haro87 / mdbom Goto Github PK

Describe the bug

Installing mdbom and mkdocs-material creates a dependency conflict. While mdbom requires Jinja2 version to be 2.X, mkdocs-material requires 3.X.X

To Reproduce

Steps to reproduce the behavior:

1. poetry add --dev mdbom
2. poetry add --dev mkdocs-material

> poetry add --dev mkdocs mkdocs-material

Using version ^1.3.1 for mkdocs
Using version ^8.5.1 for mkdocs-material

Updating dependencies
Resolving dependencies... (0.0s)

  SolverProblemError

  Because no versions of mkdocs-material match >8.5.1,<9.0.0
   and mkdocs-material (8.5.1) depends on jinja2 (>=3.0.2), mkdocs-material (>=8.5.1,<9.0.0) requires jinja2 (>=3.0.2).
  And because mdbom (0.3.0) depends on Jinja2 (>=2.11.3,<3.0.0)
   and no versions of mdbom match >0.3.0,<0.4.0, mkdocs-material (>=8.5.1,<9.0.0) is incompatible with mdbom (>=0.3.0,<0.4.0).
  So, because deathstar depends on both mdbom (^0.3.0) and mkdocs-material (^8.5.1), version solving failed.

  at ~/sw/miniconda3/lib/python3.9/site-packages/poetry/puzzle/solver.py:241 in _solve
      237│             packages = result.packages
      238│         except OverrideNeeded as e:
      239│             return self.solve_in_compatibility_mode(e.overrides, use_latest=use_latest)
      240│         except SolveFailure as e:
    → 241│             raise SolverProblemError(e)
      242│ 
      243│         results = dict(
      244│             depth_first_search(
      245│                 PackageNode(self._package, packages), aggregate_package_nodes

Expected behavior

Installaion succeeds.

System (please complete the following information):

• Mardown SBOM version: 0.3.0
• Python version: 3.9.2
• OS: Ubuntu

It would be great to have support for npm specific SBOMs.

Describe the bug
Using a freeze.txt file created by pip results in version key not found.

To Reproduce
Steps to reproduce the behavior:

1. pip freeze > freeze.txt
2. cyclonedx-py -r -i freeze.txt -o bom.json --format=json
3. mdb generate ...

Expected behavior
MdBOM should run even if Info like Version is missing.

Screenshots
N.a.

System (please complete the following information):

• MdBOM version: [e.g. 0.3.0]
• Python version: [e.g. 3.8]
• OS: [Linux/MacOS]

Additional context
cyclonedx-bom version 3.6.0

Describe the bug
Sometimes the license information is empty. This should not happen.

To Reproduce
Hard to reproduce.

Expected behavior
If no license info is found then unknown should be stated in the license info.

System (please complete the following information):

• Mardown SBOM version: 0.2.0
• Python version: 3.8
• OS: Linux

mdBOM can be used to create the 3rd party documentation via mdBOM. You need to run:

poetry export -f requirements.txt --output freeze.txt --without-hashes

to get the requirements file which can be used as an input for cyclonedx-py.

It seems that the script can't find a template.md.jinja file, causing a runtime error. This is on a macOS machine with Python installed via homebrew.

$ python3 --version
Python 3.10.6
$ pip3 install mdbom 
[...]
$ mdb generate --input doc/bom/bom.json --output doc/bom/mdb.md --type npm
Traceback (most recent call last):
  File "/opt/homebrew/bin/mdb", line 8, in <module>
    sys.exit(cli())
  File "/opt/homebrew/lib/python3.10/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/opt/homebrew/lib/python3.10/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/opt/homebrew/lib/python3.10/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/homebrew/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/homebrew/lib/python3.10/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/opt/homebrew/lib/python3.10/site-packages/mdbom/mdbom.py", line 85, in generate
    generate_markdown(
  File "/opt/homebrew/lib/python3.10/site-packages/mdbom/md/md.py", line 27, in generate_markdown
    with open(template, "r") as template_file:
FileNotFoundError: [Errno 2] No such file or directory: 'template.md.jinja'

I prefer Task over make.

Instead of providing all relevant info like BOM file, template etc. it would be nice to be able to use a config file.

Use MkDocs instead of Sphinx for documentation.

Describe the bug
Following the steps outlined on https://haro87.github.io/mdbom/0.2.2/install/, I get the following error when trying to run the generation command:
Traceback (most recent call last):
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\runpy.py", line 192, in _run_module_as_main
return _run_code(code, main_globals, None,
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\runpy.py", line 85, in run_code
exec(code, run_globals)
File "C:\Users\anthony.hunter.000\AppData\Local\Programs\Python\Python38\Scripts\mdb.exe_main.py", line 9, in
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 829, in call
return self.main(*args, **kwargs)
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 782, in main
rv = self.invoke(ctx)
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\click\core.py", line 610, in invoke
return callback(*args, **kwargs)
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\mdbom\mdbom.py", line 96, in generate
packages = processors[proc_type].get_packages_from_bom(
File "c:\users\anthony.hunter.000\appdata\local\programs\python\python38\lib\site-packages\mdbom\bom\processor.py", line 54, in get_packages_from_bom
for component_license in component[LICENSES_ID]:
KeyError: 'licenses'

To Reproduce
Steps to reproduce the behavior:

1. Follow all of the install steps from https://haro87.github.io/mdbom/0.2.2/install/
2. Run the generation command from: https://haro87.github.io/mdbom/0.2.2/markdown/
3. See error

Expected behavior
Expecting the markdown file to be generated

System (please complete the following information):

• Mardown SBOM version: 0.2.1
• Python version: 3.8
• OS: Windows 10

MdBOM should be able to handle Golang as well.

MdBOM should be able to read multiple BOM files and compile a single list of packages.

Instead of releasing to test pypi from develop it should only be done from release/... branches.

The URLs in the 3rd Party should be actual links.

Currently, the purl package type (pypi, nom, golang, ...) is not part of the final result. This should be included.

As suggested here cyclone-dx is already providing purl infos for all detected packages. It would simplify the processing and the user interface if mdbom would switch to that.