Closed
Description
Describe the bug
Using DejaCode's "Load Packages from SBOM" feature with ScanCode.io fails when using SBOMs generated by cdxgen in the CycloneDX v1.5 and v1.6 format. It appears that v1.4 is handled correctly. This problem could be related to #1171
Stack trace for sbom-1-5.cdx.json:
Unexpected key lifecycles/lifecycles in data being serialized to cyclonedx.model.bom.BomMetaData
Traceback:
File "/opt/scancodeio/scanpipe/pipelines/__init__.py", line 204, in execute
step(self)
File "/opt/scancodeio/scanpipe/pipelines/load_sbom.py", line 57, in get_packages_from_sboms
self.packages = resolve.get_packages(
^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 70, in get_packages
if packages := resolve_manifest_resources(resource, package_registry):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 47, in resolve_manifest_resources
packages = get_packages_from_manifest(resource.location, package_registry) or []
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 119, in get_packages_from_manifest
resolved_packages = resolver(input_location=input_location)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 252, in resolve_cyclonedx_packages
cyclonedx_bom = Bom.from_json(data=cyclonedx_document)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 333, in from_json
_data[k] = prop_info.concrete_type.from_json(data=v)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 301, in from_json
raise ValueError(
Stack trace for sbom-1-6.cdx.json:
Unexpected key lifecycles/lifecycles in data being serialized to cyclonedx.model.bom.BomMetaData
Traceback:
File "/opt/scancodeio/scanpipe/pipelines/__init__.py", line 204, in execute
step(self)
File "/opt/scancodeio/scanpipe/pipelines/load_sbom.py", line 57, in get_packages_from_sboms
self.packages = resolve.get_packages(
^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 70, in get_packages
if packages := resolve_manifest_resources(resource, package_registry):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 47, in resolve_manifest_resources
packages = get_packages_from_manifest(resource.location, package_registry) or []
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 119, in get_packages_from_manifest
resolved_packages = resolver(input_location=input_location)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 252, in resolve_cyclonedx_packages
cyclonedx_bom = Bom.from_json(data=cyclonedx_document)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 333, in from_json
_data[k] = prop_info.concrete_type.from_json(data=v)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/venv/lib/python3.12/site-packages/serializable/__init__.py", line 301, in from_json
raise ValueError(
System configuration
- Which version of ScanCode.io are you running?
  - Tested with both 34.4.0 and 3df1a0b
- Are you running the app using Docker?
  - Yes
- On which OS?
  - Linux (Debian)
- What inputs are you using?
- Which pipeline are you running?
  - load_sbom
To Reproduce
Steps to reproduce the behavior:
- Open ScanCode.io
- Click "New Project"
- Give the project a memorable name
- Select either the sbom-1-5.cdx.json or sbom-1-6.cdx.json file
- Set "Pipeline" to load_sbom
Expected behavior
The SBOM in CycloneDX v1.5 format should be properly imported.
Screenshots
Screenshot should not be needed.
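A pre-flight check for the failure described in this report, added here as an example; it is not ScanCode.io's or cyclonedx-python-lib's code. It parses a CycloneDX JSON document with the standard library only, reports the `specVersion`, and flags the `metadata.lifecycles` key that the traceback above shows `BomMetaData.from_json` rejecting, so an operator can tell before running `load_sbom` whether a cdxgen-produced 1.5/1.6 file will trip this error. The two embedded SBOMs are constructed for the example. It assumes `lifecycles` is the only offending metadata key (the only one the traceback names); `strip_unsupported_metadata` is an interim workaround that discards lifecycle information, not a fix for the loader.

```python
import json

# Constructed sample documents (not the files attached to the report): a minimal
# CycloneDX 1.4 SBOM, and a 1.5 SBOM carrying the metadata.lifecycles field
# that cdxgen emits for the newer spec versions.
SBOM_1_4 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"timestamp": "2024-01-01T00:00:00Z"},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

SBOM_1_5 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "lifecycles": [{"phase": "build"}],
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Metadata keys the ScanCode.io traceback reports as "Unexpected key" when
# deserializing cyclonedx.model.bom.BomMetaData. Assumption: "lifecycles" is
# the only one; extend this set if the loader rejects further keys.
UNSUPPORTED_METADATA_KEYS = {"lifecycles"}


def inspect_sbom(text: str) -> dict:
    """Return a small compatibility report for a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    meta = doc.get("metadata") or {}
    if not isinstance(meta, dict):
        raise ValueError("metadata must be a JSON object")
    offending = sorted(k for k in meta if k in UNSUPPORTED_METADATA_KEYS)
    return {
        "spec_version": doc.get("specVersion"),
        "component_count": len(doc.get("components") or []),
        "unsupported_metadata_keys": offending,
        # True when none of the known-rejected keys are present.
        "loadable": not offending,
    }


def strip_unsupported_metadata(text: str) -> str:
    """Workaround (assumption, not the project's fix): drop the rejected
    metadata keys so the document can be fed to the loader. Lifecycle
    information is lost; keep the original file alongside the stripped copy."""
    doc = json.loads(text)
    meta = doc.get("metadata")
    if isinstance(meta, dict):
        for key in UNSUPPORTED_METADATA_KEYS:
            meta.pop(key, None)
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for label, sbom in (("1.4 sample", SBOM_1_4), ("1.5 sample", SBOM_1_5)):
        report = inspect_sbom(sbom)
        print(label, report)
        if not report["loadable"]:
            stripped = strip_unsupported_metadata(sbom)
            print("after stripping:", inspect_sbom(stripped))
```

Run it against a real cdxgen output by reading the file into `inspect_sbom`; a report with `loadable` set to False and `lifecycles` listed reproduces the condition behind the traceback, while a 1.4 document passes. Because the check only looks at top-level metadata keys, it will not catch other 1.5/1.6 fields the loader may not support yet.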