
Fails to parse Github AS SBOM with: Format not supported: for command and/or flags ('SPDX') #116

Open
captainjono opened this issue Jan 7, 2025 · 3 comments


captainjono commented Jan 7, 2025

I'm using GitHub to generate an SBOM with its advanced security feature.

gh ext install advanced-security/gh-sbom
gh auth login
gh sbom

This will generate a repo.json.

It starts with:

{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"com.github...

Validation passes, but other options fail:

C:\x\Downloads\sbom-utility-v0.17.1-pre-windows-amd64> ./sbom-utility validate -i repo.json
Welcome to the sbom-utility! Version 'v0.17.1-pre' (sbom-utility) (windows/amd64)
[INFO] Loading (embedded) default schema config file: 'config.json'...
[INFO] Loading (embedded) default license policy file: 'license.json'...
[INFO] Attempting to load and unmarshal data from: 'c:\jan\janison-replay\jr.spdx'...
[INFO] Successfully unmarshalled data from: 'c:\jan\janison-replay\jr.spdx'
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): 'SPDX', 'SPDX-2.3' (latest)
[INFO] Matching BOM schema (for validation): schema/spdx/2.3/spdx-schema.json
[INFO] Loading schema 'schema/spdx/2.3/spdx-schema.json'...
[INFO] Schema 'schema/spdx/2.3/spdx-schema.json' loaded
[INFO] Validating 'repo.json'...
[INFO] BOM valid against JSON schema: 'true'
PS C:\x\Downloads\sbom-utility-v0.17.1-pre-windows-amd64> ./sbom-utility component list -i repo.json
Welcome to the sbom-utility! Version 'v0.17.1-pre' (sbom-utility) (windows/amd64)
[INFO] Loading (embedded) default schema config file: 'config.json'...
[INFO] Loading (embedded) default license policy file: 'license.json'...
[INFO] Attempting to load and unmarshal data from: 'repo.json'...
[INFO] Successfully unmarshalled data from: 'repo.json'
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): 'SPDX', 'SPDX-2.3' (latest)
[INFO] Matching BOM schema (for validation): schema/spdx/2.3/spdx-schema.json
[INFO] Scanning document for licenses...
[ERROR] format not supported: for command and/or flags ('SPDX'): format: repo.json', command: 'license', flags: ''
Error: format not supported: for command and/or flags ('SPDX'): format: 'repo.json', command: 'license', flags: ''

./sbom-utility query -i repo.json --select name,version --from components
Welcome to the sbom-utility! Version 'v0.17.1-pre' (sbom-utility) (windows/amd64)
[INFO] Loading (embedded) default schema config file: 'config.json'...
[INFO] Loading (embedded) default license policy file: 'license.json'...
[INFO] Attempting to load and unmarshal data from: 'repo.json'...
[INFO] Successfully unmarshalled data from: 'crepo.json'
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): 'SPDX', 'SPDX-2.3' (latest)
[INFO] Matching BOM schema (for validation): schema/spdx/2.3/spdx-schema.json
[ERROR] format not supported: for command and/or flags ('repo.json'): format: 'SPDX', command: 'query', flags: ''
Error: format not supported: for command and/or flags ('repo.json'): format: 'SPDX', command: 'query', flags: ''

I've been stuck on this for a few hours and I am wondering what I am doing wrong? The issue reproduces on the latest stable build also.

@martin-reich

Apparently, only CycloneDX is currently supported. SPDX is not supported.


mrutkows commented Jan 15, 2025

Apparently, only CycloneDX is currently supported. SPDX are not supported

@martin-reich can you attach the file? The INFO messages indicate that the header of the file was confirmed to be SPDX 2.3 (latest), which is supported for validation only (and, the last version being 2.x, it is the one we can support for the foreseeable future).

Given the error and INFO messages copied here, it implies you are running the "license" command, which (along with most other commands) only supports the CycloneDX schema to explore/query the contents of the file (beyond schema validation). Please know that the utility (by name and organizational placement) intends to fully allow exploration of data using the CycloneDX format/schema, and that SPDX validation was simply easy to support given that, for at least the 2.x versions of SPDX, we had a JSON schema file.

You can convert from SPDX to CycloneDX formats using the https://github.com/CycloneDX/cyclonedx-cli tool and then gain access to all the commands the utility supports including the "license" and policy commands ;)

@mrutkows mrutkows added question Further information is requested working as designed The description indicates the tool is working as designed labels Jan 15, 2025
@mrutkows mrutkows self-assigned this Jan 15, 2025
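To make the maintainer's point concrete, here is an added example (not code from sbom-utility, cyclonedx-cli or gh-sbom) that translates a minimal SPDX 2.3 JSON document into CycloneDX 1.5 JSON. It shows why a CycloneDX-only command such as "license" cannot read an SPDX file as-is: the same facts live under different keys (packages/versionInfo/licenseConcluded/externalRefs versus components/version/licenses/purl), and the root component is encoded as a DESCRIBES relationship rather than as metadata.component. The SAMPLE_SPDX document, its package names and SPDXIDs are constructed for illustration and are not a real repository's export; for real conversions use cyclonedx-cli as suggested above.

```python
"""Minimal SPDX 2.3 JSON -> CycloneDX 1.5 JSON translation (illustration only).

Added example for this thread; not part of sbom-utility, cyclonedx-cli or
gh-sbom. Handles the edge cases a converter must get right: NOASSERTION/NONE
licenses are dropped, compound license expressions become CycloneDX
"expression" entries, packages without a purl get no purl, and the package
DESCRIBED by the document becomes metadata.component.
"""
import json
import re

# Constructed sample in the shape of a dependency-graph SPDX export,
# trimmed to the fields translated below. Not a real repository's SBOM.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/repo",
    "packages": [
        {"SPDXID": "SPDXRef-repo", "name": "com.github.example/repo",
         "versionInfo": "", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash",
         "versionInfo": "4.17.21", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-npm-chalk", "name": "npm:chalk",
         "versionInfo": "5.3.0", "licenseConcluded": "MIT OR Apache-2.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-repo"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-lodash"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-chalk"},
    ],
}

# An SPDX license *expression* (as opposed to a single license id) contains
# an operator or parentheses; CycloneDX stores those under "expression".
_EXPR_MARKER = re.compile(r"\s(AND|OR|WITH)\s|[()]")


def detect_format(doc):
    """Sniff the header: 'spdxVersion' marks SPDX, 'bomFormat' marks CycloneDX."""
    if "spdxVersion" in doc:
        return "SPDX", doc["spdxVersion"]
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", doc.get("specVersion", "")
    return "unknown", ""


def _license_entry(expr):
    """SPDX licenseConcluded -> one CycloneDX licenses[] entry, or None."""
    if not expr or expr in ("NOASSERTION", "NONE"):
        return None
    if _EXPR_MARKER.search(expr):
        return {"expression": expr}
    return {"license": {"id": expr}}


def _purl(pkg):
    """Return the package URL from externalRefs, if the package carries one."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def _component(pkg):
    """Map one SPDX package to a CycloneDX component, omitting absent fields."""
    comp = {"type": "library", "bom-ref": pkg["SPDXID"], "name": pkg["name"]}
    if pkg.get("versionInfo"):
        comp["version"] = pkg["versionInfo"]
    lic = _license_entry(pkg.get("licenseConcluded"))
    if lic:
        comp["licenses"] = [lic]
    purl = _purl(pkg)
    if purl:
        comp["purl"] = purl
    return comp


def spdx_to_cyclonedx(doc):
    """Build a CycloneDX 1.5 document from an SPDX 2.x JSON document."""
    fmt, _ = detect_format(doc)
    if fmt != "SPDX":
        raise ValueError(f"expected SPDX input, got {fmt}")
    rels = doc.get("relationships", [])
    root_ids = {r["relatedSpdxElement"] for r in rels
                if r["spdxElementId"] == doc["SPDXID"]
                and r["relationshipType"] == "DESCRIBES"}
    deps = {}
    for r in rels:
        if r["relationshipType"] == "DEPENDS_ON":
            deps.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "components": [], "dependencies": []}
    for pkg in doc.get("packages", []):
        comp = _component(pkg)
        if pkg["SPDXID"] in root_ids:
            comp["type"] = "application"
            bom.setdefault("metadata", {})["component"] = comp
        else:
            bom["components"].append(comp)
        bom["dependencies"].append({"ref": pkg["SPDXID"],
                                    "dependsOn": deps.get(pkg["SPDXID"], [])})
    return bom


if __name__ == "__main__":
    print(json.dumps(spdx_to_cyclonedx(SAMPLE_SPDX), indent=2))
```

Running the script prints the converted document; note that the "npm:chalk" entry ends up with a license expression and no purl, which is exactly the kind of field-by-field decision a real converter has to make and why the utility defers that work to cyclonedx-cli rather than querying SPDX directly.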

mrutkows commented Jan 15, 2025

In addition, although I have not tried it personally, it seems that you are using an extension to the gh command to generate an SPDX BOM, and it appears that an alternative extension exists for generating CycloneDX format ;)

Google search indicates:

You can use the "gh" extension command to generate a CycloneDX Software Bill of Materials (SBOM) for your GitHub repository, specifically with the "gh-sbom" extension, which allows you to output SBOMs in both SPDX and CycloneDX formats depending on your preference, making it possible to generate a CycloneDX file using the GitHub CLI.
Key points about using "gh" for CycloneDX generation:

Extension needed: You need to install the "gh-sbom" extension to use this functionality. 

Format selection: When using the "gh-sbom" command, you can specify whether you want the output in CycloneDX or SPDX format.

gh sbom --format cyclonedx > my_sbom.json

Would love to know if that works (and perhaps get a copy of the JSON to see what it generates).
