CDXGEN SBOM not identifying the executables that are present in nested directories

[spnzig]

I am running cdxgen command to generate an SBOM for my project from the root directory. Two level deeper from the root, I have a binary directory with .so and .dll files. These files should ideally be analysed by cdxgen using binary-analysis-technique and must be reported in bom.json. However, the bom.json has components that are only identified by manifest-analysis or source-code-analysis.

If I run cdxgen command from the /bin directory, then the SBOM will have components from the .so and .dll files.

How can I generate an exhaustive sbom from the root directory (containing source files, manifest and binary file types)

[prabhu]

@spnzig I will have a think about this. Currently, we rely on blint to parse .so files and dosai for .dll files. Perhaps, -t binary could be enhanced to utilize both.

[prabhu]

It has to be an opt-in. So it will be -t universal -t binary.

[spnzig]

@prabhu I guess I am calling it wrong?

[prabhu]

Could you use the latest version?

[spnzig]

@prabhu did that and upgraded it to 10.10.1 and ran cdxgen -t universal -t binary . However, the SBOM still doesn't have .so and other components from binary-analysis. A grep for 'binary-analysis' in the SBOM generated had no output. Does this work recursively? or is there another option for that?

[prabhu]

Can you run it with CDXGEN_DEBUG_MODE=debug environment variable and see if blint is getting invoked. You can feel free to run blint sbom command manually and merge the resulting SBOMs.