CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[Gradle] Incorrect dependency information in Gradle project #318

Closed ajmalab closed 1 year ago

ajmalab commented 1 year ago

Hi! The SBOM included in this repository made with cdxgen@8.4.7 shows that pkg:maven/org.flywaydb/flyway-mysql@9.17.0?type=jar depends on pkg:maven/io.opentelemetry/opentelemetry-jdbc@1.19.0?type=jar. This is inaccurate, flyway-mysql only depends on flyway-core and lombok. The remaining refs are transitive dependencies coming via pkg:maven/dependency-diff-check-service@latest?type=jar which depends on pkg:maven/dependency-diff-check-common-core@latest?type=jar.

As per the standard, only direct dependencies are expected in the dependencies block.

prabhu commented 1 year ago

@ajmalab, this is due to regex-based parsing, which I can improve. One clarification though. I don't see lombok in the gradle dependencies output at all. Any ideas how you found that out?
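
Checking a BOM's dependencies block against the build's real graph, as an added example that is not part of this issue or of cdxgen: it reads the indentation of `gradle dependencies` output with a depth stack instead of line-by-line regexes, maps coordinates to purls, and reports edges the BOM claims that the build does not have (the flyway-mysql to opentelemetry-jdbc misattribution above) as well as direct edges the BOM omits. The tree and the BOM fragment are constructed, and the `project :name` to `pkg:maven/name@latest` mapping is an assumption.

```python
"""Added example (not cdxgen's code): derive direct dependencies from
`gradle dependencies` output and audit a CycloneDX dependencies block."""
import re
# Constructed `gradle dependencies` output; the purls mirror the issue's graph.
GRADLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- project :dependency-diff-check-common-core
|    +--- org.flywaydb:flyway-mysql:9.17.0
|    |    \\--- org.flywaydb:flyway-core:9.17.0
|    \\--- io.opentelemetry:opentelemetry-jdbc:1.18.0 -> 1.19.0
\\--- org.flywaydb:flyway-core:9.17.0 (*)
"""
ROOT = "pkg:maven/dependency-diff-check-service@latest?type=jar"
NODE_RE = re.compile(r"^((?:[| ]    )*)[+\\]--- (.*)$")  # (indent, node text)

def to_purl(coord):
    """Gradle coordinate -> purl; 'a -> b' means b was the resolved version."""
    coord = re.sub(r" \([*cn]\)$", "", coord)   # drop (*) / (c) / (n) markers
    if coord.startswith("project :"):           # assumed mapping for subprojects
        return f"pkg:maven/{coord[9:]}@latest?type=jar"
    parts = coord.replace(" -> ", ":").split(":")
    return f"pkg:maven/{parts[0]}/{parts[1]}@{parts[-1]}?type=jar"

def parse_gradle_tree(text, root=ROOT):
    """Return {purl: set(direct-dependency purls)} from tree indentation, so a
    node is attached to its real parent, not to whatever line came before it."""
    deps, stack = {root: set()}, [root]         # stack[d] = parent at depth d
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:                               # headers, blank lines, legend
            continue
        depth, purl = len(m.group(1)) // 5, to_purl(m.group(2))
        del stack[depth + 1:]                   # climb back up to this depth
        deps.setdefault(purl, set())
        deps[stack[depth]].add(purl)
        stack.append(purl)
    return deps

def audit_bom(bom, expected):
    """Edges the BOM claims but the build lacks, and direct edges the BOM omits."""
    found = {d["ref"]: set(d.get("dependsOn", [])) for d in bom["dependencies"]}
    spurious = [(r, d) for r, ds in found.items() for d in sorted(ds - expected.get(r, set()))]
    missing = [(r, d) for r, ds in expected.items() for d in sorted(ds - found.get(r, set()))]
    return {"spurious": spurious, "missing": missing}

# Constructed BOM fragment reproducing the misattribution reported in the issue.
FM = "pkg:maven/org.flywaydb/flyway-mysql@9.17.0?type=jar"
FC = "pkg:maven/org.flywaydb/flyway-core@9.17.0?type=jar"
OTEL = "pkg:maven/io.opentelemetry/opentelemetry-jdbc@1.19.0?type=jar"
BAD_BOM = {"dependencies": [{"ref": FM, "dependsOn": [FC, OTEL]}]}
```

`audit_bom(BAD_BOM, parse_gradle_tree(GRADLE_TREE))` flags only the flyway-mysql to opentelemetry-jdbc edge as spurious; the version-conflict arrow and the `(*)` marker in the tree are handled rather than fed into the purl.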

prabhu commented 1 year ago

@ajmalab Could you test https://github.com/CycloneDX/cdxgen/tree/fix/issue-318

For some reason, GitHub is failing with an HTTP error when trying to create a PR

ajmalab commented 1 year ago

@prabhu Good point, I verified the direct dependencies from Maven. But you're right, it does not show up in the dependencies task output, since Lombok is one of those dependencies that have a 'PROVIDED' scope, meaning it's expected to be provided from the service. So as far as cdxgen is concerned, it shouldn't be seeing Lombok :)

ajmalab commented 1 year ago

Tested the main branch, issue seems fixed. Thank you!

prabhu commented 1 year ago

> @prabhu Good point, I verified the direct dependencies from Maven. But you're right, it does not show up in the dependencies task output, since Lombok is one of those dependencies that have a 'PROVIDED' scope, meaning it's expected to be provided from the service. So as far as cdxgen is concerned, it shouldn't be seeing Lombok :)

Interesting. Is there a way to detect these provided scoped packages? "No nuts or gluten" must go unreported if possible.

ajmalab commented 1 year ago

I'm sorry, perhaps I didn't word it clearly. A dependency with a 'PROVIDED' scope is expected to be provided from the service, but I hadn't added Lombok to the service manually, so it makes sense that it didn't show up. In other words, Lombok is a requirement for flyway, but not shipped with it as a dependency and expects the service owner to add it as a direct dependency to their project.

prabhu commented 1 year ago

https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope

It must be available at compile time. Scary that Gradle has no way to make it available, so tools are underreporting here. Imagine a supply chain attack against a library with provided scope.