No trace logs for under the hood executions
I am trying to generate an SBOM for a Maven project. However, it hangs on mvnw org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true for ~1h, then reverts to mvnw dependency:tree -DoutputFile=/tmp/cdxmvn-8qMLXx/mvn-tree.txt, which hangs too with no output.
Is there a flag or something that will show why execution takes so long? Manual executions of these commands in the target dir finish in a couple of minutes.
Finished with
14:57:15 Testing the wrapper script by invoking wrapper:wrapper task
14:57:17 Executing '/u01/jenkins/workspace/project/mvnw org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /u01/jenkins/workspace/project
15:43:17 Fallback to executing /u01/jenkins/workspace/project/mvnw dependency:tree -DoutputFile=/tmp/cdxmvn-8qMLXx/mvn-tree.txt
16:28:56
16:28:56 Resolve the above maven error. This could be due to the following:
16:28:56
16:28:56 1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible. Try running cdxgen with the unofficial JDK11-based image `ghcr.io/appthreat/cdxgen-java:v10`.
16:28:56 2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable.
16:28:56 3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool.
16:28:56
Running analysis with /u01/jenkins/workspace/squashfs-root/AppRun --trace-warnings -r -o project-sbom.json
export CDXGEN_DEBUG_MODE=debug
Here is the full log with CDXGEN_DEBUG_MODE=debug
10:37:39 🔵 export CDXGEN_DEBUG_MODE=debug
10:37:39 🔵 /u01/jenkins/workspace/project/debug/project_test-sbom/squashfs-root/AppRun --trace-warnings -r -o ui-sbom.json
10:37:43 cdxgen plugins was not found. Please install with npm install -g @cyclonedx/cdxgen-plugins-bin
10:37:43 Scanning .
10:37:43 Performing babel-based package usage analysis with source code at .
10:37:44 Parsing file /u01/jenkins/workspace/project/debug/project_test-sbom/ui/ui-react-app/pnpm-lock.yaml
10:37:45 Found 1063 npm packages at .
10:37:46 maven settings.xml found in /u01/jenkins/workspace/project/debug/project_test-sbom/ui. Please set the MVN_ARGS environment variable based on the full mvn build command used for this project.
10:37:46 Example: MVN_ARGS='--settings /u01/jenkins/workspace/project/debug/project_test-sbom/ui/settings.xml'
10:37:46 Testing the wrapper script by invoking wrapper:wrapper task
10:37:49 Executing '/u01/jenkins/workspace/project/debug/project_test-sbom/ui/mvnw org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /u01/jenkins/workspace/project/debug/project_test-sbom/ui
11:23:46 Fallback to executing /u01/jenkins/workspace/project/debug/project_test-sbom/ui/mvnw dependency:tree -DoutputFile=/tmp/cdxmvn-fQWT0d/mvn-tree.txt
12:09:31
12:09:31 Resolve the above maven error. This could be due to the following:
12:09:31
12:09:31 1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible. Try running cdxgen with the unofficial JDK11-based image `ghcr.io/appthreat/cdxgen-java:v10`.
12:09:31 2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable.
12:09:31 3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool.
12:09:31
12:09:31 Falling back to parsing pom.xml files. Only direct dependencies would get included!
12:09:31 Testing the wrapper script by invoking wrapper:wrapper task
12:55:04 Maven wrapper script test has failed. Will use the installed version of maven.
12:55:04 Executing '/u01/jenkins/workspace/project/debug/project_test-sbom_tmp/withMaven849d59ca/mvn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /u01/jenkins/workspace/project/debug/project_test-sbom/ui/ui-serde-api
12:55:04 Testing the wrapper script by invoking wrapper:wrapper task
13:31:03 Cancelling nested steps due to timeout
13:31:03 Sending interrupt signal to process
13:31:04 Maven wrapper script test has failed. Will use the installed version of maven.
13:31:04 Executing '/u01/jenkins/workspace/project/debug/project_test-sbom_tmp/withMaven849d59ca/mvn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true' in /u01/jenkins/workspace/project/debug/project_test-sbom/ui/ui-e2e-checks
13:31:04 /u01/jenkins/workspace/project/debug/project_test-sbom/ui_tmp/durable-364da2f6/script.sh: line 10: 2061116 Terminated /u01/jenkins/workspace/project/debug/project_test-sbom/squashfs-root/AppRun --trace-warnings -r -o ui-sbom.json
13:31:04 script returned exit code 143
13:31:04 Deleting 1 temporary files
13:31:05 [ОШИБКА] org.jenkinsci.plugins.workflow.steps.FlowInterruptedException
13:31:05 at org.jenkinsci.plugins.workflow.steps.BodyExecution.cancel(BodyExecution.java:59)
13:31:05 at org.jenkinsci.plugins.workflow.steps.TimeoutStepExecution.cancel(TimeoutStepExecution.java:197)
13:31:05 at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
13:31:05 at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
13:31:05 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
13:31:05 at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
13:31:05 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
13:31:05 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
13:31:05 at java.base/java.lang.Thread.run(Thread.java:833)
13:31:05 Suppressed: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 0226ec47-f56c-40d3-a7c5-c9719f05613c
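An added example, not part of the thread and not cdxgen code: since the nested Maven output is not shown, the per-line timestamps are the only timing evidence in this log. The sketch below measures the silent gap after each timestamped line and lists the steps that stalled; the function names and the 300-second threshold are assumptions, and the sample lines are abridged from the log above.

```python
import re
from datetime import timedelta

# Abridged from the debug log in the thread: timestamps are the original ones,
# paths and Maven arguments are shortened.
SAMPLE_LOG = """\
10:37:46 Testing the wrapper script by invoking wrapper:wrapper task
10:37:49 Executing 'mvnw org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom'
11:23:46 Fallback to executing mvnw dependency:tree
12:09:31
12:09:31 Falling back to parsing pom.xml files. Only direct dependencies would get included!
12:09:31 Testing the wrapper script by invoking wrapper:wrapper task
12:55:04 Maven wrapper script test has failed. Will use the installed version of maven.
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})(?:\s+(.*))?$")
DAY = 24 * 3600


def parse(log_text):
    """Yield (seconds_since_first_midnight, message) for timestamped lines."""
    day_offset, prev = 0, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without a timestamp carry no timing information
        h, mi, s = (int(m.group(i)) for i in (1, 2, 3))
        t = h * 3600 + mi * 60 + s + day_offset
        if prev is not None and t < prev:  # time-of-day wrapped past midnight
            day_offset += DAY
            t += DAY
        prev = t
        yield t, (m.group(4) or "").strip()


def slow_steps(log_text, threshold_s=300):
    """Return (duration, message) for each line followed by a gap >= threshold."""
    events = list(parse(log_text))
    out = []
    for (t0, msg), (t1, _) in zip(events, events[1:]):
        if t1 - t0 >= threshold_s:
            out.append((timedelta(seconds=t1 - t0), msg))
    return out


if __name__ == "__main__":
    for duration, message in slow_steps(SAMPLE_LOG):
        print(f"{duration}  silent after: {message}")
```

On the sample, three steps each account for roughly 45 minutes of silence: the makeAggregateBom run, the dependency:tree fallback, and the second wrapper:wrapper test.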
@vveider I see a timeout error at 13:31:03. Can you troubleshoot with a Jenkins DevOps person, since this doesn't appear to be a tool-specific issue?
I can remove the timeout, yes, but what takes 3 hours for analysis? And where can I find that "Resolve the above maven error." error?
No idea. Can you run this command directly? Also, can you share any other mvn commands in that Jenkinsfile? There must be more settings and arguments to be passed.
mvn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true
Ok, it finished in 4h 42min. I wrote above that I've already run the command directly and it finishes in mere minutes. Why does cdxgen hide the output of the commands it executes, leaving no way of finding out what exactly it is doing? Maybe it is possible to provide some custom build with trace enabled?
Upd: found that it tries to go to the internet: wget --quiet https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip -O /tmp/tmp.JCrma0ijs9/apache-maven-3.6.3-bin.zip while executing mvnw command.
Can you please remind me how to pass -s settings.xml to the cdxgen command?
MVN_ARGS environment variable, as shown in the output.
Well, somehow mvnw run from cdxgen ignores every setting and tries to download itself from the internet, even though there is a distributionUrl setting in .mvn/wrapper/maven-wrapper.properties.
Fixed by deleting mvnw so that it runs on the configured mvn.
Yet the problem I think should be considered - there is no real DEBUG mode for cdxgen where any action is logged.
@vveider I actually feel there is too much logging. Have you tried running cdxgen via the node package? I suspect that maybe the environment variable is not getting read or passed through via the AppImage.
I've added CDXGEN_DEBUG_MODE=debug to the environment so that any new process will honor it - still no additional logs like mvn execution logs or the like.
Maybe there is an example of how this setting should work?
Anyway, why not add an ordinary -v (-vv, -vvv, etc.) like every other utility? How do others debug what is going on when executing cdxgen?