[Question] [ws-sbom-generator] Generate the spdx for a product + viewer
alalitkdi opened this issue · 10 comments
Question
• What command to use if I want to generate the spdx for a product (containing all residing projects)? Unfortunately, I only found ways to generate either for the whole org, or a specific project.
• Do you recommend a viewer/reader tool for SPDX format? I know this is the standard for BOM information, but I didn’t find any straightforward tools.
Commands I used:
For all projects in the org:
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a URL -t tv -o </path/reports>
For one project:
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s URL -o </path/reports>
Environment Details
- OS: [Windows 10]
- Browser [Chrome]
- Version [99.0.4844.82 (Official Build) (64-bit)]
Hi @alalitkdi ,
You can use the following syntax to generate the spdx for a product:
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -s <WS_PRODUCT_TOKEN> -a saas -t tv -o </path/reports>
As for spdx viewer / reader - you can check https://tools.spdx.org/app/
Thanks,
WhiteSource PS team
Thanks! It starts to create the report but it abruptly stops with an error:
ws_sdk.ws_errors.WsSdkServerGenericError: Generic error on token: 'a2c91221xxxxxxxxxxxxxxxxxxxxxxxx0c77ae3'. Error: {"errorCode":4000,"errorMessage":"Unexpected error"}
The token mentioned here is the product token.
This is the query I run:
ws_sbom_generator -u 3f1dbb992bbxxxxxxxxxxxxxxxfa68ec79293f7 -k 5c987a0cxxxxxxxxxxxxxxxxxxx083f337b499162 -s a2c91221xxxxxxxxxxxxxxxxxxxxxxxx0c77ae3 -a -t tv -o C:\Projects\ws-sbom-generator-master\Reports
The redacted output log is attached here.
ws-log.txt
Hi @alalitkdi - I'm checking and will get back to you in advance.
Hi @alalitkdi , there is a pre-release of our sdk which fixes this issue (pip install ws-sdk==0.9.0.6a1).
I'm doing some additional tests.
Once done I will implement that sdk's version in a new version of the ws-sbom-generator.
Hi @alalitkdi ,
Please check the new version of ws-sbom-generator
Hi @rammatzkvosky, I can confirm that the new version works fine and generates the report. However, the report fails to get validated with the following error:
Analysis exception processing SPDX file: Invalid checksum: SHA1: at line number 23720
Validated at: https://tools.spdx.org/app/validate/
Hi @alalitkdi , the exception is due to libraries without a sha1 checksum in WhiteSource (mainly in-house libraries which are unidentified).
Let me see what can be done, as a checksum value is mandatory.
Hi @alalitkdi ,
Please notice that the generated report you mentioned was not in the correct format as we can't merge a specific WhiteSource product's projects to a single report.
Each WhiteSource project should have its own separate report.
The PR I created will cover the mentioned command + the cases where sha1 is missing.
Thanks @rammatzkvosky! The requirement was to have a product and its projects in a single report, like stated in the original thread. Thanks for resolving it.
How should I use the latest version to regenerate the report?
Hi @alalitkdi ,
One of SPDX's specifications is to present the relationships between SPDX elements (i.e. 'DEPENDS_ON', 'DEPENDENCY_OF').
As such, the relationships are presented on the project's level only (there is no connection between 2 projects' dependencies under the same product).
More info on Projects at WhiteSource
When merging all of the projects' inventory under a single product, it breaks the level of the relationship (especially if two different projects have the same packages).
For that reason, we are only able to apply an SBOM report per WhiteSource project.
Please use the following syntax:
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PRODUCT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports>
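A pre-flight check for a generated tag-value report covering the two failure classes this thread runs into: a package whose SHA1 checksum is empty or not 40 hex characters (the "Invalid checksum: SHA1" validator error above), and a relationship that points at an SPDXID the document never defines (the per-project relationship constraint described above). This is an added example, not part of ws-sbom-generator or the ws-sdk; the SPDX fragment is constructed, and the empty-checksum line is an assumption about what the validator tripped on.

```python
import re

# Constructed SPDX 2.x tag-value fragment, modelled on the thread's failure:
# one package carries an empty SHA1 checksum and one relationship points at
# an SPDXID that is never defined. (Assumed shape, not real tool output.)
SAMPLE_TV = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-project
PackageName: libfoo
SPDXID: SPDXRef-libfoo
PackageChecksum: SHA1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
PackageName: in-house-lib
SPDXID: SPDXRef-inhouse
PackageChecksum: SHA1:
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-libfoo
Relationship: SPDXRef-libfoo DEPENDS_ON SPDXRef-inhouse
Relationship: SPDXRef-libfoo DEPENDS_ON SPDXRef-missing
"""

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def lint_tag_value(text):
    """Return a list of (line_number, message) for problems a validator would reject."""
    problems, ids, relationships = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("SPDXID:"):
            ids.add(line.split(":", 1)[1].strip())
        elif line.startswith("PackageChecksum:"):
            # Value has the form "<ALGO>: <hex>"; an empty or short SHA1 is what broke validation
            algo, _, value = line[len("PackageChecksum:"):].strip().partition(":")
            value = value.strip()
            if algo.strip() == "SHA1" and not SHA1_RE.match(value):
                problems.append((lineno, "Invalid checksum: SHA1: %r" % value))
        elif line.startswith("Relationship:"):
            parts = line.split(":", 1)[1].split()
            if len(parts) != 3:
                problems.append((lineno, "Malformed relationship"))
            else:
                relationships.append((lineno, parts[0], parts[2]))
    # Every side of a relationship must be an SPDXID defined in this document
    for lineno, left, right in relationships:
        for ref in (left, right):
            if ref not in ids:
                problems.append((lineno, "Relationship references undefined %s" % ref))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint_tag_value(SAMPLE_TV):
        print("line %d: %s" % (lineno, msg))
```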