Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

converting issues #381

Open
AJquetta opened this issue Jul 19, 2024 · 10 comments
Open

converting issues #381

AJquetta opened this issue Jul 19, 2024 · 10 comments

Comments

@AJquetta
Copy link

Hello, I am trying to convert a csv formt sbom in to cyclonedx format with version 1.4

I am using following command : cyclonedx convert --input-file 'Sda.txt' --input-format csv --output-file wwse.json --output-format json --output-version v1_5

but when it generates wwse.json file its empty, can anyone explain why, I also did like this:

cyclonedx convert --input-file 'Sda.csv' --input-format csv --output-file wwse.json --output-format json --output-version v1_5

using sda.csv

but still same issue.
@andreas-hilti
Copy link
Contributor

@AJquetta Can you please attach your csv file (or a sample) such that we can reproduce your issue?

@AJquetta
Copy link
Author

PU LABEL,COMPONENT LABEL,COMPONENT TYPE,COMPONENT VENDOR,COMPONENT NAME,COMPONENT VERSION,COMPONENT STATUS
PU01,C001,LIB,esp-idf_project,esp-idf,v4.3.0,ACTIVE,
PU01,C002,LIB,mbedtls_project,mbedtls,v4.3.0,ACTIVE,
PU01,C003,LIB,lwip_project,lwip,v4.3.0,ACTIVE,
PU01,C004,OS,freertos_kernel_project,freertos_kernel,v4.3.0,ACTIVE,
PU01,C005,LIB,DaveGamble,cjson,1.7.15,ACTIVE,
PU01,C006,FRM,GNU,gcc,8.4.0,ACTIVE,
PU01,C007,LIB,Nghttp2,nghttp2,1.41.0,ACTIVE,
PU01,C008,LIB,bt_project,bt,v4.3.0,ACTIVE,
PU01,C009,LIB,newlib_project,newlib,v4.3.0,ACTIVE,
PU01,C010,LIB,Bluetooth,Bluetooth,5.0,ACTIVE,
PU01,C011,LIB,Bluetooth,mesh_profile,1.0.0,ACTIVE,
PU01,C012,LIB,Secpat,atecclib,-,ACTIVE,
PU01,C013,LIB,mqtt_project,mqtt,v4.3.0,ACTIVE,
PU01,C014,HW,Espressif,ESP32,-,ACTIVE,

here is it. can you try to convert and let me know if you can, or is there any issue wit csv file data or something is missing there.

Also if you did convert it, can you also show me the command that you used.

THanks.

@andreas-hilti
Copy link
Contributor

andreas-hilti commented Jul 21, 2024
edited
Loading

@AJquetta The problem is your input data, or more precisely the headers.
The csv file needs to adhere to the example:
https://github.com/CycloneDX/cyclonedx-cli/blob/main/example.csv
see also:

cyclonedx-cli/README.md

Lines 124 to 135 in 03b8019

### CSV Format
The CSV format is a limited representation of the list of components in a BOM.
The intention is to provide a simple way for users to produce and consume BOMs
for simple use cases. Including simple data migration use cases.
The only required fields are the component `name` and `version` fields. Others
can be left blank or the columns omitted.
[example.csv](example.csv)

If I modify some of the headers (I'm not sure whether there are matching properties for the others, e.g. COMPONENT VENDOR might be Supplier or Publisher):
PU LABEL,COMPONENT LABEL,Type,COMPONENT VENDOR,Name,Version,COMPONENT STATUS
and change the type to Library, Operating_System, Framework, or Device, I get a non-empty BOM.

The command that I used was:
cyclonedx.exe convert --input-file sda_mod.csv --input-format csv --output-file wwse_mod.json --output-format json --output-version v1_5
(i.e. yours looked correct).

@AJquetta
Copy link
Author

So the problem is with the csv file? and have you made changes to the csv file that I provided, if yes can you share with me.

Did you only change type with Library?

@andreas-hilti
Copy link
Contributor

Yes, the problem is the csv file; here is the modified file that I used:
sda_mod.csv

@AJquetta
Copy link
Author

yeah, but when I try to put the genrated sbom from csv to cyclonedx in to snyk sbom checker it gives me this error: We couldn't find any Package URLs (purls) or external references containing purls in the provided SBOM.

https://snyk.io/code-checker/sbom-security/

can you sopy pasted the sbom which you converted in this and see if it shows vulnerability detection as I tried to convert csv to cyclonedx but I think csv data us nit complete or there is a problem with proper conversion between formats.

@andreas-hilti
Copy link
Contributor

Well, the generated BOM is a valid BOM, but it indeed does not contain any purls, as the csv data did not contain them. If you want to have them included, you will need to provide them in a "Purl" column.

@AJquetta
Copy link
Author

okay thanks @andreas-hilti

@AJquetta
Copy link
Author

Well, the generated BOM is a valid BOM, but it indeed does not contain any purls, as the csv data did not contain them. If you want to have them included, you will need to provide them in a "Purl" column.

but is it possible i can get the purls from any tool or somewhere or is it that I have to ask the vendor to provide them?, or there are any open source tools that can import this csv file and generate there purls?

@andreas-hilti
Copy link
Contributor

From where do you get your dependencies? If you use some kind of package management system, like conan, maven, pypi, nuget, etc. then you can hope to get purls automatically (but then you should actually rather use a specialized tool than to rely on csv import via cli to produce the SBOM). Otherwise, you can't hope for a tool to figure this out; how should it be able to do so (i.e. how should it be able to know from where you got the dependencies)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andreas-hilti @AJquetta