I just want to plug in SBOM for my project, use cyclonedx-gomd command why download cyclonedx-go first, how to solve this problem

[monkeylijin]

[Dungeon1]

Same problem

[nscuro]

why download cyclonedx-go first

cyclonedx-gomod is using the go mod why command to force Go to download all required modules to the local module cache. Other ways of performing this download (e.g. go mod download) potentially modify the go.sum file which is an undesired side-effect.

github.com/CycloneDX/cyclonedx-go in this command is more or less a placeholder. It may just as well be foobar. Go will not download the provided module. It will download all modules actually required by your project, and then check locally if github.com/CycloneDX/cyclonedx-go is among them.

If this step fails, then the Go command in general is likely not able to download modules in your environment.

Can you try adding the -verbose flag and see if there's any additional output?

[monkeylijin]

Thanks for the reply, I used the private server for go.mod. The download error was caused by the dependency caused by the network failure. Is there any way to skip the download failure dependency and continue to execute the command?