Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] SBOM generation does not find right purl with wordpress composer installation #324

Closed
fakeNews-jpg opened this issue Mar 1, 2023 · 7 comments
Closed

[BUG] SBOM generation does not find right purl with wordpress composer installation #324

fakeNews-jpg opened this issue Mar 1, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@fakeNews-jpg
Copy link

Describe the bug

When installing wordpress with composer and then generating sbom with this tool, dependency track does not find any vulnerability.

To Reproduce

You might use this composer.json:

{
  "name": "coucou/cava",
  "description": "coucou.fr",
  "keywords": [
    "wordpress", "composer"
  ],
  "version": "1.0.0",
  "license": "",
  "authors": [
    {
      "name": "coucou",
      "homepage": "https://coucou.fr/"
    }
  ],
  "type": "post",
  "require": {
    "composer/installers": "~1.0",
    "wordpress/wordpress": "5.3.2",
    "koodimonni-language/core-fr_fr": "*",
    "wpackagist-plugin/child-theme-configurator": "^2.6.0",
    "wpackagist-plugin/duplicate-page": "^4.5.1",
    "wpackagist-plugin/elementor": "3.6.2",
    "wpackagist-plugin/matomo": "^4.13.5",
    "wpackagist-plugin/royal-elementor-addons": "^1.3.65",
    "wpackagist-plugin/premium-addons-for-elementor": "^4.9.50"
  },
  "repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org"
    },
    {
      "type": "package",
      "package": {
        "name": "wordpress/wordpress",
        "type": "webroot",
        "version": "5.3.2",
        "source": {
          "url": "https://github.com/WordPress/WordPress.git",
          "type": "git",
          "reference": "5.3.2"
        },
        "require": {
          "fancyguy/webroot-installer": "^1.0.0"
        }
      }
    },
    {
      "type": "composer",
      "url": "https://wp-languages.github.io"
    }
  ],
  "config": {
    "vendor-dir": "htdocs/wp-content/vendor"
  },
  "extra": {
    "installer-paths": {
      "htdocs/wp-content/plugins/{$name}/": [
        "type:wordpress-plugin"
      ],
      "htdocs/wp-content/themes/{$name}/": [
        "type:wordpress-theme"
      ]
    },
    "webroot-dir": "htdocs/wp",
    "webroot-package": "wordpress/wordpress",
    "wordpress-install-dir": "htdocs/wp",
    "dropin-paths": {
      "htdocs/wp-content/languages/": [
        "vendor:koodimonni-language"
      ],
      "htdocs/wp-content/languages/plugins/": [
        "vendor:koodimonni-plugin-language"
      ],
      "htdocs/wp-content/languages/themes/": [
        "vendor:koodimonni-theme-language"
      ]
    }
  }
}

Expected behavior

At least, wordpress and elementor are outdated and vulnerable to public known vulnerabilities

Screenshots or output-paste

Environment

  • cyclonedx-php-composer version: latest version
  • Composer version: latest version
  • PHP version: latest version
  • OS: debian 11

Additional context

Add any other context about the problem here.
@fakeNews-jpg fakeNews-jpg added the bug Something isn't working label Mar 1, 2023
@jkowalleck
Copy link
Member

Thanks for the report, @fakeNews-jpg

you described the bug as

When installing wordpress with composer and then generating sbom with this tool, dependency track does not find any vulnerability.

you wrote the expected behaviour to be

At least, wordpress and elementor are outdated and vulnerable to public known vulnerabilities

You are reporting an issue to an SBOM generator. A generator that does not do vulnerability scanning nor analysis.
Therefore, I do not understand your problem.

Could you edit your post and add the correct information to the section "Environment"?
Could you provide the generated SBOM that seems insufficient to you? Could you describe what appears to be your problem?

@fakeNews-jpg
Copy link
Author

Thanks for your answer @jkowalleck ,

Here is the generated sbom :

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <metadata>
    <tools>
      <tool>
        <vendor><![CDATA[cyclonedx]]></vendor>
        <name><![CDATA[cyclonedx-php-composer]]></name>
        <version><![CDATA[3.11.0]]></version>
      </tool>
    </tools>
    <component type="library" bom-ref="pkg:composer/coucou/cava@1.0.0">
      <group><![CDATA[coucou]]></group>
      <name><![CDATA[cava]]></name>
      <version><![CDATA[1.0.0]]></version>
      <description><![CDATA[coucou.fr]]></description>
      <purl><![CDATA[pkg:composer/gpsea/festivaldulivredecreteil@1.0.0]]></purl>
    </component>
  </metadata>
  <components>
    <component type="application" bom-ref="pkg:composer/composer/installers@1.12.0">
      <group><![CDATA[composer]]></group>
      <name><![CDATA[installers]]></name>
      <version><![CDATA[1.12.0]]></version>
      <description><![CDATA[A multi-framework Composer library installer]]></description>
      <licenses>
        <license>
          <id><![CDATA[MIT]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/composer/installers@1.12.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/composer/installers.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=d20a64ed3c94748397ff5973488761b22f6d3f19)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/composer/installers/zipball/d20a64ed3c94748397ff5973488761b22f6d3f19]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=d20a64ed3c94748397ff5973488761b22f6d3f19 & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://composer.github.io/installers/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/composer/installers/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/composer/installers/tree/v1.12.0]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://packagist.com]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=custom)]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://github.com/composer]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=github)]]></comment>
        </reference>
        <reference type="other">
          <url><![CDATA[https://tidelift.com/funding/github/packagist/composer/composer]]></url>
          <comment><![CDATA[As set via `funding` in composer package definition. (type=tidelift)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/fancyguy/webroot-installer@1.1.0">
      <group><![CDATA[fancyguy]]></group>
      <name><![CDATA[webroot-installer]]></name>
      <version><![CDATA[1.1.0]]></version>
      <description><![CDATA[A composer installer for libraries that live in an application webroot.]]></description>
      <licenses>
        <license>
          <id><![CDATA[BSD-3-Clause]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/fancyguy/webroot-installer@1.1.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=a2d5c2e149d837e5580a62a91d3c91577aa30d28)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/fancyguy/webroot-installer/zipball/a2d5c2e149d837e5580a62a91d3c91577aa30d28]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=a2d5c2e149d837e5580a62a91d3c91577aa30d28 & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[http://fancyguy.github.com/webroot-installer/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/fancyguy/webroot-installer/tree/master]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1">
      <group><![CDATA[koodimonni-language]]></group>
      <name><![CDATA[core-fr_fr]]></name>
      <version><![CDATA[6.1.1]]></version>
      <description><![CDATA[WordPress core translations for French (France) - fr_fr]]></description>
      <purl><![CDATA[pkg:composer/koodimonni-language/core-fr_fr@6.1.1]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/translation/core/6.1.1/fr_FR.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="application" bom-ref="pkg:composer/koodimonni/composer-dropin-installer@1.4">
      <group><![CDATA[koodimonni]]></group>
      <name><![CDATA[composer-dropin-installer]]></name>
      <version><![CDATA[1.4]]></version>
      <description><![CDATA[Install packages or a few files from packages into custom paths without overwriting existing stuff.]]></description>
      <licenses>
        <license>
          <id><![CDATA[WTFPL]]></id>
        </license>
      </licenses>
      <purl><![CDATA[pkg:composer/koodimonni/composer-dropin-installer@1.4]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://api.github.com/repos/Koodimonni/Composer-Dropin-Installer/zipball/9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=9596ef8f50cbba2cdc707ca3b1f5e4a0e9fa7e7e & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="issue-tracker">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer/issues]]></url>
          <comment><![CDATA[As set via `support.issues` in composer package definition.]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://github.com/Koodimonni/Composer-Dropin-Installer/tree/1.4]]></url>
          <comment><![CDATA[As set via `support.source` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wordpress/wordpress@5.3.2">
      <group><![CDATA[wordpress]]></group>
      <name><![CDATA[wordpress]]></name>
      <version><![CDATA[5.3.2]]></version>
      <purl><![CDATA[pkg:composer/wordpress/wordpress@5.3.2]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://github.com/WordPress/WordPress.git]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=git & reference=5.3.2)]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[child-theme-configurator]]></name>
      <version><![CDATA[2.6.0]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/child-theme-configurator/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/2.6.0)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/child-theme-configurator.2.6.0.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/child-theme-configurator/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[duplicate-page]]></name>
      <version><![CDATA[4.5.1]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/duplicate-page@4.5.1]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/duplicate-page/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=trunk)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/duplicate-page.zip?timestamp=1675851876]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/duplicate-page/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[elementor]]></name>
      <version><![CDATA[3.6.2]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/elementor@3.6.2]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/elementor/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/3.6.2)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/elementor.3.6.2.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/elementor/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/matomo@4.13.5">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[matomo]]></name>
      <version><![CDATA[4.13.5]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/matomo@4.13.5]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/matomo/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/4.13.5)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/matomo.4.13.5.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/matomo/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[premium-addons-for-elementor]]></name>
      <version><![CDATA[4.9.50]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/premium-addons-for-elementor/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/4.9.50)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/premium-addons-for-elementor.4.9.50.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/premium-addons-for-elementor/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65">
      <group><![CDATA[wpackagist-plugin]]></group>
      <name><![CDATA[royal-elementor-addons]]></name>
      <version><![CDATA[1.3.65]]></version>
      <purl><![CDATA[pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65]]></purl>
      <externalReferences>
        <reference type="distribution">
          <url><![CDATA[https://plugins.svn.wordpress.org/royal-elementor-addons/]]></url>
          <comment><![CDATA[As detected by composer's `getSourceUrls()` (type=svn & reference=tags/1.3.65)]]></comment>
        </reference>
        <reference type="distribution">
          <url><![CDATA[https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.65.zip]]></url>
          <comment><![CDATA[As detected by composer's `getDistUrls()` (type=zip & reference=UNDEFINED & sha1=UNDEFINED)]]></comment>
        </reference>
        <reference type="website">
          <url><![CDATA[https://wordpress.org/plugins/royal-elementor-addons/]]></url>
          <comment><![CDATA[As set via `homepage` in composer package definition.]]></comment>
        </reference>
      </externalReferences>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    <dependency ref="pkg:composer/fancyguy/webroot-installer@1.1.0"/>
    <dependency ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1">
      <dependency ref="pkg:composer/koodimonni/composer-dropin-installer@1.4"/>
    </dependency>
    <dependency ref="pkg:composer/koodimonni/composer-dropin-installer@1.4"/>
    <dependency ref="pkg:composer/wordpress/wordpress@5.3.2">
      <dependency ref="pkg:composer/fancyguy/webroot-installer@1.1.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/elementor@3.6.2">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/matomo@4.13.5">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
    </dependency>
    <dependency ref="pkg:composer/coucou/cava@1.0.0">
      <dependency ref="pkg:composer/composer/installers@1.12.0"/>
      <dependency ref="pkg:composer/wordpress/wordpress@5.3.2"/>
      <dependency ref="pkg:composer/koodimonni-language/core-fr_fr@6.1.1"/>
      <dependency ref="pkg:composer/wpackagist-plugin/child-theme-configurator@2.6.0"/>
      <dependency ref="pkg:composer/wpackagist-plugin/duplicate-page@4.5.1"/>
      <dependency ref="pkg:composer/wpackagist-plugin/elementor@3.6.2"/>
      <dependency ref="pkg:composer/wpackagist-plugin/matomo@4.13.5"/>
      <dependency ref="pkg:composer/wpackagist-plugin/royal-elementor-addons@1.3.65"/>
      <dependency ref="pkg:composer/wpackagist-plugin/premium-addons-for-elementor@4.9.50"/>
    </dependency>
  </dependencies>
</bom>

For me, but i'm probably wrong, the issue come from the fact that purl is pkg:composer/wpackagist-plugin/elementor but should not be as long as it is not recognized in tools that ingest this BOM? Indeed, i can not find a way to get it to work with a wordpress and dependency track

If possible, can you explain to me how to generate a valid SBOM for dependency track for a wordpress installation?

Thanks a lot for your help

@jkowalleck
Copy link
Member

jkowalleck commented Mar 1, 2023
edited

First of, you wrote to be using latest version of PHP, composer and this plugin.
If this was true, and your provided composer.json was correct, then you might have noticed that some of the composer installers you used were outdated and nonfunctional, and your setup was not installable at all.
Therefore, I have to doubt your story entirely.

Regarding your issue with the packages not being picked up by DependencyTrack, this might be because DependencyTrack checks packages of type composer against http://packagist.org, but you might have sources from another registry: https://wpackagist.org
Please ask the people of DependencyTrack, how you could add additional composer-based registries.

@jkowalleck jkowalleck mentioned this issue Mar 1, 2023
Open
4 tasks
@fakeNews-jpg
Copy link
Author

Thanks for your help, effectively i added already wpackagist.org in registries of dependency track but this wasn't successful (in administration/repositories/composer)

effectively, i maybe was too speedy when writing this issue, php version is:

PHP 7.4.33 (cli) (built: Feb 22 2023 20:07:47) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.33, Copyright (c), by Zend Technologies

and composer version is: Composer 2.0.9 2021-01-27 16:09:27

If you think that it is a dependency track issue, i will open one issue in their repository and close this one

Thanks a lot for your help

@jkowalleck
Copy link
Member

jkowalleck commented Mar 1, 2023
edited

Please help me out, please run composer show --tree on your project and compare the results.
Are all components correctly added to the SBOM result? Is one missing?
Please let me know your findings.

The PURLs could be enhanced - via #93
Unfortunately, composer does not give any evidence for non-standard package registries, so this is currently not detectable properly.

Feel free to approach the DependencyTrack issue tracker.

@fakeNews-jpg
Copy link
Author

Here is the result of composer show tree:

composer/installers v1.12.0 A multi-framework Composer library installer
└──composer-plugin-api ^1.0 || ^2.0
koodimonni-language/core-fr_fr 6.1.1 WordPress core translations for French (France) - fr_fr
└──koodimonni/composer-dropin-installer >=0.2.3
   ├──composer-plugin-api ^1.0 | ^2.0
   └──php >=5.3.2
wordpress/wordpress 5.3.2
└──fancyguy/webroot-installer ^1.0.0
wpackagist-plugin/child-theme-configurator 2.6.0
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0
wpackagist-plugin/duplicate-page 4.5.1
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0
wpackagist-plugin/elementor 3.6.2
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0
wpackagist-plugin/matomo 4.13.5
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0
wpackagist-plugin/premium-addons-for-elementor 4.9.50
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0
wpackagist-plugin/royal-elementor-addons 1.3.65
└──composer/installers ^1.0 || ^2.0
   └──composer-plugin-api ^1.0 || ^2.0

No components seem to be missing in the SBOM effectively

I understand for the problem with PURLs, thanks a lot again for all your help

@jkowalleck
Copy link
Member

you are welcome.

Will close for now.
Please file a new issue, if you think the issue persists.

@jkowalleck jkowalleck closed this as not planned Won't fix, can't repro, duplicate, stale Mar 1, 2023
@fakeNews-jpg fakeNews-jpg mentioned this issue Mar 1, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jkowalleck @fakeNews-jpg