The tool fails to generator CycloneDX output

[algomaster99]

Description

Please leave a brief description of the bug or feature request:

Hi! Thanks for the tool! I tried running it for https://github.com/INRIA/spoon, however, it fails with an exception.

How To Reproduce

Tell us how to reproduce the issue.

scancode  --cyclonedx sbom.json -clpeui --max-depth 5 .

Stacktrace

Scan files for: info, licenses, copyrights, packages, emails, urls with 1 process(es)...
[####################] 1918                                                                     
ERROR: failed to run output plugin: cyclonedx:
Traceback (most recent call last):
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/scancode/cli.py", line 1077, in run_codebase_plugins
    plugin.process_codebase(codebase, **kwargs)
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/formattedcode/output_cyclonedx.py", line 794, in process_codebase
    bom = CycloneDxBom.from_codebase(codebase)
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/formattedcode/output_cyclonedx.py", line 681, in from_codebase
    components = list(CycloneDxComponent.from_packages(packages))
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/formattedcode/output_cyclonedx.py", line 339, in from_packages
    base_component.merge(other_component)
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/formattedcode/output_cyclonedx.py", line 375, in merge
    merge_lists(self.externalReferences, other.externalReferences)
  File "/home/aman/.local/share/virtualenvs/sc-T-m2ua_0/lib/python3.10/site-packages/formattedcode/output_cyclonedx.py", line 431, in merge_lists
    seen = set(x)
TypeError: unhashable type: 'CycloneDxExternalRef'

System configuration

For bug reports, it really helps us to know:

• What OS are you running on? Linux
• What version of scancode-toolkit was used to generate the scan file?

   ScanCode version: 31.2.6
   ScanCode Output Format version: 2.0.0
   SPDX License list version: 3.18
  

• What installation method was used to install/run scancode? pip

[AyanSinhaMahapatra]

I think this was reported at #3016 and fixed in #3189 and this is available in scancode-toolkit v32 releases, can you try running the same scan with a v32 scancode and report if the same happens there too?

[algomaster99]

v32 scancode

Where can I find a stable binary? I looked for it on pip and Github releases.

[AyanSinhaMahapatra]

https://github.com/nexB/scancode-toolkit/releases/tag/v32.0.0rc4
https://pypi.org/project/scancode-toolkit/32.0.0rc4/

Note that these are set as pre-release or release candidates so they don't appear directly in https://pypi.org/project/scancode-toolkit/ or https://github.com/nexB/scancode-toolkit/releases/latest, but you have to look at https://github.com/nexB/scancode-toolkit/releases and https://pypi.org/project/scancode-toolkit/#history you can see them

[algomaster99]

I can give it a try tomorrow. Thank you!

[algomaster99]

Thanks! It works in https://github.com/nexB/scancode-toolkit/releases/tag/v32.0.0rc4. However, I have one suggestion for your tool. You can consider upgrading to CycloneDX 1.4 as it is the latest version of the standard.

[AyanSinhaMahapatra]

@algomaster99 thanks! The issue of supporting cyclonedx 1.4 is tracked here: #2987