Using diff command always produces empty output even if there are changes in SBOM's provided as inputs.

[bharathkolanda]

When i use "cyclonedx diff newBOM.json oldBOM.json > sbomDiff.txt" always produces empty sbomDiff.txt file even if there are differences.

If i use the option --component-versions the i get an "Unhandled exception: System.ArgumentNullException: Value cannot be null. (Parameter 'collection')"

When i tried to convert json to xml, conversion succeeds but the converted xml file is empty.

[andreas-hilti]

@bharathkolanda Can you please attach your BOM files (or samples) such that we can reproduce your issue?

[bharathkolanda]

@andreas-hilti : Please find the details below
existing-bom.json
standard-bom.json
sbomDiff.txt

And my ci pipeline looks as below
sbom-diff:
stage: check-sbom

needs:

- scp-codescanner-check

image:
name: cyclonedx/cyclonedx-cli:latest@sha256:269b82d4346362cbd2b1830bceece5e8a7e00921fa26ebba1c9e7291ea772be0
entrypoint: [""]
script:
- newSBOM=$(find . -iname standard-bom.json)
- oldSBOM=$(find . -iname existing-bom.json)
- cyclonedx diff $newSBOM $oldSBOM --output-format text > sbomDiff.txt
#- cat sbomDiff.txt
#- exit $(grep ^[+-] sbomDiff.txt | wc -l)
artifacts:
when: always
paths:
- sbomDiff.txt
- .//standard-bom.json
- .//existing-bom.json

[andreas-hilti]

@bharathkolanda The two files are not valid cyclonedx BOM files. I think you need to specify the correct output file format when generating the BOMs (maybe --cyclonedx).