Indirect dependencies not added to BOM file while generating BOM using CycloneDX #485

Open
super3programmer opened this issue Jun 10, 2024 · 4 comments
Labels
question Further information is requested

Comments

@super3programmer

I used cyclonedx-gomod to generate a BOM file, but some internal dependencies were not included. Although most indirect dependencies were added, the following two were not:

github.com/stretchr/objx v0.5.0 (indirect)
google.golang.org/appengine v1.6.7 (indirect)

@nscuro
Member

nscuro commented Jun 14, 2024

Please ensure that you run go mod tidy to keep bloat out of your go.mod file.

Then, keep in mind that go.mod does not differentiate between dev/test and runtime dependencies. cyclonedx-gomod mod will not include test dependencies by default, but you can opt in to that by passing the -test flag.

If you're using cyclonedx-gomod app, the output will be even more restricted, because it will only include modules that are actually compiled into your application. Please consult the respective command's help text for details: https://github.com/CycloneDX/cyclonedx-gomod?tab=readme-ov-file#subcommands

It all comes down to the fact that cyclonedx-gomod does not simply parse your go.mod file. It instead relies on Go itself to tell it what the true dependencies are.

@nscuro nscuro added the question Further information is requested label Jun 14, 2024
@super3programmer
Author

Hello @nscuro,
After running 'go mod tidy', I generated the BOM file using the cyclonedx-gomod app. However, the BOM file is missing two specific components. While I understand that cyclonedx-gomod relies on Go for this process and it includes all other indirect components, I am puzzled as to why these two components are excluded. Do you have any suggestions or insights on this issue?

@nscuro
Member

nscuro commented Jun 18, 2024

When you use app, the BOM will be generated based on what Go would compile into the application, given the currently applicable build constraints. Build constraints include the platform, but also build tags etc.

For example, some modules are only required on macOS, so when you run cyclonedx-gomod app on Windows, you won't see those.

Another reason could be that some modules are only needed by code that your application never calls, hence they'll be omitted.

Or your codebase has multiple binaries (e.g. cmd/app1, cmd/app2), so when you're generating a BOM for app1 you won't be seeing modules that only app2 depends on.

There's a multitude of reasons that all are results of how Go's module system and build process works. go.mod and go.sum do not reliably tell you what gets shipped when you build a binary.

If you always want all modules to be included, use cyclonedx-gomod mod. Please read the command's help text.
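The two comments above describe the mechanism: cyclonedx-gomod asks the Go toolchain which modules are actually compiled into a binary (for app) or which are in the build list (for mod), instead of reading go.mod. The following Go program is an added example, not part of this thread or of the cyclonedx-gomod project, that reproduces that comparison so you can see for yourself why a module is absent. It parses the output of `go list -m all` (the build list) and of `go list -deps -f '{{if .Module}}{{.Module.Path}} {{.Module.Version}}{{end}}' ./cmd/app1` (the packages Go links into one binary under the current GOOS/GOARCH and build tags), plus the components of the BOM, and reports two sets: build-list modules that are not compiled in (an app BOM is expected to omit exactly these) and compiled-in modules the BOM fails to declare (a real gap). All inputs are embedded as constructed samples; the main-package path `./cmd/app1`, the module `github.com/example/svc` and the version numbers are assumptions, so replace the constants with the real command output to run it against your own project.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// bom mirrors the slice of a CycloneDX JSON BOM this check needs. In a
// cyclonedx-gomod BOM each library component's name is the module path and
// its version the module version; the main module lives in metadata.component.
type bom struct {
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}

// parseModuleLines turns "path version" lines into a set of "path@version"
// keys. It accepts the output of both `go list -m all` (one line per module
// in the build list; a replaced module prints "path version => new newver",
// of which the original pair is kept) and of `go list -deps -f ...` with the
// template from the lead-in (one line per compiled package). Standard-library
// packages print an empty line and the main module has no version; neither is
// a dependency, so lines with fewer than two fields are skipped.
func parseModuleLines(out string) map[string]bool {
	set := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		set[f[0]+"@"+f[1]] = true
	}
	return set
}

// bomModules extracts the same "path@version" keys from a BOM document.
func bomModules(bomJSON []byte) (map[string]bool, error) {
	var b bom
	if err := json.Unmarshal(bomJSON, &b); err != nil {
		return nil, err
	}
	set := map[string]bool{}
	for _, c := range b.Components {
		set[c.Name+"@"+c.Version] = true
	}
	return set, nil
}

// difference returns the keys of a that are absent from b, sorted.
func difference(a, b map[string]bool) []string {
	var out []string
	for k := range a {
		if !b[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// notCompiledIn lists modules in the build list (go.mod) that Go does not
// link into the chosen binary: test-only, excluded by build constraints, or
// needed only by another main package. An app BOM omits exactly these.
func notCompiledIn(modAll, deps string) []string {
	return difference(parseModuleLines(modAll), parseModuleLines(deps))
}

// missingFromBOM lists modules Go does link into the binary that the BOM
// fails to declare. Anything returned here is a real gap worth reporting.
func missingFromBOM(deps string, bomJSON []byte) ([]string, error) {
	declared, err := bomModules(bomJSON)
	if err != nil {
		return nil, err
	}
	return difference(parseModuleLines(deps), declared), nil
}

// Constructed sample inputs; not taken from a real project.
// sampleModAll stands in for `go list -m all`.
const sampleModAll = `github.com/example/svc
github.com/gin-gonic/gin v1.9.1
github.com/stretchr/objx v0.5.0
golang.org/x/sys v0.15.0
google.golang.org/appengine v1.6.7
`

// sampleDeps stands in for `go list -deps -f ... ./cmd/app1`: duplicate
// lines are packages of the same module, the empty line a stdlib package.
const sampleDeps = `github.com/example/svc 
github.com/gin-gonic/gin v1.9.1
github.com/gin-gonic/gin v1.9.1
golang.org/x/sys v0.15.0

`

// sampleBOM stands in for a cyclonedx-gomod JSON BOM that forgot one module.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5",
 "metadata":{"component":{"type":"application","name":"github.com/example/svc"}},
 "components":[{"type":"library","name":"github.com/gin-gonic/gin","version":"v1.9.1"}]}`

func main() {
	fmt.Println("in go.mod but not compiled into this binary:", notCompiledIn(sampleModAll, sampleDeps))
	missing, err := missingFromBOM(sampleDeps, []byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("compiled in but absent from the BOM:", missing)
}
```

Run the two go list commands from the module root with the same GOOS, GOARCH and -tags you build with; the -deps set changes with them, which is why a BOM generated on one platform can legitimately omit a module that go.mod lists. The check ignores replace directives beyond keeping the original path/version pair, and it treats the BOM's component name and version as the module path and version, which is how cyclonedx-gomod emits them.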

@super3programmer
Author

I used cyclonedx-gomod mod to generate the BOM file, as you mentioned. However, some indirect modules are still missing. Could you please review this and let me know why the following modules aren't being included in the BOM file?

  1. github.com/go-playground/assert/v2
  2. github.com/gusaul/go-dynamock
  3. github.com/rogpeppe/go-internal
  4. golang.org/x/exp
  5. gopkg.in/check.v1
