oss-review-toolkit / ort

A suite of tools to automate software compliance checks.

Home Page: https://oss-review-toolkit.org

ort --info report -f CycloneDx -i bom.json -o .

wujunhuge opened this issue

commented

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

  1. First do '...'
  2. Then do '...'
  3. Finally do '...'
  4. See error

Expected behavior

A clear and concise description of what you expected to happen.

Console / log output

[image attached]

<copy & paste output to here>

Environment

Output of the ort requirements command:

<copy & paste output to here>

Or manually specify:

  • ORT version: [e.g. 22.1.0]
  • Java version: [e.g. 17]
  • OS: [e.g. Linux]

And specify (relevant parts of) your ORT configuration (config.yml):

<copy & paste output to here>

Additional context

Add any other context about the problem here.

Hi @wujunhuge, thanks for the report. Unfortunately, most of the fields in the report were not filled out by you, making it hard for us to reproduce what the root cause of your problem is.

Apparently, the repository field is missing in the ORT result JSON file that you are trying to load. As the ORT analyzer definitely writes this mandatory field, it looks like the ORT result JSON file has been tampered with. Can you share how this file was created exactly?

it looks like the ORT result JSON file has been tampered with.

Or actually, judging from the file name bom.json in your title, it looks like the input is not an ORT result file at all. Basically, the input to the ort report command is the file that gets written by the ort analyze command. Also see the tutorial.
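A small pre-flight check for the file handed to `ort report -i`, added here as an illustration (not part of ORT): it tells an ORT result file (which carries the mandatory top-level `repository` block written by `ort analyze`) apart from a CycloneDX BOM (which identifies itself with `bomFormat: "CycloneDX"` in the CycloneDX JSON schema), so the mix-up in this issue is caught before `ort report` fails. The sample documents are constructed, not real ORT or CycloneDX output.

```python
"""Pre-flight check for the file handed to `ort report -i`.

`ort report` reads the ORT result written by `ort analyze`; a CycloneDX BOM is one
of its *output* formats. These heuristics are an added illustration, not ORT code.
"""
import json
import sys
from pathlib import Path

ORT_RESULT = "ort-result"
CYCLONEDX_BOM = "cyclonedx-bom"
UNKNOWN = "unknown"


def classify_report_input(data):
    """Classify parsed JSON `data` by the top-level marker each format carries."""
    if not isinstance(data, dict):
        return UNKNOWN
    # `ort analyze` always writes the mandatory top-level `repository` block.
    if isinstance(data.get("repository"), dict):
        return ORT_RESULT
    # CycloneDX JSON documents identify themselves with `bomFormat: "CycloneDX"`.
    if data.get("bomFormat") == "CycloneDX":
        return CYCLONEDX_BOM
    return UNKNOWN


def advice_for(kind):
    """Human-readable next step for each classification."""
    return {
        ORT_RESULT: "ORT result file; `ort report -f CycloneDx -i <file> -o .` should accept it.",
        CYCLONEDX_BOM: ("CycloneDX BOM: this is what `ort report -f CycloneDx` writes, not what it "
                        "reads. Run `ort analyze -i <project dir> -o <out dir> -f JSON` first and "
                        "pass the analyzer result it writes to `ort report`."),
        UNKNOWN: "Neither an ORT result nor a CycloneDX BOM; check which tool wrote this file.",
    }[kind]


def check_file(path):
    """Load a JSON file from disk and return (classification, advice)."""
    with Path(path).open(encoding="utf-8") as fh:
        kind = classify_report_input(json.load(fh))
    return kind, advice_for(kind)


# Constructed samples (not real ORT / CycloneDX output) that exercise the checks.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}
SAMPLE_ORT_RESULT = {"repository": {"vcs": {"type": "Git", "url": "https://example.invalid/repo.git"}}}

if __name__ == "__main__":
    for arg in sys.argv[1:]:  # usage: python preflight.py bom.json
        kind, advice = check_file(arg)
        print(f"{arg}: {kind}\n  {advice}")
```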

commented

Thank you for your reply. I am trying to use tools to analyze a C++ project and convert it into a CycloneDx format BOM JSON. However, after reading the tutorial, I feel a bit confused. Do I need to add any configurations when analyzing?

Do I need to add any configurations when analyzing?

That depends a bit on which, if any, package manager your C++ project is using. Can you share some details on that?

In any case, that does not explain why the repository field seems to be missing in the ORT result file. Can you please also share the exact command line you're using to run ort analyze?

commented

Can my C++ project be scanned without a package manager like Conan?
The command I am using now is: ort --info analyze -i -o . -f JSON

Can my C++ project be scanned without a package manager like Conan?

It can be scanned in the meaning of running ort scan with the analyzer input, but none of its dependencies will be recognized or scanned. Only what's contained in the directory / repository ort analyze was given as the input will be scanned.

And please note that ort analyze currently expects the input directory to be under version control. If that's not the case for you, you can trick ORT by creating a temporary Git working tree directory in your input directory by running git init, git add ., git commit -m "Dummy commit for ORT" first.