Try harder to catalog maven cache #510
@prabhu I have just tested the code from the PR branch. Now the SBOM file contains more components. The ones mentioned in #504 were also included in the resulting SBOM file, so detection of the jar files seems to be improved. Thanks! Though when I uploaded the SBOM file to Dependency tracker, it failed to provide extra information (e.g. latest version, available vulnerabilities) for those newly added components. I have compared how "guava" is reported in another project (where we could see the additional info). Here are some details.
I guess that is due to the PURL information being collected by parsing the name/path of the .jar file instead of using the info from .pom/META-INF/.jar.
@theold190 Let me investigate. I think it must match the id from this file: https://repo1.maven.org/maven2/com/google/guava/guava/23.0/guava-23.0.pom
@theold190, do you have any docs on the p2 osgi bundle / p2artifacts.xml? It appears to have its own namespace which is quite different from the linked guava poms. A sample app with the same plugins from your pom.xml might help.
@prabhu now we are coming to an area where my knowledge is quite limited, so I can't really create an example app that would use an OSGI bundle. Though here are some details I managed to find:
As I see, the JAR packages mentioned before have the same SHA as on maven.org, so the JAR files themselves are not manipulated/changed. And I would also expect to get the same results as from https://repo1.maven.org/maven2/com/google/guava/guava/23.0/guava-23.0.pom
@theold190, let me read the referenced thread and links! This is super-cool information.
31db422 to 9b52200
@theold190, I have improved the logic to make the group match the value from the maven plugin in
ca6fcfd to 7746647
I see. I can confirm that in the results I can now see the p2.osgi.bundle group, so now at least the SBOM file lists those components. That is an improvement. Unfortunately in Dependency tracker it still doesn't show the additional info, and I am not sure the Dependency tracker developers would add special handling of p2.osgi.bundle and similar (DependencyTrack/dependency-track#244).
@theold190 Thank you for the confirmation. I will merge this PR since the jars are no longer missed. For the Dependency Track and Maven plugin threads, I will watch them closely and make cdxgen compatible with what gets agreed upon. As an interim, I can add an alias in the upcoming dep-scan project to support p2 and osgi apps.
* Try harder to catalog maven cache
  Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
* For p2 osgi bundles make the group match the current behavior of the maven plugin
  Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
* Update packages
  Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
---------
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Fixes #504
@theold190 could you kindly test with this PR branch?