cdxgen: BOMs from Docker image missing packages

Using cdxgen on a Docker image will generate a BOM, but not a correct one. Many of the packages installed in our Python project are missing, compared to running cdxgen on the project directly.

Our Docker image has a workdir of \app, could this be an issue? Does cdxgen want a specific workdir to work correctly?

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 21 (12 by maintainers)

Most upvoted comments

Not a problem. Glad it worked!

@prabhu Now it works! I did not see that my previous log-snippet was badly formatted. Sorry!

@diblaze This helps. Yes, the site-packages inside .venv would be matching a range of patterns. Thank you. I will let you know once a new update is ready for testing.

Sadly I cannot share the complete tree structure. However, poetry.lock is directly under dapp, so it should find it. Also, I checked our Docker image: cdxgen is run by the root user.

dapp/
├── openapi_server
├── poetry.lock
├── pyproject.toml
└── scripts.py

For now the workaround is to run cdxgen on the project before creating the image.

@diblaze could you share the debug logs with version 4.0.13?
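A check for the symptom this thread describes, added here as an example rather than cdxgen's own code: it compares the packages pinned in a poetry.lock with the components of a CycloneDX JSON BOM and reports what the image-based BOM dropped. The lock fragment and the BOM are constructed samples, and package names are normalised per PEP 503 so casing differences do not produce false misses.

```python
import json
import re

# Constructed sample poetry.lock fragment (not the project's real lock file).
SAMPLE_POETRY_LOCK = """
[[package]]
name = "connexion"
version = "2.14.2"

[[package]]
name = "Flask"
version = "2.2.5"

[[package]]
name = "PyYAML"
version = "6.0.1"
"""

# Constructed sample BOM in the shape cdxgen emits: only one locked package made it in.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "flask", "version": "2.2.5",
         "purl": "pkg:pypi/flask@2.2.5"},
    ],
})
_PKG_RE = re.compile(r'\[\[package\]\]\s+name\s*=\s*"([^"]+)"\s+version\s*=\s*"([^"]+)"')

def normalize(name: str) -> str:
    """PEP 503 normalisation so Flask / flask and PyYAML / pyyaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def locked_packages(lock_text: str) -> dict:
    """Map normalised package name -> version for every [[package]] in a poetry.lock."""
    return {normalize(n): v for n, v in _PKG_RE.findall(lock_text)}

def bom_components(bom_json: str) -> dict:
    """Map normalised component name -> version for a CycloneDX JSON BOM."""
    return {normalize(c["name"]): c.get("version")
            for c in json.loads(bom_json).get("components", [])}

def missing_from_bom(lock_text: str, bom_json: str) -> dict:
    """Locked packages the BOM lacks, or lists with a different version."""
    found = bom_components(bom_json)
    return {n: v for n, v in locked_packages(lock_text).items() if found.get(n) != v}

if __name__ == "__main__":
    for name, version in sorted(missing_from_bom(SAMPLE_POETRY_LOCK, SAMPLE_BOM).items()):
        print(f"missing from BOM: {name}=={version}")
```

Point it at the real poetry.lock and the BOM cdxgen produced from the image to confirm whether the workaround (scanning the project before building the image) is still needed after an upgrade.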