let me know, I am unfortunately not a Java coder.
rocket-chat.json.txt
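The failure above (and the local change mentioned in an earlier issue of turning the fatal exception into a warning) can be handled without dropping data: validate the CycloneDX value, and when it is not an acceptable SPDX downloadLocation write NOASSERTION and keep the original in the package comment so it is still auditable. This is an added example, not code from cdx2spdx; the validity check is a deliberate simplification of the library pattern in the error message (NONE, NOASSERTION, or an absolute URL with one of the allowed schemes, optionally with a "vcs+" prefix), and the class name, Sanitized type and sample values are constructed.

```java
// Added example, not code from cdx2spdx: accept a valid SPDX downloadLocation, otherwise warn
// and degrade to NOASSERTION while preserving the original value in a comment.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

public class DownloadLocationSanitizer {

    private static final Logger LOG = Logger.getLogger(DownloadLocationSanitizer.class.getName());

    // Schemes the SPDX downloadLocation grammar allows; a simplification of the library's full pattern.
    private static final Set<String> SCHEMES =
            Set.of("http", "https", "ssh", "git", "svn", "sftp", "ftp");

    /** Value to write plus an optional package comment carrying the rejected original. */
    static final class Sanitized {
        final String downloadLocation;
        final String comment;   // null when nothing was changed

        Sanitized(String downloadLocation, String comment) {
            this.downloadLocation = downloadLocation;
            this.comment = comment;
        }
    }

    /** Simplified check: NONE/NOASSERTION, or an absolute URL (optionally "vcs+" prefixed) with a host. */
    static boolean isValidDownloadLocation(String value) {
        if (value == null || value.isBlank()) {
            return false;
        }
        if ("NONE".equals(value) || "NOASSERTION".equals(value)) {
            return true;
        }
        String candidate = value;
        int plus = value.indexOf('+');
        int schemeSep = value.indexOf("://");
        if (plus > 0 && schemeSep > plus) {
            candidate = value.substring(plus + 1);   // e.g. git+https://host/repo -> https://host/repo
        }
        try {
            URI uri = new URI(candidate);
            return uri.getScheme() != null
                    && SCHEMES.contains(uri.getScheme().toLowerCase(Locale.ROOT))
                    && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Never aborts the conversion: invalid input becomes NOASSERTION plus a comment, and a warning is logged. */
    static Sanitized sanitize(String value) {
        if (isValidDownloadLocation(value)) {
            return new Sanitized(value, null);
        }
        LOG.warning("Invalid download location '" + value + "'; writing NOASSERTION instead");
        return new Sanitized("NOASSERTION",
                "CycloneDX download location was not a valid SPDX downloadLocation: " + value);
    }

    public static void main(String[] args) {
        // Constructed inputs: the repository slug from the issue, a vcs+url form, and a plain URL.
        for (String v : new String[] {"sindresorhus/quick-lru",
                                      "git+https://github.com/sindresorhus/quick-lru.git",
                                      "https://registry.npmjs.org/quick-lru/-/quick-lru-5.1.1.tgz"}) {
            Sanitized s = sanitize(v);
            System.out.println(v + " -> " + s.downloadLocation
                    + (s.comment == null ? "" : " (" + s.comment + ")"));
        }
    }
}
```

The bare "owner/repo" slug has no scheme, so java.net.URI parses it as a relative reference and it is rejected; the conversion continues, the reader of the SPDX file sees NOASSERTION rather than a fabricated URL, and the original string survives in the comment for anyone who needs to resolve it by hand.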
This is really not an issue specific to this tool but in case the tool was to implement a way of doing this it would be a great contribution to the versatility of both CDX and SPDX files.
We have the challenge that the SBOMs do not have a good/agreed way of defining
I am aware that the distinction is an "overlay" to the concept of an SBOM but nevertheless it is a very relevant distinction.
It is very possible that some existing fields can be used for this but it currently seems not.
Currently a convention has been set up in at least one of our systems to use the SPDX .comment field to indicate which product component (which part of the overall product scope) this SPDX defines.
However my argument against this is that it leaves you with only a single component per SBOM.
This is then solved by allowing a product to be defined by a zipped set of SPDX files.
Something which I believe is non standard?
Does anyone have a good idea how this can be solved?
I have tried defining the SBOMs as hierarchical merges of the component SBOMs.
However our systems tend to assume that the top level in the dependency tree represents the direct dependencies and any lower layers are transitive. Adding a hierarchy of product components messes up this assumption and everything OSS becomes transitive.
We need some flag/convention that explicitly identifies modules as being one or the other.
Hi there, thanks for creating this useful tool. It wasn't clear to me when installing what JDK version this is intended to run on. Is it accurate to document this as 11+? 8 did not work for me.