-
-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import transitive dependencies from SBOMs if available #497
Comments
@ppkarwasz Thanks for creating this issue. I had a similar idea that I discussed with @hboutemy in CycloneDX Slack, but I failed to provide him with concrete examples. Is it possible for you or anyone else (Cc: @raboof , @prabhu, @lfrancke, @stevespringett ) interested in this feature to provide some concrete examples? |
Examples of where this would be useful? |
In many cases shaded artifacts are the final product and are not consumed by other Java artifacts. There are however valid (or at least justified) cases, when a library shades another and often repackages it (in the sense that it changes the names of Java packages):
I consider SBOMs as an build tool and language independent way to expose a project's dependencies. It would be useful to use them to complement Maven's simplified dependency system, e.g. regarding conflicts. |
As scenario: Imagine:
When running the vulnerability scanner, it should identify that
So the choice is between going implementing this in all vulnerability scanners (first approach), or implementing this in all SBOM generators (including |
For cases like these, we need to go beyond the package names to a vulnerability database that offer affected modules, imports, symbols, etc, which doesn't exist in the open-source world. When running cdxgen with |
to the examples of shaded content shared previously, I'd add one typical case: in the same gav, there are both the initial .jar and one shaded one, like https://repo1.maven.org/maven2/org/apache/maven/wagon/wagon-http/3.5.3/ on this case, what should THE sbom contain to describe the 2 different jars? how would a project consuming one of these jars as a dependency know what to use? Additional question: as wagon project is a multi-module build, what about the aggregate SBOM vs the gav-only ones? And this question about aggregated is valid both from a producer perspective (wagon) and a consumer perspective (a project consuming one artifact of wagon)? has really cyclonedx-maven-plugin a chance to magically detect different case without user deep configuration? How many additional files will have the plugin to download to do the advanced analysis? notice: is this specific to the java world or do other ecosystems have such cases? there are serious deep dives discussion to have to get the whole picture |
Even though those are in the same gav, shouldn't we treat those jars as different artifacts and thus create different SBOMs for them?
Indeed! |
I think that the SBOM should describe all the artifacts sharing the same GAV (at least the binary ones). A complex example,
BTW: I think that if VEX-es become compulsory, developers will think twice before publishing this kind of assemblies. |
Some Maven libraries publish shaded artifacts that contain many if not all their dependencies.
Since it is impossible to guess which artifacts were shaded from the POM file alone, the CycloneDX plugin should try to use the CycloneDX SBOMs of their dependencies, if available.
This feature request is related to #472 .
The text was updated successfully, but these errors were encountered: