Problems with purl in multi language project.

[apollo13]

Hi there, I am trying to use cdxgen in a Python project which also uses some Javascript. While trying to generate a useable BOM I am running into a few issues. I am running the CLI via:

podman run -e CDXGEN_DEBUG_MODE=debug --rm -it -v `pwd`:/app:z ghcr.io/cyclonedx/cdxgen /app --no-babel -o /app/bom.json --project-name oversight --project-version latest

The issues I have are as follows:

• The purl of the project itself ends up being: pkg:npm/oversight@latest -- can I somehow get rid of npm there? This is not a project that will ever be pushed to NPM and it first and foremost is a Python project.

• The NPM purl obviously has no dependencies on the python components (which are properly found though):

Scanning /app
Parsing /app/package-lock.json
Found 1 npm packages at /app
Found 3 python packages at /app
Found 0 rust packages at /app
Found 0 ruby packages at /app
Found 0 cpp packages at /app
Obtained 4 components and 6 dependencies after dedupe.
===== WARNINGS =====
[ 'Invalid ref in dependencies pkg:pypi/oversight@latest' ]

• If I run with -t python it is somewhat better:

    "component": {
      "group": "",
      "name": "oversight",
      "version": "latest",
      "type": "application",
      "bom-ref": "pkg:application/oversight@latest",
      "purl": "pkg:application/oversight@latest"
    },

but it still complains: [ 'Invalid ref in dependencies pkg:pypi/oversight@latest' ] since pkg:application/oversight@latest has no dependency on pkg:pypi/oversight@latest.

Note that this is correct if I drop --project-name and --project-version because it then generates pkg:pypi/oversight@latest for the project itself and the dependencies are filled properly.

So I guess my main questions are:

• How can I get more control over the project purl?
• How can I properly attach all python and npm dependencies?

Please see the attached files for a demo project.
bom.json
project.zip

[apollo13]

Okay, I see that @prabhu added multiple types support in #1202 for 10.8.0 which is basically new, so it seems I might be running into some bugs here. Nevertheless if someone has some ideas what I might be doing wrong, please let me know.

[apollo13]

Okay, I figured out what is happening. If I specify --project-name and --project-version then addMetadata will filter out the components since they match the "parent" namewise. Essentially

/opt/cdxgen/bin/cdxgen.js --no-babel -t js -t python --project-name oversight --project-version 123

enters dedupeBom with a parentComponent of:

{
  group: '',
  name: 'oversight',
  version: '123',
  type: 'application',
  'bom-ref': 'pkg:application/oversight@123',
  purl: 'pkg:application/oversight@123',
  components: [
    {
      author: undefined,
      group: '',
      name: 'oversight',
      version: '123',
      type: 'application',
      purl: 'pkg:npm/oversight@123',
      'bom-ref': 'pkg:npm/oversight@123'
    },
    {
      name: 'oversight',
      description: 'Default template for PDM package',
      version: '123',
      type: 'application',
      'bom-ref': 'pkg:pypi/oversight@123',
      purl: 'pkg:pypi/oversight@123'
    }
  ]
}

This is pretty close to what I actually want!

But now the subcomponents are getting thrown out in addMetadata:

cdxgen/index.js

Lines 557 to 565 in 5f05154

	// Fixes #479
	// Prevent the parent component from also appearing as a sub-component
	// We cannot use purl or bom-ref here since they would not match
	// purl - could have application on one side and a different type
	// bom-ref could have qualifiers on one side
	// Ignore components that have the same name as the parent component but with latest as the version.
	// These are default components created based on directory names
	if (
	fullName !== parentFullName &&

I have no idea what the proper fix is here :/

[apollo13]

While looking through it I also noted that for js projects the name gets overriden even though one is defined in package.json. This for instance does not happen for python packages (and probably shouldn't get done especially not in the multi bom case).

[prabhu]

Have you attached a project to replicate this? Or if you could collect all such bugs, we can perhaps meet in September (Aug is holiday time) and figure out an approach.

[apollo13]

Hi @prabhu, I have uploaded a minimal POC to Github: https://github.com/apollo13/cdxgen-issues

This repo includes all the files for the issues I have mentioned. I have collected the individual bugs into separate issues on said repository: https://github.com/apollo13/cdxgen-issues/issues (the resulting boms are in the repo as well and the issue descriptions include the executed cdxgen cli).

I hope this helps, if you want we can setup a call in September.

[apollo13]

@prabhu Did you get any chance to look at the repo and it's issues that I posted in the previous comment? Anything I can do to help there?

[apollo13]

One possible workaround as of now is running cdxgen twice (once with -t py and once with -t js) and then merge via:

cyclonedx merge   --input-files python.json javascript.json --output-file test.json --hierarchical --name yolo --version 123

[apollo13]

It is still the zip file from the initial post (plus an basically empty package.json with a name set). I'll put it into a repo in Monday with sample outputs and where I think there would be areas for improvement. I'd love to discuss this in September if you want to. Otherwise async like we currently do is fine as well. Not sure if all those are bugs though.

…

On Sat, Jul 27, 2024, at 12:08, prabhu wrote: Have you attached a project to replicate this? Or if you could collect all such bugs, we can perhaps meet in September (Aug is holiday time) and figure out an approach. — Reply to this email directly, view it on GitHub <#1272 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAT5C6Q2AFAC7H3TJWJCXTZONWQ7AVCNFSM6AAAAABLOUYUGWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMJWGY3DQMQ>. You are receiving this because you authored the thread.Message ID: ***@***.***>