-
-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using the gh-gomod-generate-sbom action, fails when execution the "Cheap trick" gocmd.ModWhy call #230
Comments
Prob. related with not being able to download the private repo... or something related. |
Hello team, any updates about this issue? I tried using the docker image, tag |
Is it possible to provide some kind of minimal reproducer for this? I have not been able to replicate this so far. Generally, if a project depends on private modules, then the usual setup of |
From my side, I couldn't try it with Github actions, but I did it using docker. go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
# in the dir of my project:
cyclonedx-gomod mod -json -output bom.json . The BOM file is generated correctly. But then, running the docker container, using as volume the root of my project: docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json /usr/src/test I have this output:
I don't know the root cause, but with this, I'm not sure that's related to private repos, it seems an error executing the |
Thanks for the input @bcordobaq. I ran the
Which lead me to this issue: golang/go#26280 (comment) We use a non-root user in our cyclonedx-gomod/Dockerfile.goreleaser Lines 3 to 7 in c44a3b1
Adding this to the
Can you verify that this resolves the issue? If so, I'll get this added to our |
I'll also see if I can improve the logging. Seems like currently we're swallowing the actual error message, which is not helpful. |
Actually it is logged in debug mode (with
|
caused by golang/go#26280 (comment) relates to #230 Signed-off-by: nscuro <[email protected]>
Hi @nscuro , first, thank you for your quick response! Effectively, I added the env variable in the docker command, and it works well 🎉 , this was my probe: docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
-e "GOCACHE=/tmp/gocache" \
cyclonedx/cyclonedx-gomod:v1.4 mod -json -output bom.json /usr/src/test Thank you!!! Anyways, I saw your MR, which is merged, and I've tried also the docker docker run -it \
-v "$(pwd):/usr/src/test" \
-v "$(pwd)/reports:/out" \
cyclonedx/cyclonedx-gomod mod -json -output /out/bom.json /usr/src/test |
Problem
Currently I'm trying to integratie the generation of a SBOM for one of our Go repos. The gh-gomod-generate-sbom action is used. This actually fails with the error:
Looking at this line and the subsequent call to gocmd.ModWhy the error "failed to download modules: ..." doesn't actually indicate a failure of downloading modules, but more generally a failure when running the command (in this case `go mod why -m -vendor github.com/CycloneDX/cyclonedx-go).
This will call private repo's. So in that sense, it looks like this issue #206. But that one was closed without giving a hint what goes wrong.
On a local dev machine it works.
Question
Can somebody explain the above error when running cyclonedx-gomod through a GitHub Action?
Below the contents of the action:
The text was updated successfully, but these errors were encountered: