devops-kung-fu/bomber

No results when scanning CycloneDX file from cargo-cyclonedx

Feelemoon opened this issue · 3 comments

When scanning a CycloneDX file from https://github.com/CycloneDX/cyclonedx-rust-cargo no output is generated.

It would be nice if the user is informed whether the BOM has been scanned or not (for some reason).

Thanks for the issue! We'll take a look.

@Feelemoon I used [this](https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/main/cyclonedx-bom/tests/data/1.3/valid-bom-1.3.json) SBOM from that project and although it is valid JSON, it had an empty Purl in it which caused a problem. Bomber threw a "scheme missing" error - which doesn't say much. In the JSON the issue is with the second component. It has no Purl and therefore can't be scanned:

image

I was testing with the new 0.4.1 version of bomber which we just released, and we did fix some output issues when nothing was found. Here is a debug screenshot:

image

Not sure if you were testing another SBOM, but could you try running 0.4.1 on it?

#137 compensates for this use case by removing empty or invalid purls.
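The behaviour described in the comments above (an empty purl in one component making the whole scan fail with "scheme missing", and the fix of dropping empty or invalid purls while telling the user what was skipped) as an added example; this is not bomber's own code or the #137 patch. The sample BOM is constructed, and `ValidPurl` is a deliberately minimal check for the `pkg:<type>/<name>` shape, not a full package-URL parser.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Component and BOM cover only the CycloneDX JSON fields this example needs.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"`
}

type BOM struct {
	Components []Component `json:"components"`
}

// sampleBOM is a constructed CycloneDX 1.3 document modelled on the issue:
// the second component has an empty purl, the third a purl with no scheme.
const sampleBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.3",
  "components": [
    {"name": "serde", "version": "1.0.0", "purl": "pkg:cargo/serde@1.0.0"},
    {"name": "no-purl-crate", "version": "0.1.0", "purl": ""},
    {"name": "bad-purl-crate", "version": "0.2.0", "purl": "cargo/bad@0.2.0"}
  ]
}`

// ValidPurl reports whether s has the "pkg:" scheme followed by a non-empty
// type and name ("pkg:<type>/<name>..."). Anything else cannot be looked up.
func ValidPurl(s string) bool {
	if !strings.HasPrefix(s, "pkg:") {
		return false // this is the "scheme missing" case from the issue
	}
	parts := strings.SplitN(strings.TrimPrefix(s, "pkg:"), "/", 2)
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// ScannablePurls parses a CycloneDX JSON BOM and returns the purls that can be
// scanned plus a human-readable list of components skipped for an empty or
// invalid purl, so the user learns why part of the BOM was not scanned.
func ScannablePurls(bomJSON []byte) (purls, skipped []string, err error) {
	var bom BOM
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, nil, fmt.Errorf("parse BOM: %w", err)
	}
	for _, c := range bom.Components {
		if !ValidPurl(c.Purl) {
			skipped = append(skipped, fmt.Sprintf("%s@%s (purl %q)", c.Name, c.Version, c.Purl))
			continue
		}
		purls = append(purls, c.Purl)
	}
	return purls, skipped, nil
}

func main() {
	purls, skipped, err := ScannablePurls([]byte(sampleBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("scanning:", purls)
	for _, s := range skipped {
		fmt.Println("skipped (no valid purl):", s)
	}
}
```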