Using the gh-gomod-generate-sbom action, fails when execution the "Cheap trick" gocmd.ModWhy call about cyclonedx-gomod HOT 8 OPEN

Hi @nscuro , first, thank you for your quick response! Effectively, I added the env variable in the docker command, and it works well 🎉 , this was my probe:

docker run -it \
    -v "$(pwd):/usr/src/test" \    
    -v "$(pwd)/reports:/out" \
    -e "GOCACHE=/tmp/gocache" \
   cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json  /usr/src/test

Thank you!!! Anyways, I saw your MR, which is merged, and I've tried also the docker latest image, works well 😄

docker run -it \
    -v "$(pwd):/usr/src/test" \
    -v "$(pwd)/reports:/out" \
    cyclonedx/cyclonedx-gomod mod -json -output /out/bom.json  /usr/src/test

from cyclonedx-gomod.

Prob. related with not being able to download the private repo... or something related.

from cyclonedx-gomod.

Hello team, any updates about this issue? I tried using the docker image, tag v1.4 and I have the same error as @jeroendee reported. If I use the client locally in the laptop works well...

from cyclonedx-gomod.

Is it possible to provide some kind of minimal reproducer for this? I have not been able to replicate this so far.

Generally, if a project depends on private modules, then the usual setup of GOPRIVATE etc. required for private modules is necessary to generate an SBOM for the project. If it works on your local machine, but doesn't in CI, then there's some sort of setup, config, or environment variable missing in CI, that exists on your local machine.

from cyclonedx-gomod.

From my side, I couldn't try it with Github actions, but I did it using docker.
If I execute the client app locally:

go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest

# in the dir of my project:
cyclonedx-gomod mod -json -output bom.json .

The BOM file is generated correctly.

But then, running the docker container, using as volume the root of my project:

docker run -it \
    -v "$(pwd):/usr/src/test" \
    -v "$(pwd)/reports:/out" \
    cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json  /usr/src/test

I have this output:

{"level":"error","error":"failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2023-08-03T11:38:44Z"}

I don't know the root cause, but with this, I'm not sure that's related to private repos, it seems an error executing the go mod why command.

from cyclonedx-gomod.

Thanks for the input @bcordobaq. I ran the go mod why command from within the container, and I got this error:

failed to initialize build cache at /.cache/go-build: mkdir /.cache: permission denied

Which lead me to this issue: golang/go#26280 (comment)

We use a non-root user in our Dockerfile:

Adding this to the docker command works for me:

-e "GOCACHE=/tmp/gocache"

Can you verify that this resolves the issue? If so, I'll get this added to our Dockerfile and push a bugfix release out later today.

from cyclonedx-gomod.

I'll also see if I can improve the logging. Seems like currently we're swallowing the actual error message, which is not helpful.

from cyclonedx-gomod.

Actually it is logged in debug mode (with -verbose flag):

$ docker run -it --rm -v "$(pwd):/work" cyclonedx/cyclonedx-gomod:v1.4.0 mod -verbose /work
4:00PM DBG executing command cmd="/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go" dir=/work
4:00PM DBG failed to initialize build cache at /.cache/go-build: mkdir /.cache: permission denied
{"level":"error","error":"failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1","time":"2023-08-03T16:00:03Z"}

from cyclonedx-gomod.