
Try harder to catalog maven cache #510

Merged
merged 4 commits into from
Sep 4, 2023

Conversation

prabhu
Contributor

@prabhu prabhu commented Aug 31, 2023

Fixes #504

@theold190 could you kindly test with this PR branch?

@prabhu prabhu added Ready for QA help wanted Extra attention is needed labels Aug 31, 2023
@theold190

@prabhu I have just tested the code from PR branch.

Now SBOM file contains more components. The ones mentioned in #504 were also included in a result sbom file. So detection of the jar files seems to be improved. Thanks!

Though when I have uploaded SBOM file to Dependency tracker, it failed to provide extra information (ex. latest version, available vulnerabilities) for those newly added components.

I have compared how "guava" is reported in another project (where we could see additional info). Here are some details.

| | Guava (-t java) | Guava (-t maven-cache) |
| --- | --- | --- |
| Component name | guava | org.google.guava |
| Version | 31.1-jre | 23.0.0 |
| Namespace / group / vendor | com.google.guava | p2.osgi.bundle.com.google.guava |
| Package URL (PURL) | pkg:maven/com.google.guava/guava@31.1-jre?type=jar | pkg:maven/p2.osgi.bundle.com.google.guava/com.google.guava@23.0.0?type=jar |

I guess that is due to PURL information collected by parsing name/path of .jar file instead of using info from .pom/META-INF/.jar.

@prabhu
Contributor Author

prabhu commented Aug 31, 2023

@theold190 Let me investigate. I think it must match the id from this file.

https://repo1.maven.org/maven2/com/google/guava/guava/23.0/guava-23.0.pom

@prabhu
Contributor Author

prabhu commented Aug 31, 2023

@theold190, do you have any docs on p2 osgi bundle / p2artifacts.xml? It appears like it has its own namespace which is quite different from the linked guava poms. A sample app with the same plugins from your pom.xml might help.

@theold190

theold190 commented Sep 1, 2023

@prabhu now we are coming to the area where my knowledge is quite limited. So I can't really create an example app that would use an OSGI bundle.

Though here are some details I managed to find:

As I see, JAR packages mentioned before have same SHA as from maven.org. So JAR files themselves are not manipulated/changed. And I would also expect to get same results as from https://repo1.maven.org/maven2/com/google/guava/guava/23.0/guava-23.0.pom

@prabhu
Contributor Author

prabhu commented Sep 1, 2023

@theold190, let me read the referenced thread and links! This is super-cool information.

@prabhu prabhu marked this pull request as draft September 1, 2023 12:24
@prabhu prabhu force-pushed the fix/issue-504 branch 2 times, most recently from 31db422 to 9b52200 Compare September 1, 2023 22:14
@prabhu
Contributor Author

prabhu commented Sep 1, 2023

@theold190, I have improved the logic to make the group match the value from the maven plugin in maven-cache mode. So you will see the groups such as p2.osgi.bundle, p2.eclipse.plugin. In addition, the qualifier would be set to osgi-bundle, eclipse-plugin. I feel this is the best compromise for this.
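The difference between the two guava rows in the table above, and the group/qualifier mapping described in this comment, can be shown side by side. The block below is an added example written for this page, not cdxgen's own code: it derives a PURL for a jar found under `~/.m2/repository` three ways, a naive path-only parse that reproduces the over-long `p2.osgi.bundle.com.google.guava` namespace from the table, a parse that recognises the p2 cache layouts and emits the `p2.osgi.bundle` / `p2.eclipse.plugin` group with an `osgi-bundle` / `eclipse-plugin` qualifier, and a POM-based lookup that inherits `groupId` and `version` from `<parent>` the way guava's POM requires. The directory layouts, the sample POM and the function names are assumptions constructed for the example.

```javascript
// Added example (not cdxgen's own code): derive a Package URL (PURL) for a jar
// cached in a Maven local repository, comparing a naive path-only parse with
// one that prefers the sibling .pom and maps the p2/Tycho cache layout to the
// group and qualifier the maven plugin uses. Layouts below are assumptions.
//   standard:  com/google/guava/guava/23.0/guava-23.0.jar
//   p2 bundle: p2/osgi/bundle/com.google.guava/23.0.0/com.google.guava-23.0.0.jar
//   p2 plugin: p2/eclipse/plugin/<symbolic.name>/<version>/<symbolic.name>-<version>.jar

const P2_LAYOUTS = {
  "p2/osgi/bundle": { group: "p2.osgi.bundle", type: "osgi-bundle" },
  "p2/eclipse/plugin": { group: "p2.eclipse.plugin", type: "eclipse-plugin" },
};

function buildPurl(group, name, version, type) {
  const e = encodeURIComponent;
  return `pkg:maven/${e(group)}/${e(name)}@${e(version)}?type=${type}`;
}

// Split "<dirs>/<name>/<version>/<name>-<version>.jar" into its parts, or
// return null when the file name does not follow the Maven convention
// (classifier jars such as -sources.jar are rejected rather than guessed).
function splitCachePath(relPath) {
  const parts = relPath.split("/").filter(Boolean);
  if (parts.length < 3) return null;
  const file = parts.pop();
  const version = parts.pop();
  const name = parts.pop();
  if (file !== `${name}-${version}.jar`) return null;
  return { dirs: parts, name, version };
}

// Naive: every directory above the version folder becomes the namespace and
// the name is taken from the file name. For the p2 layout this yields the
// over-long namespace seen in the thread's comparison table.
function naivePurl(relPath) {
  const parts = relPath.split("/").filter(Boolean);
  const file = parts.pop();
  const version = parts.pop();
  const name = file.slice(0, file.length - `-${version}.jar`.length);
  return buildPurl(parts.join("."), name, version, "jar");
}

function firstTag(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>\\s*([^<]+?)\\s*</${tag}>`));
  return m ? m[1] : undefined;
}

// Resolve groupId/artifactId/version from a POM, inheriting groupId and
// version from <parent> when the project omits them (as guava's POM does).
// Nested blocks are stripped first so a dependency's <version> is never
// mistaken for the project's own.
function coordsFromPom(pomXml) {
  const parentMatch = pomXml.match(/<parent>([\s\S]*?)<\/parent>/);
  const parent = parentMatch ? parentMatch[1] : "";
  let own = pomXml.replace(/<parent>[\s\S]*?<\/parent>/, "");
  for (const block of ["dependencyManagement", "dependencies", "build", "profiles"]) {
    own = own.replace(new RegExp(`<${block}>[\\s\\S]*?</${block}>`, "g"), "");
  }
  const group = firstTag(own, "groupId") || firstTag(parent, "groupId");
  const name = firstTag(own, "artifactId");
  const version = firstTag(own, "version") || firstTag(parent, "version");
  return group && name && version ? { group, name, version } : null;
}

// Preferred: p2 layouts get the maven plugin's group and a qualifier; other
// jars use the sibling POM when available and fall back to the path.
function purlForCachedJar(relPath, pomXml) {
  const split = splitCachePath(relPath);
  if (!split) return null;
  const p2 = P2_LAYOUTS[split.dirs.join("/")];
  if (p2) return buildPurl(p2.group, split.name, split.version, p2.type);
  const coords = pomXml ? coordsFromPom(pomXml) : null;
  if (coords) return buildPurl(coords.group, coords.name, coords.version, "jar");
  return buildPurl(split.dirs.join("."), split.name, split.version, "jar");
}

// Constructed sample mirroring the shape of guava-23.0.pom (not the real file):
// groupId and version are only present in <parent>.
const SAMPLE_GUAVA_POM = `<?xml version="1.0"?>
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.google.guava</groupId>
    <artifactId>guava-parent</artifactId>
    <version>23.0</version>
  </parent>
  <artifactId>guava</artifactId>
  <name>Guava: Google Core Libraries for Java</name>
  <dependencies>
    <dependency>
      <groupId>com.google.code.findbugs</groupId>
      <artifactId>jsr305</artifactId>
      <version>1.3.9</version>
    </dependency>
  </dependencies>
</project>`;

const STANDARD_PATH = "com/google/guava/guava/23.0/guava-23.0.jar";
const P2_PATH = "p2/osgi/bundle/com.google.guava/23.0.0/com.google.guava-23.0.0.jar";

console.log("naive p2      :", naivePurl(P2_PATH));
console.log("mapped p2     :", purlForCachedJar(P2_PATH));
console.log("pom-based     :", purlForCachedJar(STANDARD_PATH, SAMPLE_GUAVA_POM));
console.log("classifier jar:", purlForCachedJar("com/google/guava/guava/23.0/guava-23.0-sources.jar"));
```

The `osgi-bundle` and `eclipse-plugin` qualifiers keep the p2 components distinguishable from plain Maven Central jars in the SBOM; a consumer that only knows `com.google.guava/guava` will still not enrich them, which is the Dependency-Track limitation discussed later in the thread.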

@prabhu prabhu marked this pull request as ready for review September 1, 2023 23:07
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
…maven plugin

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@theold190

I see. I can confirm that in the results I can now see the p2.osgi.bundle group. So now at least the SBOM file lists those components. That is an improvement.

Unfortunately in Dependency tracker it still doesn't show additional info. And I am not sure Dependency tracker developers would add special handling of p2.osgi.bundle and similar (DependencyTrack/dependency-track#244)

@prabhu
Contributor Author

prabhu commented Sep 4, 2023

@theold190 Thank you for the confirmation. I will merge this PR since the jars are no longer missed. For Dependency Track and Maven plugin threads, I will watch them closely and make cdxgen compatible with what gets agreed upon.

As an interim, I can add an alias on the upcoming dep-scan project to support p2 and osgi apps.

@prabhu prabhu merged commit ca87af2 into master Sep 4, 2023
8 checks passed
@prabhu prabhu deleted the fix/issue-504 branch September 4, 2023 10:30
sebastianvoss pushed a commit to sebastianvoss/cdxgen that referenced this pull request Sep 8, 2023
* Try harder to catalog maven cache

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* For p2 osgi bundles make the group match the current behavior of the maven plugin

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update packages

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Successfully merging this pull request may close these issues.

Maven-cache analysis is missing some Jar files from .m2/repository