CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Changes to 'createJarBom' break single-module Gradle project when running multi-language #479

Closed malice00 closed 1 year ago

malice00 commented 1 year ago

While working on the final issues for Gradle projects, I rebased to the latest master branch and started getting problems.

On multi-project Gradle projects, I get a warning that there is a component under metadata.component.components with the same data as the one in metadata.component:

===== WARNINGS =====
[
  'Found parent component with name fineract in metadata.component.components'
]

Then again, in another test-project, it doesn't complain, but there is this new entry:

        {
          "group": "",
          "name": "android",
          "version": "latest",
          "type": "application",
          "bom-ref": "pkg:maven/android@latest",
          "purl": "pkg:maven/android@latest"
        }

When running a single sub-project in Gradle, I do not get any warning (I seem to remember I had some at some point...), but the component that was written in metadata.component for the Gradle project is now overwritten with a similar component -- but since the bom-ref is different, all dependencies are referencing the wrong component!

I have been able to trace it back to a commit for 'evinse' (#472), where the 'createJarBom'-method was changed to work with a 'parentComponent', which was initialized with 'createDefaultParentComponent'. Unfortunately, I didn't notice when writing #470, but it seems for multi-project Gradle, the warning can just be ignored. Still, it would probably be a good idea to take a look at this and fix it.

Also: when I add -t gradle to my command, cdxgen doesn't scan for JARs, so then all is fine!

prabhu commented 1 year ago

@malice00 Nice find! Is there a test project to reproduce this? We need to filter the metadata.component.components for anything that matches the metadata.component before adding here.

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L350

Also, note these warnings were added to catch bugs like this.

https://github.com/CycloneDX/cdxgen/blob/master/validator.js#L90

malice00 commented 1 year ago

@prabhu I can probably commit and push my current work soon, then you'd have a test. Just want to make sure most of it works, otherwise you'd be looking through code that will most likely change a lot still... :-)

I can now also reproduce the warning on the single project: I forgot to add a parameter for Gradle. Weird though that without it, the bom-ref appears to be valid, although it is never written in the SBOM...

===== WARNINGS =====
[ 'Invalid ref in dependencies pkg:gradle/Test/app@1.0.0?type=jar' ]

Edit: And before you ask: yes, I have changed the type to 'gradle' to make it easier for me to find my changes. I'm not sure if we should leave it that way, but it does show that these are not your average Maven JARs (e.g. you could filter them to not be sent to OSS Index & others during vulnerability checks). Also, afaik Gradle doesn't even necessarily force you to write Java projects, so the default purl currently generated (with 'jar' in it) is probably also something that could/should be changed.

prabhu commented 1 year ago

As per purl, maven is the type for all jars. However, bom-ref could be any string, including a bom-link (which might exist in a different document).

prabhu commented 1 year ago

@malice00 Could you try using this commit?

https://github.com/CycloneDX/cdxgen/commit/3cc201873d172849ba472687a5345643ee28d1b7

malice00 commented 1 year ago

@prabhu That commit actually made it worse: now all of Gradle's sub-projects are gone!

I added some output when the Gradle-part in cdxgen is done, and this is what the parentComponent looks like (partially, it's very big):

{
  "name": "Test",
  "type": "application",
  "group": "",
  "version": "latest",
  "properties": [
    {
      "name": "buildFile",
      "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android/build.gradle"
    },
    {
      "name": "projectDir",
      "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
    },
    {
      "name": "rootDir",
      "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
    }
  ],
  "purl": "pkg:gradle/Test@latest?type=jar",
  "bom-ref": "pkg:gradle/Test@latest?type=jar",
  "components": [
    {
      "name": "app",
      "type": "application",
      "group": "Test",
      "version": "1.0.0",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android/app/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android/app"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test/app@1.0.0?type=jar",
      "bom-ref": "pkg:gradle/Test/app@1.0.0?type=jar"
    },
    {
      "name": "criusm_ssl-pinning",
      "type": "application",
      "group": "Test",
      "version": "latest",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/node_modules/@criusm/ssl-pinning/android/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/node_modules/@criusm/ssl-pinning/android"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar",
      "bom-ref": "pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar"
    },
... and more sub-components ...

Then the jar-parser kicks in:

Parsing /home/roland/test/android/gradle/wrapper/gradle-wrapper.jar

And finally the SBOM gets validated and printed:

===== WARNINGS =====
[
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/app@1.0.0?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-version-number@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-webview@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/rn-qr-generator@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/app@1.0.0?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-version-number@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-webview@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/rn-qr-generator@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-version-number@latest?type=jar',
  ... 2 more items
]
    "component": {
      "name": "Test",
      "type": "application",
      "group": "",
      "version": "latest",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/roland.asmann@itsv.at/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test@latest?type=jar",
      "bom-ref": "pkg:gradle/Test@latest?type=jar",
      "components": []
    }

You can actually reproduce this with the current master-branch of cdxgen and fineract -- put a console.log on line 1489 to see the parentComponent: console.log(JSON.stringify(parentComponent, null, 2)); and check the output and generated bom.json...
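The two failure modes in this thread (a copy of the parent component sitting under metadata.component.components, and dependency refs that no longer resolve once the jar step has replaced the parent with a differently keyed component) can be modelled in a few lines. The following is an added example, not cdxgen's own validator or index.js code: `collectBomRefs`, `validateBom`, `dropParentFromChildren` and `buildBom` are names chosen here, and the fixture BOM is constructed to mirror the shapes posted above (the `pkg:maven/Test@latest` bom-ref on the overwritten parent is assumed, not taken from the thread). `validateBom` reproduces the warning texts quoted in the thread; `dropParentFromChildren` is the filtering prabhu suggests before the sub-components are attached.

```javascript
// Added example (not cdxgen's code). Field names follow the CycloneDX JSON
// schema; function names and all fixture values are constructed for this example.

// Collect every bom-ref declared in the document: metadata.component, its nested
// components, and the top-level components array.
function collectBomRefs(bom) {
  const refs = new Set();
  const walk = (comp) => {
    if (!comp) return;
    if (comp['bom-ref']) refs.add(comp['bom-ref']);
    for (const child of comp.components || []) walk(child);
  };
  walk((bom.metadata || {}).component);
  for (const c of bom.components || []) walk(c);
  return refs;
}

// Same identity test for "is this sub-component really the parent?" in both places,
// so the check and the fix cannot drift apart. Missing group is treated as ''.
function sameComponent(a, b) {
  return a.name === b.name && (a.group || '') === (b.group || '') && a.version === b.version;
}

// Mirrors the two warnings quoted in the thread: a parent duplicated under its own
// components, and dependency refs that do not resolve to any bom-ref in the document.
function validateBom(bom) {
  const warnings = [];
  const parent = (bom.metadata || {}).component;
  if (parent) {
    for (const child of parent.components || []) {
      if (sameComponent(child, parent)) {
        warnings.push(`Found parent component with name ${parent.name} in metadata.component.components`);
      }
    }
  }
  const refs = collectBomRefs(bom);
  for (const dep of bom.dependencies || []) {
    if (!refs.has(dep.ref)) warnings.push(`Invalid ref in dependencies ${dep.ref}`);
    for (const d of dep.dependsOn || []) {
      if (!refs.has(d)) warnings.push(`Invalid ref in dependencies.dependsOn ${d}`);
    }
  }
  return warnings;
}

// The fix discussed above: filter metadata.component.components for anything that
// matches metadata.component itself before the sub-components are attached.
function dropParentFromChildren(parent) {
  return { ...parent, components: (parent.components || []).filter((c) => !sameComponent(c, parent)) };
}

// Constructed fixture: a Gradle root project with one sub-project, plus a stray
// copy of the root under its own components (the first symptom in the thread).
const gradleParent = {
  name: 'Test', group: '', version: 'latest', type: 'application',
  purl: 'pkg:gradle/Test@latest?type=jar', 'bom-ref': 'pkg:gradle/Test@latest?type=jar',
  components: [
    { name: 'app', group: 'Test', version: '1.0.0', type: 'application',
      purl: 'pkg:gradle/Test/app@1.0.0?type=jar', 'bom-ref': 'pkg:gradle/Test/app@1.0.0?type=jar' },
    { name: 'Test', group: '', version: 'latest', type: 'application',
      purl: 'pkg:gradle/Test@latest?type=jar', 'bom-ref': 'pkg:gradle/Test@latest?type=jar' },
  ],
};

// Dependency graph wired to the Gradle bom-refs.
const dependencies = [
  { ref: 'pkg:gradle/Test@latest?type=jar', dependsOn: ['pkg:gradle/Test/app@1.0.0?type=jar'] },
  { ref: 'pkg:gradle/Test/app@1.0.0?type=jar', dependsOn: [] },
];

// Second symptom: the jar step has replaced the parent with a default component that
// carries a different bom-ref and no sub-projects, while dependencies still point at
// the Gradle refs. The maven-style bom-ref here is assumed for the example.
const overwrittenParent = {
  name: 'Test', group: '', version: 'latest', type: 'application',
  purl: 'pkg:maven/Test@latest', 'bom-ref': 'pkg:maven/Test@latest', components: [],
};

function buildBom(parent) {
  return { bomFormat: 'CycloneDX', specVersion: '1.4', metadata: { component: parent }, components: [], dependencies };
}

// Stand-alone run: show the warnings for each scenario.
console.log('duplicate parent:', validateBom(buildBom(gradleParent)));
console.log('after filtering: ', validateBom(buildBom(dropParentFromChildren(gradleParent))));
console.log('overwritten parent:', validateBom(buildBom(overwrittenParent)));
```

The third scenario is the one that matters for downstream consumers: every `dependencies[].ref` and `dependsOn` entry must resolve to a `bom-ref` in the same document, otherwise a tool such as Dependency-Track cannot attach the graph to the right component, which is why the invalid-ref warnings above are worth treating as errors in CI rather than noise.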

prabhu commented 1 year ago

@malice00 Bringing back sub-projects turned out to be easy. However, getting fineract to validate is going to take some time. Will first get fineract working then we can test our repo with the fix.

Could you join discord so that we can collaborate easily?

prabhu commented 1 year ago

@malice00 could you try this PR #481 branch?

https://github.com/CycloneDX/cdxgen/pull/481

malice00 commented 1 year ago

Could you join discord so that we can collaborate easily?

I'll set it up tonight when I get home.