
Java pom.xml, no version #2266

Closed
bj1116 opened this issue Oct 29, 2023 · 6 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Comments

bj1116 commented Oct 29, 2023

Java pom.xml, no version.
Example:
pom.xml
(image attached)

syft.exe xxx/
(image attached)

@bj1116 bj1116 added the bug Something isn't working label Oct 29, 2023
tgerla (Contributor) commented Oct 30, 2023

Hi @bj1116, can you share more information about your environment, what version of Syft you are running, and can you please share the steps and files so that we can reproduce this problem locally? Thanks!

coheigea (Contributor) commented Nov 3, 2023

Please attach the pom.xml file

DarkAtra commented Nov 30, 2023

@tgerla @coheigea I'm currently running into the same issue with this project.

The project builds a docker image via the spring boot maven plugin, which internally uses paketo buildpacks and they on the other hand rely on syft to generate the SBOM. For the most recent build syft 0.94.0 was used.

This is the SBOM entry that was generated for the spring-boot-starter-web dependency:

```json
{
 "id": "4bb281bc258e5bed",
 "name": "spring-boot-starter-web",
 "version": "",
 "type": "java-archive",
 "foundBy": "java-pom-cataloger",
 "locations": [
  {
   "path": "/META-INF/maven/de.idealo.security/spring-endpoint-exporter/pom.xml",
   "annotations": {
    "evidence": "primary"
   }
  }
 ],
 "licenses": [],
 "language": "java",
 "cpes": [
  "cpe:2.3:a:spring-boot-starter-web:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter-web:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter_web:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter_web:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:springframework:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:springframework:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:boot:spring_boot_starter_web:*:*:*:*:*:*:*:*"
 ],
 "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
 "metadataType": "JavaMetadata",
 "metadata": {
  "virtualPath": "",
  "pomProperties": {
   "path": "",
   "name": "",
   "groupId": "org.springframework.boot",
   "artifactId": "spring-boot-starter-web",
   "version": ""
  }
 }
}
```

and this is the pom used in that build: https://github.com/idealo/spring-endpoint-exporter

Note that the project is relying on the spring-boot-starter-parent to manage all versions for spring related dependencies. The expected version for the web starter would be 3.2.0.

You should be able to reproduce the result by:

  1. Cloning the repository: https://github.com/idealo/spring-endpoint-exporter
  2. Building the docker image locally via: ./mvnw -B -ntp spring-boot:build-image
  3. Inspecting the resulting docker image's SBOM: /layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json

You could also just inspect the pre-built docker image that's hosted on github.

See also: paketo-buildpacks/spring-boot#421

coheigea (Contributor) commented Dec 4, 2023

Ah yes there is a gap here when a dependency version is declared in a parent pom. I'll take a look at it.

coheigea (Contributor) commented

Fix submitted here: #2423

It needs the configuration:

```yaml
java:
   # when running across pom.xml files that could have more information, syft will
   # explicitly search maven for license information by querying the online pom when this is true eg:
   # https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-test/3.1.5/spring-boot-starter-test-3.1.5.pom
   # this option is helpful for when the parent pom has this information,
   # but it is not accessible from within the final built artifact
   maven-url: "https://repo1.maven.org/maven2"
   max-parent-recursive-depth: 8
   use-network: true
```
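Added example (not code from this issue, from Syft or from Paketo): a Python check that flags Java packages in a Syft-format SBOM whose version is empty, as in the entry DarkAtra posted, and a lookup that resolves such a version from a parent pom's dependencyManagement, which is where the missing version lives in this report. It assumes the syft-json layout with a top-level "artifacts" list; the sample SBOM and the trimmed parent pom are constructed.

```python
"""Flag unversioned Java entries in a Syft JSON SBOM and resolve a managed
version from a parent pom.  Added example, not Syft's own code."""
import json
import xml.etree.ElementTree as ET

# Constructed sample in the syft-json shape (top-level "artifacts" list is assumed).
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "spring-boot-starter-web", "version": "", "type": "java-archive",
     "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
     "metadata": {"pomProperties": {"groupId": "org.springframework.boot",
                                    "artifactId": "spring-boot-starter-web",
                                    "version": ""}}},
    {"name": "jackson-databind", "version": "2.15.3", "type": "java-archive",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3",
     "metadata": {"pomProperties": {"groupId": "com.fasterxml.jackson.core",
                                    "artifactId": "jackson-databind",
                                    "version": "2.15.3"}}},
]})

# Constructed parent pom fragment: the version is only declared here, in
# dependencyManagement, so the child pom packaged in the jar does not carry it.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>3.2.0</version></dependency>
  </dependencies></dependencyManagement></project>"""


def unversioned_java_packages(sbom_text):
    """Return (groupId, artifactId) for java-archive entries with no version.
    Such entries get wildcard CPEs and a purl without '@version', so a
    vulnerability scanner cannot match them reliably; treat them as an
    SBOM quality gate failure."""
    found = []
    for art in json.loads(sbom_text).get("artifacts", []):
        if art.get("type") != "java-archive":
            continue
        if art.get("version") or "@" in art.get("purl", ""):
            continue
        props = art.get("metadata", {}).get("pomProperties", {})
        found.append((props.get("groupId", ""),
                      props.get("artifactId", art.get("name", ""))))
    return found


def managed_version(parent_pom_text, group_id, artifact_id):
    """Look up a version managed in a parent pom's <dependencyManagement>."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(parent_pom_text)
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", ns):
        if (dep.findtext("m:groupId", "", ns) == group_id
                and dep.findtext("m:artifactId", "", ns) == artifact_id):
            return dep.findtext("m:version", "", ns)
    return None
```

Run the first function over a real sbom.syft.json after a build to catch entries like the one above before the SBOM is consumed by a scanner; the second shows what the parent-pom lookup enabled by the configuration above has to find.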

@tgerla tgerla added the changelog-ignore Don't include this issue in the release changelog label Dec 14, 2023
tgerla (Contributor) commented Dec 14, 2023

Thanks, @coheigea. I'll close this issue. Please feel free to open a new one if anyone runs into more trouble. Thanks!
