SBOM is different on package.json with same command on different systems #474

@Serraniel

Describe the bug

Hello,

We ran into an issue where the generated SBOM differs when the command is executed in the Jenkins environment compared to the result when I execute the same command locally.
We use the following command to generate the SBOM:
npx --yes -d @cyclonedx/cyclonedx-npm@^1 --output-file "..\..\..\bom\components\portal_frontend.json" --omit dev

The major difference is that in the Jenkins environment an additional hashes property is generated for each entry. That in itself isn't an issue for us in general, but there is one exception:
We also include the fontawesome-pro package, which doesn't come from npmjs but from the FA npm registry. In this case the hashes property is not generated, but the PURL is extended instead.
If I execute the mentioned command locally, the tool generates
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"

In the Jenkins environment it instead generates
"purl": "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1?checksum=sha-512:74793b8a209fe4c0a6a14be6ad8cdf37f23781e6e9829035a2a94e7df80e4e19ec680478929690e58313764746f7d39fd619cdd01a24e91f87136f335dbdd23a&download_url=https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz"

This leads to the issue that our Dependency Track rejects the SBOM file because that specific purl entry exceeds the max length.

I don't know if that limitation comes from the specification or is an internal limitation of Dependency Track.
I was able to use the short purl option as a first workaround; however, my main questions are:
Why is the output different from when I execute the command locally, and is there a reason that, for the external registry, the hash is written into the PURL, which isn't the case for packages coming from npmjs?

Expected behavior

Identical output SBOM in the local and Jenkins environments

Screenshots or output-paste

If applicable, add screenshots or paste the output to help explain your problem.

Environment

Local

  • @cyclonedx/cyclonedx-npm version: ^1
  • NPM version: 8.19.2
  • Node version: 18.12.1
  • OS: Windows 10

Jenkins

  • @cyclonedx/cyclonedx-npm version: ^1
  • NPM version: 8.8.0
  • Node version: 18.1.0
  • OS: Windows

Additional context

A screenshot of the diff between the local (left) and Jenkins (right) output:
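The report above boils down to two kinds of difference between the runs: a `hashes` array per component and a `checksum` purl qualifier that inflates the purl past what Dependency Track accepts. As an added example (not code from the issue, the cyclonedx-npm project or Dependency Track), the Python script below normalizes two CycloneDX SBOMs by dropping exactly those environment-dependent parts, diffs what remains so that only genuine component differences are reported, and measures the longest emitted purl so it can be compared against whatever limit a consumer enforces. The SBOM content is constructed to mirror the report, the sha-512 digest is a placeholder, and no value for the Dependency Track limit is assumed since the page does not state one.

```python
"""Compare a local and a CI CycloneDX SBOM while ignoring per-environment noise.

Constructed example: the component lists below are made up to mirror the
issue report (a Jenkins run emitting `hashes` and a `checksum` purl
qualifier, a local run emitting neither). The digest is a placeholder.
"""

# Purl qualifiers that depend on where the tool ran rather than on what is installed.
ENV_DEPENDENT_QUALIFIERS = frozenset({"checksum"})
# Component fields that depend on the environment rather than on the dependency.
ENV_DEPENDENT_FIELDS = frozenset({"hashes"})

# Placeholder digest (constructed; 128 hex chars, the length of a real sha-512).
FAKE_SHA512 = "ab" * 64

FA_BASE = "pkg:npm/%40fortawesome/fontawesome-pro@6.2.1"
FA_DOWNLOAD = ("download_url=https://npm.fontawesome.com/@fortawesome/"
               "fontawesome-pro/-/6.2.1/fontawesome-pro-6.2.1.tgz")

LOCAL_SBOM = {  # constructed: mirrors the local run (no hashes, plain purl)
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "@fortawesome", "name": "fontawesome-pro",
         "version": "6.2.1", "purl": f"{FA_BASE}?{FA_DOWNLOAD}"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
}

CI_SBOM = {  # constructed: mirrors the Jenkins run (hashes + checksum qualifier)
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "@fortawesome", "name": "fontawesome-pro",
         "version": "6.2.1",
         "purl": f"{FA_BASE}?checksum=sha-512:{FAKE_SHA512}&{FA_DOWNLOAD}"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-512", "content": FAKE_SHA512}]},
        # A genuine difference (constructed): a package only the CI run resolved.
        {"type": "library", "name": "is-odd", "version": "3.0.1",
         "purl": "pkg:npm/is-odd@3.0.1",
         "hashes": [{"alg": "SHA-512", "content": FAKE_SHA512}]},
    ],
}


def strip_qualifiers(purl, drop=ENV_DEPENDENT_QUALIFIERS):
    """Remove the named qualifiers from a purl without re-encoding the rest.

    pkg:type/ns/name@ver?k1=v1&k2=v2#subpath  ->  same string minus dropped k=v pairs.
    """
    base, sep, rest = purl.partition("?")
    if not sep:
        return purl
    qualifiers, frag_sep, subpath = rest.partition("#")
    kept = [q for q in qualifiers.split("&") if q.split("=", 1)[0] not in drop]
    out = base + ("?" + "&".join(kept) if kept else "")
    return out + (frag_sep + subpath if frag_sep else "")


def normalize(component):
    """Return a copy of the component with environment-dependent noise removed."""
    clean = {k: v for k, v in component.items() if k not in ENV_DEPENDENT_FIELDS}
    if "purl" in clean:
        clean["purl"] = strip_qualifiers(clean["purl"])
    return clean


def diff_sboms(left, right):
    """Return (only_in_left, only_in_right, changed), keyed by normalized purl.

    `changed` lists purls present on both sides whose normalized component differs.
    """
    left_by = {normalize(c)["purl"]: normalize(c) for c in left["components"]}
    right_by = {normalize(c)["purl"]: normalize(c) for c in right["components"]}
    only_left = sorted(set(left_by) - set(right_by))
    only_right = sorted(set(right_by) - set(left_by))
    changed = sorted(p for p in set(left_by) & set(right_by) if left_by[p] != right_by[p])
    return only_left, only_right, changed


def longest_purl(sbom):
    """Length of the longest purl as emitted, for checking against a consumer's limit."""
    return max(len(c.get("purl", "")) for c in sbom["components"])


if __name__ == "__main__":
    only_local, only_ci, changed = diff_sboms(LOCAL_SBOM, CI_SBOM)
    print("only in local :", only_local)
    print("only in CI    :", only_ci)
    print("changed       :", changed)
    print("longest purl  : local=%d ci=%d" % (longest_purl(LOCAL_SBOM), longest_purl(CI_SBOM)))
```

Run against the real files by loading them with `json.load` in place of the constructed dictionaries; an empty result from `diff_sboms` confirms the two environments agree on the dependency set and only differ in the noise this issue describes, while `longest_purl` tells you before upload whether a `checksum` qualifier has pushed a purl past the consumer's limit.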
