CycloneDX.NET finishes successfully when package restore fails #888

Open
andreycha opened this issue Jun 26, 2024 · 5 comments
Labels: bug (Something isn't working), question (Further information is requested), stale

Comments

@andreycha
Contributor

andreycha commented Jun 26, 2024

Hi,

I'm using version 3.0.5 and recently noticed that, in case the solution package restore fails, CycloneDX.NET does not generate a BOM file and finishes successfully. This makes our BOM builds continue and fail at a later point because the BOM file is not found.

Wouldn't it be better if CycloneDX.NET exited with a code that indicates failure?

Here is an example of shortened build output with key points in bold:

15:03:48  Dotnet restore failed:
15:03:48  Determining projects to restore...
15:03:48  D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\Models\Models.csproj : error NU1903: Warning As Error: Package 'Newtonsoft.Json' 12.0.3 has a known high severity vulnerability, GHSA-5crp-9r3c-p9vr [D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\WorkerHost\WorkerHost.csproj]
15:03:48  Failed to restore D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\src\Models\Models.csproj (in 18 ms).
15:03:48 
15:03:48  CycloneDX has finished
15:03:48 
15:03:48  Process exited with code 0

15:03:48 Step 2/2: Upload BOM to DependencyTrack
15:03:48  Step 1/1: Upload BOM to DependencyTrack (PowerShell)
15:03:48  PowerShell running in non-virtual agent context
15:03:48  PowerShell Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
15:03:48  Working directory: D:\BuildAgent\work\8459948641e4ad25
15:03:48  Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
15:03:48  PowerShell arguments: -NoProfile, -NonInteractive, -ExecutionPolicy, ByPass, -File, D:\BuildAgent\temp\buildTmp\powershell12874135734340666064.ps1, "D:\BuildAgent\work\8459948641e4ad25", "dist/BOM/bom.json", "*******", "https://dependencytrack_url/api", "ServiceName", "1.2.3.4"
15:03:48  Get-ChildItem : Cannot find path 'D:\BuildAgent\work\8459948641e4ad25\dist\BOM\bom.json' because it does not exist.

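A guard for the pipeline step described above, added here as an example (it is not code from the issue or from the CycloneDX project): it runs CycloneDX, then refuses to continue if the exit code is non-zero, if the output contains the "Dotnet restore failed:" marker seen in the log, or if no BOM file was written. The solution path, output directory, service name and version are placeholders copied from the log; the GitHub credential arguments are omitted.

```powershell
# Added example, not part of the issue or the CycloneDX project.
# Placeholder values below are taken from the build log in the issue.
param(
    [string]$Solution = "D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\ServiceName.sln",
    [string]$OutDir   = "dist\BOM",
    [string]$BomFile  = "bom.json",
    [string]$Name     = "ServiceName",
    [string]$Version  = "1.2.3.4"
)

$bomPath = Join-Path $OutDir $BomFile

# Remove any BOM left by a previous run so a stale file cannot mask today's failure.
if (Test-Path $bomPath) { Remove-Item $bomPath -Force }

# Run the tool, capturing stdout and stderr so the restore-failure marker can be inspected.
$lines = & dotnet cyclonedx $Solution -o $OutDir -f $BomFile -j -sn $Name -sv $Version 2>&1
$exit = $LASTEXITCODE
$lines | ForEach-Object { Write-Host $_ }

# Secondary signal: the tool prints this line when "dotnet restore" fails for a project.
$restoreFailed = $lines | Where-Object { "$_" -match '^\s*Dotnet restore failed:' }

if ($exit -ne 0) {
    Write-Error "CycloneDX exited with code $exit"
    exit $exit
}
if ($restoreFailed) {
    Write-Error "CycloneDX reported a failed package restore; not treating this run as successful"
    exit 1
}
if (-not (Test-Path $bomPath)) {
    Write-Error "CycloneDX exited 0 but '$bomPath' was not written"
    exit 1
}

# Sanity check: the file must parse as JSON and declare the CycloneDX bomFormat.
$bom = Get-Content $bomPath -Raw | ConvertFrom-Json
if ($bom.bomFormat -ne "CycloneDX") {
    Write-Error "'$bomPath' does not look like a CycloneDX BOM"
    exit 1
}
Write-Host "BOM written to $bomPath with $(@($bom.components).Count) component(s)"
```

Running this as the SBOM build step makes the failure visible there instead of in the later Dependency-Track upload step.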
@github-actions github-actions bot added the triage Don't know what to do with this yet label Jun 26, 2024
@andreycha andreycha changed the title Package restore fails and CycloneDX.NET finishes successfully CycloneDX.NET finishes successfully when package restore fails Jun 26, 2024
@mtsfoni
Contributor

mtsfoni commented Jun 26, 2024

> Wouldn't it be better if CycloneDX.NET exited with a code that indicates failure?

That is the intended behavior.
Can you tell me what arguments you call cyclonedx with?

@mtsfoni mtsfoni added bug Something isn't working question Further information is requested and removed triage Don't know what to do with this yet labels Jun 26, 2024
@andreycha
Contributor Author

andreycha commented Jun 27, 2024

Yes, sorry, forgot to add it:

dotnet cyclonedx "D:\BuildAgent\work\8459948641e4ad25\Services\ServiceName\ServiceName.sln" -o dist\BOM -f bom.json -j -sn "ServiceName" -sv 1.2.3.4 --github-username *** --github-token ***

@mtsfoni
Contributor

mtsfoni commented Jun 29, 2024

First of all, as you set github-username and token, you probably want to use --enable-github-licenses.

Since 3.0.0 it's disabled by default.

@mtsfoni
Contributor

mtsfoni commented Jun 29, 2024

I cannot reproduce the error. Here is my try:

PS E:\src\repos\cyclonedx-dotnet> $LastExitCode
0
PS E:\src\repos\cyclonedx-dotnet> dotnet cyclonedx ..\cdx-enrich\src\CdxEnrich.sln -j -sn "name" -sv 1.0.0

Found the following local nuget package cache locations:
    C:\Users\user\.nuget\packages\
Scanning at E:\src\repos\cdx-enrich\src\CdxEnrich.sln

» Solution: E:\src\repos\cdx-enrich\src\CdxEnrich.sln
  Getting projects

» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
  Getting project references
  No project references found

» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj
  Getting project references

» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
  Getting project references
  No project references found
  2 project(s) found


» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich\CdxEnrich.csproj
  Attempting to restore packages
  Packages restored


» Analyzing: E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj
  Attempting to restore packages
Dotnet restore failed:
  Determining projects to restore...
E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj : error NU1101: Unable to find package Verify. No packages exist with this id in source(s): C:\Program Files\dotnet\library-packs, Package source
  Failed to restore E:\src\repos\cdx-enrich\src\CdxEnrich.Tests\CdxEnrich.Tests.csproj (in 217 ms).
  1 of 2 projects are up-to-date for restore.

PS E:\src\repos\cyclonedx-dotnet> $LastExitCode
5

Also, I cannot see any way in the flow of the program that it could exit without writing the output file but still return 0.

See here: https://github.com/CycloneDX/cyclonedx-dotnet/blob/master/CycloneDX/Runner.cs#L423-L426

Can you reproduce the problem outside your pipeline?


This issue is stale because it has been open for 3 months with no activity.

@github-actions github-actions bot added the stale label Sep 29, 2024