Fix dependencies concealed during BOM creation, aligning more closely with the dependency graph #256
@knrc I'm testing with WebGoat 8.0.0 and noticed that, with this PR, I'm missing some components. The components that I'm missing are:

```json
{
  "group" : "com.google.guava",
  "name" : "guava",
  "version" : "25.0-jre",
  "description" : "Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/com.google.guava/guava@25.0-jre?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/com.google.guava/guava@25.0-jre?type=jar"
},
{
  "group" : "com.google.code.findbugs",
  "name" : "jsr305",
  "version" : "1.3.9",
  "description" : "JSR305 Annotations for Findbugs",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/com.google.code.findbugs/jsr305@1.3.9?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/com.google.code.findbugs/jsr305@1.3.9?type=jar"
},
{
  "group" : "org.checkerframework",
  "name" : "checker-compat-qual",
  "version" : "2.0.0",
  "description" : "Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/org.checkerframework/checker-compat-qual@2.0.0?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/org.checkerframework/checker-compat-qual@2.0.0?type=jar"
},
{
  "group" : "com.google.errorprone",
  "name" : "error_prone_annotations",
  "version" : "2.1.3",
  "description" : "Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.1.3?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.1.3?type=jar"
},
{
  "group" : "com.google.j2objc",
  "name" : "j2objc-annotations",
  "version" : "1.1",
  "description" : "A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/com.google.j2objc/j2objc-annotations@1.1?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@1.1?type=jar"
},
{
  "publisher" : "Codehaus",
  "group" : "org.codehaus.mojo",
  "name" : "animal-sniffer-annotations",
  "version" : "1.14",
  "description" : "Animal Sniffer Parent project.",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.14?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.14?type=jar"
},
{
  "publisher" : "The Apache Software Foundation",
  "group" : "commons-io",
  "name" : "commons-io",
  "version" : "2.8.0",
  "description" : "The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.",
  "hashes" : [...],
  "licenses" : [...],
  "purl" : "pkg:maven/commons-io/commons-io@2.8.0?type=jar",
  "externalReferences" : [...],
  "type" : "library",
  "bom-ref" : "pkg:maven/commons-io/commons-io@2.8.0?type=jar"
}
```

Some of these make sense, but it's interesting that
...
I will take a look today; I can hazard a guess as to why, but will verify.
IIUC, it is not about a component being missed from the resulting BOM components list (https://cyclonedx.org/docs/1.4/json/#components).

And this is because Maven's overriding rules during dependency resolution only try to catch which effective version of a library will be kept (and then intentionally omit the versions that are overridden), while SBOM dependencies try to catch all relations to the library, even in the case of version overriding.

Nice subtle difference between the Maven dependency tree (focused on resolution) and SBOM dependency relationships in cases like:

I think this will impact the terms we should use in code and messages to describe the situation, to match the terms used by dependency:tree (like "omitted for duplicate"), so that we have a chance to keep an understanding of the CycloneDX dependencies algorithm vs the Maven dependency tree resolution.
@hboutemy There are a couple of issues, but the largest is definitely dependencies which are missing from the graph.
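The two symptoms in this thread, components such as guava and its transitive annotation libraries missing from the WebGoat BOM, and the resolution-versus-relationship mismatch Hervé describes (Maven's dependency:tree prunes nodes "omitted for duplicate" or "omitted for conflict", while the SBOM still needs that edge), can be checked mechanically against the plugin's output. The script below is an added example, not code from the cyclonedx-maven-plugin: it parses a constructed sample of `mvn dependency:tree -Dverbose` output, rebuilds the component list and `dependencies` edges the BOM should carry (an edge to an omitted version is rewritten to the version Maven actually kept, so every `dependsOn` target exists in `components`), and diffs a constructed CycloneDX JSON BOM against them. The coordinates, versions and BOM content are made up for illustration; the parser assumes the three-column indentation and `(... - omitted for ...)` markers of verbose tree output and ignores classifiers when building purls.

```python
"""Added example: rebuild the component list and dependency edges a CycloneDX
BOM should carry from ``mvn dependency:tree -Dverbose`` output, then diff a BOM
against them.  Maven's resolution prunes "omitted for duplicate/conflict" nodes;
the SBOM still needs that edge, pointed at the version that won resolution."""
import re
from collections import defaultdict

# Constructed sample of verbose dependency:tree output (not WebGoat's real tree).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- com.google.guava:guava:jar:25.0-jre:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  \\- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] +- commons-io:commons-io:jar:2.8.0:compile
[INFO] \\- org.example:lib:jar:2.0.0:compile
[INFO]    +- (commons-io:commons-io:jar:2.8.0:compile - omitted for duplicate)
[INFO]    \\- (com.google.guava:guava:jar:23.0:compile - omitted for conflict with 25.0-jre)
"""


def purl(group, artifact, version, type_="jar"):
    """Package URL in the shape used as bom-ref above (classifier ignored here)."""
    return f"pkg:maven/{group}/{artifact}@{version}?type={type_}"


def parse_node(line):
    """One tree line -> dict with depth, coordinates and omission reason, or None."""
    body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
    start = re.search(r"[(\w]", body)
    if not start:
        return None
    depth = start.start() // 3            # every tree level is three columns wide
    token = body[start.start():].strip()
    omitted, reason = token.startswith("("), None
    if omitted:                           # "(coords - omitted for duplicate|conflict with X)"
        token, _, reason = token[1:-1].partition(" - omitted for ")
    parts = token.split(":")
    if len(parts) == 6:                   # group:artifact:type:classifier:version:scope
        group, artifact, type_, _cls, version, _scope = parts
    elif len(parts) == 5:                 # group:artifact:type:version:scope
        group, artifact, type_, version, _scope = parts
    elif len(parts) == 4:                 # root line: group:artifact:type:version
        group, artifact, type_, version = parts
    else:
        return None                       # not a coordinate line (plugin banner etc.)
    return {"depth": depth, "group": group, "artifact": artifact, "type": type_,
            "version": version, "omitted": omitted, "reason": reason}


def parse_tree(text):
    """Return (root_ref, component_refs, {ref: set(dependsOn refs)})."""
    nodes = [n for n in map(parse_node, text.splitlines()) if n]
    # Pass 1: the version Maven actually kept for each group:artifact.
    resolved = {(n["group"], n["artifact"]): n["version"] for n in nodes if not n["omitted"]}
    # Pass 2: depth-first walk; omitted nodes still yield an edge, rewritten to the winner.
    components, deps, stack, root = set(), defaultdict(set), [], None
    for n in nodes:
        winner = resolved.get((n["group"], n["artifact"]))
        if winner is None and n["reason"] and n["reason"].startswith("conflict with "):
            winner = n["reason"][len("conflict with "):]
        ref = purl(n["group"], n["artifact"], winner or n["version"], n["type"])
        del stack[n["depth"]:]            # pop back to this node's parent
        if stack:
            deps[stack[-1]].add(ref)
        else:
            root = ref
        if not n["omitted"]:
            deps.setdefault(ref, set())
            if stack:                     # root lives in metadata.component, not components
                components.add(ref)
        stack.append(ref)
    return root, components, dict(deps)


def check_bom(bom, expected_components, expected_deps):
    """Diff a CycloneDX JSON BOM (as a dict) against what the tree says it should contain."""
    have = {c["bom-ref"] for c in bom.get("components", [])}
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    have_deps = {d["ref"]: set(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    known = have | ({meta_ref} if meta_ref else set())
    referenced = set(have_deps) | set().union(*have_deps.values())
    return {
        "missing_components": sorted(expected_components - have),
        "missing_edges": sorted((ref, dep) for ref, targets in expected_deps.items()
                                for dep in targets - have_deps.get(ref, set())),
        "dangling_refs": sorted(referenced - known),  # edges to refs no component declares
    }


# Constructed BOM showing both failure modes: guava and its transitive annotation
# libraries are concealed, and lib's edge still points at the overridden guava 23.0.
ROOT = purl("org.example", "app", "1.0.0")
LIB = purl("org.example", "lib", "2.0.0")
COMMONS_IO = purl("commons-io", "commons-io", "2.8.0")
BUGGY_BOM = {
    "metadata": {"component": {"bom-ref": ROOT}},
    "components": [{"bom-ref": COMMONS_IO}, {"bom-ref": LIB}],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [COMMONS_IO, LIB]},
        {"ref": LIB, "dependsOn": [COMMONS_IO, purl("com.google.guava", "guava", "23.0")]},
        {"ref": COMMONS_IO, "dependsOn": []},
    ],
}

if __name__ == "__main__":
    _root, comps, deps = parse_tree(SAMPLE_TREE)
    for key, value in check_bom(BUGGY_BOM, comps, deps).items():
        print(key, value)
```

Run against a real project, the tree text comes from `mvn dependency:tree -Dverbose` and the BOM from `json.load` on the plugin's output file; a non-empty `missing_components`, `missing_edges` or `dangling_refs` list is the condition to fail a pipeline on, since each means a vulnerability scanner consuming the BOM would not see a library that is actually on the classpath.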
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
…ypes and their transitive dependencies if not referenced elsewhere Signed-off-by: Kevin Conner <kev.conner@gmail.com>
… updated to match the resolved version in the component list Signed-off-by: Kevin Conner <kev.conner@gmail.com>
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
Trustification pr
LGTM
This PR addresses the issues discussed in this article; I'm opening this as a forum for discussion.