Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve SBOMs #580

Open
1 of 3 tasks
Tracked by #345
lfrancke opened this issue May 13, 2024 · 3 comments
Open
1 of 3 tasks
Tracked by #345

Improve SBOMs #580

lfrancke opened this issue May 13, 2024 · 3 comments

Comments

@lfrancke
Copy link
Member

lfrancke commented May 13, 2024
edited by dervoeti
Loading

Tasks
Preview Give feedback
@lfrancke lfrancke mentioned this issue May 13, 2024
Open
@dervoeti
Copy link
Member

Just as a note for later:
In general, I think the "correct" way to create an SBOM would be to create it during the build, not afterwards (as we do right now with Syft). Some problems might arise when doing this though. For example, Hbase pulls in jackson-databind:2.4.0 via htrace-core4 which seems to be an uber JAR containing jackson-databind:2.4.0 as shaded dependency. I can't find information about the jackson-databind:2.4.0 dependency with Maven (via dependency:tree or cyclonedx-maven-plugin), while tools that analyze the built artifact (like Syft or ScanCode) are able to detect it. So the "reverse analyzed SBOM" might still be the most pragmatic solution. Or we find a way to obtain that information before/during the build.

@lfrancke
Copy link
Member Author

lfrancke commented May 29, 2024
edited
Loading

This particular bit of information just gets lost and never recorded anywhere during building and publishing to Nexus.
I'm afraid the best option (as stupid as it sounds) is to do the scan afterwards. It at least recovers some information and I believe we have to live with the fact that perfect SBOMs for the Java ecosystem will be impossible/hard to do for the forseeable future.

@dervoeti
Copy link
Member

dervoeti commented Aug 6, 2024

Update: Our solution for this will likely be to merge the information of both approaches. We use a custom tool to merge the information during the build (generated with tools like cyclonedx-maven-plugin) with the information obtained from the scan of the built artifact (generated by Syft). The extra information we gain from this, compared to our current SBOMs, is the whole dependency tree plus maybe some components that can not be detected after the build.
This issue in progress as part of #614, since these improved SBOMs are the way we want to get this extra information into SecObserve.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lfrancke @dervoeti