cli errors out on Fedora 42 and Ubuntu 24.04 on certain .NET projects

[sirredbeard]

Steps to reproduce:

1. Install Fedora 42
2. Install Node with sudo dnf install nodejs
3. Install cli with sudo npm install -g @herodevs/cli@beta
4. Go to project folder, e.g. git clone https://github.com/dotnet/runtime --depth 1 --branch v6.0.3 && cd runtime
5. Run hd scan eol

Expected results:

Get an SBOM

Actual results:

hayden@WDK2023:~/runtime$ hd scan eol
⠋ Generating SBOM*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.

....

✔ Generated SBOM
✖ Scanning failed
 ›   Error: Failed to submit scan to NES. insert into "reports"."result" ("heuristics", "metadata", "purl_id",
 ›   "scan_id") values ($1, $2, $3, $4), ($5, $6, $7, $8), ($9, $10, $11, $12), ($13, $14, $15, $16), ($17, $18, $19,
 ›   $20), ($21, $22, $23, $24), ($25, $26, $27, $28), ($29, $30, $31, $32), ($33, $34, $35, $36), ($37, $38, $39,
 ›   $40), ($41, $42, $43, $44), ($45, $46, $47, $48), ($49, $50, $51, $52), ($53, $54, $55, $56), ($57, $58, $59,
 ›   $60), ($61, $62, $63, $64), ($65, $66, $67, $68), ($69, $70, $71, $72), ($73, $74, $75, $76), ($77, $78, $79,
 ›   $80), ($81, $82, $83, $84), ($85, $86, $87, $88), ($89, $90, $91, $92), ($93, $94, $95, $96), ($97, $98, $99,
 ›   $100), ($101, $102, $103, $104), ($105, $106, $107, $108), ($109, $110, $111, $112), ($113, $114, $115, $116),
 
...

 ›   $30411, $30412), ($30413, $30414, $30415, $30416), ($30417, $30418, $30419, $30420), ($30421, $30422, $30423,
 ›   $30424), ($30425, $30426, $30427, $30428) returning "purl_id", "metadata" - duplicate key value violates unique
 ›   constraint "result_scan_id_purl_id_key"

[sirredbeard]

$ node --version
v22.18.0
$ hd --version
@herodevs/cli/2.0.0-beta.8 wsl-arm64 node-v22.18.0

[sirredbeard]

On clean Ubuntu 24.04 image:

sudo apt update && sudo apt upgrade -y && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash &&  source ~/.bashrc && nvm install 20
git clone https://github.com/herodevs/cli/ && cd cli
npm run build && npm install -g .
cd ~ && git clone https://github.com/dotnet/runtime --depth 1 --branch v6.0.3 && cd runtime
hd-cli scan eol --dir .

Still getting:

⠋ Generating SBOM*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
...
✔ Generated SBOM
✖ Scanning failed
 ›   Error: Failed to submit scan to NES. insert into "reports"."result" ("heuristics", "metadata", "purl_id",
 ›   "scan_id") values ($1, $2, $3, $4), ($5, $6, $7, $8), ($9, $10, $11, $12), ($13, $14, $15, $16), ($17, $18, $19,
 ›   $20), ($21, $22, $23, $24), ($25, $26, $27, $28), ($29, $30, $31, $32), ($33, $34, $35, $36), ($37, $38, $39,
...
 ›   $30411, $30412), ($30413, $30414, $30415, $30416), ($30417, $30418, $30419, $30420) returning "purl_id",
 ›   "metadata" - duplicate key value violates unique constraint "result_scan_id_purl_id_key"

Note that I had to change bin in package.json from hd to hd-cli because hd conflicts with hd the hexdump tool on Ubuntu.

[sirredbeard]

Ran $ hd scan eol --save --saveSbom

Attached all output:

complete log of run.txt

I don't see an SBOM saved:

$ ls
build.cmd           CONTRIBUTING.md           docs        global.json   README.md
Build.proj          Directory.Build.props     dotnet.cmd  LICENSE.TXT   SECURITY.md
build.sh            Directory.Build.targets   dotnet.sh   NuGet.config  src
CODE-OF-CONDUCT.md  Directory.Solution.props  eng         PATENTS.TXT   THIRD-PARTY-NOTICES.TXT

[sirredbeard]

This issue appears when running the cli on the .NET runtime repo, which I just randomly picked because I had it available.

Something about the .NET runtime repo may be an edge case here.

When I run the cli on a more basic .NET project, like PowerToys, cli works fine:

hayden@WDK2023:~$ git clone https://github.com/microsoft/PowerToys --depth 1
Cloning into 'PowerToys'...
remote: Enumerating objects: 7132, done.
remote: Counting objects: 100% (7132/7132), done.
remote: Compressing objects: 100% (5500/5500), done.
remote: Total 7132 (delta 2409), reused 3861 (delta 1335), pack-reused 0 (from 0)
Receiving objects: 100% (7132/7132), 99.06 MiB | 27.97 MiB/s, done.
Resolving deltas: 100% (2409/2409), done.
Updating files: 100% (6554/6554), done.
hayden@WDK2023:~$ cd PowerToys/
hayden@WDK2023:~/PowerToys$ hd scan eol
✔ Generated SBOM
✔ Scan completed
Scan results:
----------------------------------------
280 total packages scanned
✗ 1     End-of-Life (EOL)
! 0     EOL Upcoming
✔ 3     Not End-of-Life (EOL)
• 276   Unknown EOL Status
• 0     HeroDevs NES Remediations Available
----------------------------------------
🌐 View your full EOL report at: apps.herodevs.com

* Use --json to output the report payload
* Use --save to save the report to herodevs.report.json
* Use --help for more commands or options
hayden@WDK2023:~/PowerToys$

[sirredbeard]

Trying again with 2.0.0-beta.9:

hayden@WDK2023:~/runtime$ hd --version
@herodevs/cli/2.0.0-beta.9 wsl-arm64 node-v22.18.0
hayden@WDK2023:~/runtime$ node --version
v22.18.0
hayden@WDK2023:~/runtime$ hd scan eol --saveSbom
⠋ Generating SBOM*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
...

✔ Generated SBOM
SBOM saved to /home/hayden/runtime/herodevs.sbom.json
✖ Scanning failed
 ›   Error: Failed to submit scan to NES. Internal server error

herodevs.sbom.json

[sirredbeard]

Running dotnet restore before running $ hd scan eol --save --saveSbom still produces similar output:

$ hd scan eol --save --saveSbom
⠋ Generating SBOM*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
*** Found system packages without a version ***
Global Assembly Cache (GAC) dependencies must be included in the project's build output for version detection. Please follow the instructions in the README: https://github.com/CycloneDX/cdxgen?tab=readme-ov-file#including-net-global-assembly-cache-dependencies-in-the-results.
...
✔ Generated SBOM
SBOM saved to /home/hayden/runtime/herodevs.sbom.json
✖ Scanning failed
 ›   Error: Failed to submit scan to NES. Internal server error

[sunshastry]

Components derived from SBOM

components.txt