anthonyharrison / distro2sbom

Generates SBOM files from system packaging information

License: Apache License 2.0

Python 100.00%
cyclonedx debian devsecops python redhat sbom sbom-generator spdx ubuntu

distro2sbom's Issues

Getting information for windows systems does not work

I am trying to obtain the SBOM of a Windows 10 system and I always get the same error

[ERROR] Feature not available
[ERROR] Unable to locate package

The command line I run is:

distro2sbom --distro windows --name "Microsoft Windows 10 Pro" --release "10.0.19044" --system --sbom cyclonedx --format json --output-file "sbom.json"

The error obtained when executing in debug mode is

Distro type: windows
Input file:
Distro name: Microsoft Windows 10 Pro
Distro release: 10.0.19044
Package:
System SBOM: True
SBOM type: cyclonedx
Format: json
Output file: sbom.json
This may take some time...
[ERROR] Feature not available
[ERROR] Unable to locate package

'RpmBuilder' object has no attribute 'license'

Hi.

While playing around with version 0.2.0 I got the following exception:

Traceback (most recent call last):
  File "/opt/app-root/bin/distro2sbom", line 8, in <module>
    sys.exit(main())
  File "/opt/app-root/lib64/python3.8/site-packages/distro2sbom/cli.py", line 209, in main
    sbom_build.process_distro_package(args["package"])
  File "/opt/app-root/lib64/python3.8/site-packages/distro2sbom/distrobuilder/rpmbuilder.py", line 206, in process_distro_package
    if self.process_package(module_name):
  File "/opt/app-root/lib64/python3.8/site-packages/distro2sbom/distrobuilder/rpmbuilder.py", line 149, in process_package
    license = self.license.find_license(self.get("License"))
AttributeError: 'RpmBuilder' object has no attribute 'license'

The command used to generate this exception:

distro2sbom --distro rpm --name centos --release 7 --sbom cyclonedx -o sbom.json --format json -p bash

The environment is a Docker container (quay.io/centos7/python-38-centos7)

I don't get the exception if I instead use -i packages.txt. However in this case there is no license information in the resulting file (even when switching the SBOM format to spdx). Which I think might be another issue.

My assumption is that distrobuilder.py contains changes (the license attribute, along with the associated methods to find licenses) which weren't included in the commits related to version 0.2.0.

Older RHEL-compatible targets seem to be unable to find dependencies

Trying this out on a few different RHEL-compatible targets seems to show issues installing the dependencies, e.g.

$ docker run --rm -it rockylinux:8 sh -c 'yum install -y python3 python3-pip;pip3 install lib4sbom'
...
Installed:
  platform-python-pip-9.0.3-22.el8.rocky.0.noarch      python3-pip-9.0.3-22.el8.rocky.0.noarch      python3-setuptools-39.2.0-6.el8.noarch      python36-3.6.8-38.module+el8.5.0+671+195e4563.x86_64     

Complete!
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting lib4sbom
  Could not find a version that satisfies the requirement lib4sbom (from versions: )
No matching distribution found for lib4sbom
...

The same error is seen on:

  • centos:7
  • centos:8

However the following work fine:

  • quay.io/centos/centos:stream9
  • amazonlinux:2023
  • amazonlinux:2

The failing targets all seem to be Python 3.6 whereas the others are more recent and generally already come with Python 3.
Do I need to reconfigure pip to look at a particular index?

setup.py seems to assume repo root

You cannot seem to run from another path, e.g. python /test/setup.py; it looks for README.md, etc. locally rather than at the location of the .py file.
