Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

old maven dependencies that have moved to a new group are reported incorrectly. #425

Open
tspascoal opened this issue Oct 19, 2023 · 1 comment
Open

old maven dependencies that have moved to a new group are reported incorrectly. #425

tspascoal opened this issue Oct 19, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@tspascoal
Copy link

When a maven package is moved to a different group, the new group is reported instead of the use one (even though the old still still exists)

See this repro repository that is using the sbom action to report the dependencies.

The dependency being used is mysql:mysql-connector-java:5.1.36

However this package has been moved to another place which only has versions > 8.0.31

If we run ./gradlew app:dependencies

I can see the dependency is correctly indentified

implementation - Implementation only dependencies for null/main. (n)
+--- com.google.guava:guava:32.1.1-jre (n)
+--- com.webauthn4j:webauthn4j-spring-security-core:0.8.0.RELEASE (n)
\--- mysql:mysql-connector-java:5.1.36 (n)

However it's submitted to GitHub dependency submission API as com.mysql.jdbc:mysql-connector-java (notice the new groupId com.mysql.jdbc)

Image

This seems consistent with the SBOM (snippet with some parts cut)

{
   "name": "mysql-connector-java",
   "SPDXID": "SPDXRef-Package-java-archive-mysql-connector-java-f8ab65f985cd53a0",
   "versionInfo": "5.1.36",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "6bb5861f44c21c775ee713a438e5bc493c095f7a"
    }
   ],
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector-java:mysql-connector-java:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql_connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },

    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:jdbc:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:maven/com.mysql.jdbc/mysql-connector-java@5.1.36"
    }

Notice that the SECURITY nodes reference mysql_connector however PACKAGE-MANAGER has the new groupId maven/com.mysql.jdbc/mysql-connector-java@5.1.36 (which version 5.1.3 is not even visible in Maven central)
@popey popey added bug Something isn't working needs-investigation labels Jul 11, 2024
@spiffcs
Copy link
Contributor

spiffcs commented Jul 11, 2024

We found that syft is technically correct here given that it's reading the groupID from the manifest of 5.1.36. These would not retroactively change given the repositories move. The solution here is to have the ability for syft to check all discovered java assets fingerprints against their current maven state and then reconcile that delta. Preferably it would prefer the most current maven information over what was read on disk.

This requires an update in syft and is not technically related to the performance/implementation of the SBOM action.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
3 participants
@popey @tspascoal @spiffcs