
Attribute "dependsOn" empty for parent module in multimodule ci-friendly maven project #263

Closed
asoldo11 opened this issue Jan 23, 2023 · 8 comments · Fixed by #334

Comments

@asoldo11

asoldo11 commented Jan 23, 2023

I am using cyclonedx-maven-plugin v2.7.4 to generate an SBOM, which I upload to Dependency-Track.

I tried creating a bunch of different projects and uploading the analysis to the tool, and for every one I tested I always got an appropriate dependency graph.

But for a Maven CI-friendly multimodule project, the dependency graph is not generated at all (I just have the root node, without the + sign that other projects have). I tried with several other multimodule Maven projects that are not CI-friendly, and for them I do get a dependency graph.

If I upload the analysis for just one Maven module inside this "problematic" project, I get the corresponding dependency graph (I tried this with all modules inside it and all of them produced a graph).

I am attaching both SBOMs, for the parent project and for one module, only replacing some URLs (all PURLs are intact) which are business-private (module_bom.json produces a graph, parent_bom.json does not): sboms.zip

The CycloneDX Maven plugin is defined in the root pom.xml like this:

<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.4</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

The Maven CI-friendly adjustment is done exactly like here.

I am running the Maven goal mvn clean package from the root of the project.

Logs for the parent project SBOM creation are below:

LOG
11:52:29,032 [INFO] --- cyclonedx-maven-plugin:2.7.4:makeAggregateBom (default) @ ms-starter-parent ---
11:52:29,278 [INFO] CycloneDX: Parameters
11:52:29,281 [INFO] ------------------------------------------------------------------------
11:52:29,287 [INFO] schemaVersion          : 1.4
11:52:29,293 [INFO] includeBomSerialNumber : true
11:52:29,296 [INFO] includeCompileScope    : true
11:52:29,297 [INFO] includeProvidedScope   : true
11:52:29,299 [INFO] includeRuntimeScope    : true
11:52:29,302 [INFO] includeTestScope       : false
11:52:29,304 [INFO] includeSystemScope     : true
11:52:29,306 [INFO] includeLicenseText     : false
11:52:29,309 [INFO] outputFormat           : all
11:52:29,313 [INFO] outputName             : bom
11:52:29,317 [INFO] outputReactorProjects  : true
11:52:29,320 [INFO] ------------------------------------------------------------------------
11:52:41,339 [WARNING] An unexpected issue occurred attempting to resolve the effective pom for  org.xerial.snappy:snappy-java:1.1.7.7
org.apache.maven.project.ProjectBuildingException: Some problems were encountered while processing the POMs:
[ERROR] Unknown packaging: bundle @ line 6, column 16

    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:207)
    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:342)
    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:299)
    at org.cyclonedx.maven.BaseCycloneDxMojo.getEffectiveMavenProject (BaseCycloneDxMojo.java:449)
    at org.cyclonedx.maven.BaseCycloneDxMojo.convert (BaseCycloneDxMojo.java:406)
    at org.cyclonedx.maven.CycloneDxAggregateMojo.analyze (CycloneDxAggregateMojo.java:144)
    at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:609)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.model.building.ModelBuildingException: 1 problem was encountered while building the effective model for org.xerial.snappy:snappy-java:1.1.7.7
[ERROR] Unknown packaging: bundle @ line 6, column 16

    at org.apache.maven.model.building.DefaultModelProblemCollector.newModelBuildingException (DefaultModelProblemCollector.java:197)
    at org.apache.maven.model.building.DefaultModelBuilder.build (DefaultModelBuilder.java:498)
    at org.apache.maven.model.building.DefaultModelBuilder.build (DefaultModelBuilder.java:440)
    at org.apache.maven.model.building.DefaultModelBuilder.build (DefaultModelBuilder.java:430)
    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:173)
    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:342)
    at org.apache.maven.project.DefaultProjectBuilder.build (DefaultProjectBuilder.java:299)
    at org.cyclonedx.maven.BaseCycloneDxMojo.getEffectiveMavenProject (BaseCycloneDxMojo.java:449)
    at org.cyclonedx.maven.BaseCycloneDxMojo.convert (BaseCycloneDxMojo.java:406)
    at org.cyclonedx.maven.CycloneDxAggregateMojo.analyze (CycloneDxAggregateMojo.java:144)
    at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:609)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
11:52:44,904 [INFO] CycloneDX: Creating BOM
11:52:45,997 [INFO] CycloneDX: Writing BOM (XML): C:\test\ms-starter-parent\target\bom.xml
11:52:46,023 [INFO] CycloneDX: Validating BOM (XML): C:\test\ms-starter-parent\target\bom.xml
11:52:46,362 [INFO] CycloneDX: Writing BOM (JSON): C:\test\ms-starter-parent\target\bom.json
11:52:46,367 [INFO] CycloneDX: Validating BOM (JSON): C:\test\ms-starter-parent\target\bom.json

From the data itself, I see that inside dependencies, dependsOn for the ref that represents the root project (packaging pom) is empty:

"dependencies" : [
    {
      "ref" : "pkg:maven/hr.vestigo/ms-starter-parent@1.5.0-SNAPSHOT?type=pom",
      "dependsOn" : [ ]
    }

and for other multimodule Maven projects this list contains all modules and dependencies.

If I manually fill in the module references for the parent ref and upload such an SBOM, the graph is then displayed correctly.

@hboutemy
Contributor

Oh, interesting case: can you share a sample simplified project, so we can reproduce and work on improving?

@asoldo11
Author

> Oh, interesting case: can you share a sample simplified project, so we can reproduce and work on improving?

I'll try to set up something similar and upload it to GH. Will post a link to the repo afterwards.

@asoldo11
Author

> Oh, interesting case: can you share a sample simplified project, so we can reproduce and work on improving?

I created something similar to our real project in a GH repo: https://github.com/asoldo11/demo

There are 2 branches:

  1. main - contains the Maven CI-friendly setup of the project, which generates an empty "dependsOn" for the parent module
  2. parent-pom-with-dependencies - a "traditional" multimodule Maven project, which generates the appropriate "dependsOn" list for the parent module.

If there's anything else I can help with, let me know.

@asoldo11
Author

@hboutemy I also tried to run mvn dependency:tree to see what it produces and got the same result: the root node does not have any dependencies at all. Results are in the section below.

Results
$ mvn dependency:tree

[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] 
[INFO] demo                                                               [pom]
[INFO] demo-child-2                                                       [jar]
[INFO] demo-child-1                                                       [jar]
[INFO] 
[INFO] --------------------------< com.example:demo >--------------------------
[INFO] Building demo 0.0.1-SNAPSHOT                                       [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:pom:0.0.1-SNAPSHOT
[INFO] 
[INFO] ----------------------< com.example:demo-child-2 >----------------------
[INFO] Building demo-child-2 0.0.1-SNAPSHOT                               [2/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-child-2 ---
[INFO] com.example:demo-child-2:jar:0.0.1-SNAPSHOT
[INFO] \- junit:junit:jar:3.8.1:test
[INFO] 
[INFO] ----------------------< com.example:demo-child-1 >----------------------
[INFO] Building demo-child-1 0.0.1-SNAPSHOT                               [3/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-child-1 ---
[INFO] com.example:demo-child-1:jar:0.0.1-SNAPSHOT
[INFO] +- com.example:demo-child-2:jar:0.0.1-SNAPSHOT:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:3.0.2:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:3.0.2:compile
[INFO]    |  +- org.springframework.boot:spring-boot:jar:3.0.2:compile
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:3.0.2:compile
[INFO]    |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO]    |  +- org.springframework:spring-core:jar:6.0.4:compile
[INFO]    |  |  \- org.springframework:spring-jcl:jar:6.0.4:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    +- org.springframework.boot:spring-boot-starter-json:jar:3.0.2:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
[INFO]    |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.1:compile
[INFO]    |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.14.1:compile
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.14.1:compile
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.14.1:compile
[INFO]    |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.14.1:compile
[INFO]    +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.0.2:compile
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.5:compile
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.5:compile
[INFO]    |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.5:compile
[INFO]    +- org.springframework:spring-web:jar:6.0.4:compile
[INFO]    |  +- org.springframework:spring-beans:jar:6.0.4:compile
[INFO]    |  \- io.micrometer:micrometer-observation:jar:1.10.3:compile
[INFO]    |     \- io.micrometer:micrometer-commons:jar:1.10.3:compile
[INFO]    \- org.springframework:spring-webmvc:jar:6.0.4:compile
[INFO]       +- org.springframework:spring-aop:jar:6.0.4:compile
[INFO]       +- org.springframework:spring-context:jar:6.0.4:compile
[INFO]       \- org.springframework:spring-expression:jar:6.0.4:compile
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for demo 0.0.1-SNAPSHOT:
[INFO] 
[INFO] demo ............................................... SUCCESS [  1.049 s]
[INFO] demo-child-2 ....................................... SUCCESS [  0.035 s]
[INFO] demo-child-1 ....................................... SUCCESS [  0.093 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.697 s
[INFO] Finished at: 2023-01-25T09:13:31+01:00
[INFO] ------------------------------------------------------------------------

I do not know if this means anything to you or can help you track down what might be the problem.

Also, if you see something problematic in pom.xml that could be defined differently while keeping all relations as they are, please let me know so I can test it on both the demo and the real project.

@hboutemy
Contributor

@asoldo11 OK, I can build; then I'll need your help to define very concretely what you get vs. what you expect in your example:

  1. main: I build with mvn package -Drevision=rev; there are 3 bom.xml and bom.json: which one contains which result that surprises you, and which output would you expect?
  2. parent-pom-with-dependencies: mvn package gives which expected output in which bom file?

@asoldo11
Author

@hboutemy

> 1. main: I build with mvn package -Drevision=rev; there are 3 bom.xml and bom.json: which one contains which result that surprises you, and which output would you expect?

The JSON in demo/target/bom.json surprises me the most, with the following lines:

"dependencies" : [
    {
      "ref" : "pkg:maven/com.example/demo@rev?type=pom",
      "dependsOn" : [ ]
    },

I would expect it to be something like:

"dependencies" : [
    {
      "ref" : "pkg:maven/com.example/demo@rev?type=pom",
      "dependsOn" : [
        "pkg:maven/com.example/demo-child-1@rev?type=jar",
        "pkg:maven/com.example/demo-child-2@rev?type=jar"
      ]
    },

> 2. parent-pom-with-dependencies: mvn package gives which expected output in which bom file?

The JSON in demo/target/bom.json produces the output that I would expect:

"dependencies" : [
    {
      "ref" : "pkg:maven/com.example/demo@0.0.1-SNAPSHOT?type=pom",
      "dependsOn" : [
        "pkg:maven/com.example/demo-child-2@0.0.1-SNAPSHOT?type=jar",
        "pkg:maven/com.example/demo-child-1@0.0.1-SNAPSHOT?type=jar"
      ]
    },

I always looked only at the JSON, but the same goes for the XML in demo/target/bom.xml: on branch main, instead of:

<dependencies>
    <dependency ref="pkg:maven/com.example/demo@rev?type=pom" />

I would expect it to be like this:

<dependencies>
    <dependency ref="pkg:maven/com.example/demo@rev?type=pom">
      <dependency ref="pkg:maven/com.example/demo-child-2@rev?type=jar"/>
      <dependency ref="pkg:maven/com.example/demo-child-1@rev?type=jar"/>
    </dependency>
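
As an added pre-upload check (not code from the plugin or from the reporter), the script below detects the symptom discussed in this thread: it walks dependsOn from metadata.component and lists every component that can never be reached from the root, which is what leaves the graph empty in Dependency-Track. The two sample BOMs are constructed inline to mirror the main and parent-pom-with-dependencies branches; their refs and component lists are assumptions modelled on the demo project.

```python
import json

# Constructed sample BOMs shaped like demo/target/bom.json from the issue
# (cyclonedx-maven-plugin makeAggregateBom output, CycloneDX 1.4 JSON).
# The refs below are assumptions modelled on the demo project.
ROOT = "pkg:maven/com.example/demo@rev?type=pom"
CHILD1 = "pkg:maven/com.example/demo-child-1@rev?type=jar"
CHILD2 = "pkg:maven/com.example/demo-child-2@rev?type=jar"
WEB = "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.0.2?type=jar"


def make_bom(root_depends_on):
    """Build a minimal aggregate BOM; only the root's dependsOn list varies."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": ROOT, "name": "demo", "version": "rev"}},
        "components": [
            {"bom-ref": CHILD1, "name": "demo-child-1", "version": "rev"},
            {"bom-ref": CHILD2, "name": "demo-child-2", "version": "rev"},
            {"bom-ref": WEB, "name": "spring-boot-starter-web", "version": "3.0.2"},
        ],
        "dependencies": [
            {"ref": ROOT, "dependsOn": root_depends_on},
            {"ref": CHILD1, "dependsOn": [CHILD2, WEB]},
            {"ref": CHILD2, "dependsOn": []},
            {"ref": WEB, "dependsOn": []},
        ],
    })


BROKEN_BOM = make_bom([])               # what branch "main" produced
FIXED_BOM = make_bom([CHILD1, CHILD2])  # what the reporter expected


def audit_dependency_graph(bom_json):
    """Walk dependsOn edges from metadata.component; report refs never reached.

    The graph Dependency-Track draws starts at the root component, so an empty
    root entry leaves every other component detached from the tree.
    """
    bom = json.loads(bom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    seen, stack = set(), [root]
    while stack:  # iterative DFS; tolerates cycles and refs without an entry
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return {
        "root": root,
        "root_has_children": bool(edges.get(root)),
        "orphans": sorted(declared - seen),
    }
```

Run it against a real target/bom.json with `audit_dependency_graph(open("target/bom.json").read())`; a non-empty orphans list on an aggregate BOM is the signal to stop before uploading.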

@asoldo11
Author

any progress on this one?

hboutemy added a commit that referenced this issue Feb 25, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
@hboutemy
Contributor

test added in #292 (failing as expected)

hboutemy added a commit that referenced this issue Feb 28, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
hboutemy added a commit that referenced this issue Feb 28, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
hboutemy added a commit that referenced this issue Feb 28, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
hboutemy added a commit that referenced this issue Mar 9, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
knrc pushed a commit to knrc/cyclonedx-maven-plugin that referenced this issue Apr 11, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
knrc added a commit to knrc/cyclonedx-maven-plugin that referenced this issue Apr 11, 2023
knrc pushed a commit to knrc/cyclonedx-maven-plugin that referenced this issue Apr 13, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
knrc added a commit to knrc/cyclonedx-maven-plugin that referenced this issue Apr 13, 2023
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
2 participants