CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Discord: https://discord.gg/DP657ACYEZ
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

first level of dependencies not detected from POM #953

Open visagansanthanam-unisys opened 6 months ago

visagansanthanam-unisys commented 6 months ago

Even though the dependencies are mentioned in the POM file, the cdxgen tool did not capture any of the dependencies.

cdxgen -r -p --validate --required-only --server-url https://us-dtrack.absys.com --api-key ${APIKey} --project-name "ABCSQLJDBC" --project-version ${stream} --parent-project-id "2d78f9ea-e967-4b3b-893e-24f271d81177" -o sbom.json


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.absys.abcsql</groupId>
        <artifactId>abc-parent</artifactId>
        <version>64.0.12-SNAPSHOT</version>
    </parent>
    <!-- Artifact coordinate -->
    <artifactId>abcsqljdbc</artifactId>
    <packaging>jar</packaging>
    <!-- Artifact information -->
    <name>JDBC Driver</name>
    <description>JDBC driver for ABCSQL</description>
    <properties />
    <dependencies>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>com.absys</groupId>
            <artifactId>xlateeghbcdic</artifactId>
        </dependency>
        <dependency>
            <groupId>${project.groupId}</groupId>
            <artifactId>provider</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
            <scope>provided</scope>
        </dependency>
    </dependencies>
</project>

Adding the --deep parameter tries to pull the dependencies from the artifact store. Is there any way we can prevent it from pulling dependencies from the private repository?

prabhu commented 6 months ago

@visagansanthanam-unisys This is a difficult case since the version number is either not mentioned or uses template variables. Have you tried asking in the dependency track channel to see if anyone has a solution or scripts to deal with this?

prabhu commented 6 months ago

@visagansanthanam-unisys Some users have had luck with -t mvn-cache. Can you try that approach?

visagansanthanam-unisys commented 6 months ago

@prabhu No luck. But when I run cdxgen on a machine which does not have a valid Java and Maven version, it throws an error but identifies a few components. How does the --deep parameter work? Does it add any additional features for Maven projects?

Executing 'mvn dependency:copy-dependencies -DoutputDirectory=C:\Users\anthanV\AppData\Local\Temp\mvn-deps-HqsNB1 -U -Dmdep.copyPom=true -Dmdep.useRepositoryLayout=true -Dmdep.includeScope=compile -Dmdep.prependGroupId=false -Dmdep.stripVersion=false' in C:\projects\cdxgen\MCPSQL\mcpsql\jdbc
 'mvn' is not recognized as an internal or external command,
operable program or batch file.

Resolve the above maven error. You can try the following remediation tips:

1. Check if the correct version of maven is installed and available in the PATH.
2. Perform 'mvn compile package' before invoking this command. Fix any errors found during this invocation.
3. Ensure the temporary directory is available and has sufficient disk space to copy all the artifacts.
Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.11:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q' in C:\projects\cdxgen\MCPSQL\mcpsql\jdbc
Fallback to executing mvn dependency:tree -DoutputFile=C:\Users\anthanV\AppData\Local\Temp\cdxmvn-XspubV\mvn-tree.txt
 'mvn' is not recognized as an internal or external command,
operable program or batch file.

Resolve the above maven error. This could be due to the following:

1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible.
2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable.
3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool.

Falling back to manual pom.xml parsing. The result would be incomplete!
Atom requires Java 21 or above. To improve the SBOM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.
Alternatively, use the cdxgen container image.
Current JAVA_HOME: C:\Program Files\Microsoft\jdk-17.0.8.7-hotspot\
Slicing was not successful. For large projects (> 1 million lines of code), try running atom cli externally in Java mode. Please refer to the instructions in https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md.
NOTE: Atom is in detached mode and will continue to run in the background with max CPU and memory unless it's killed.
╔═══════════════════════════╤═════════════════════════════════════╤═══════════════════════════╤═════════════════╗
║ Group                     │ Name                                │                   Version │ Scope           ║
╟───────────────────────────┼─────────────────────────────────────┼───────────────────────────┼─────────────────╢
║ org.apache.commons        │ commons-io                          │                     1.3.2 │                 ║
╟───────────────────────────┼─────────────────────────────────────┼───────────────────────────┼─────────────────╢
║ javax.persistence         │ persistence-api                     │                     1.0.2 │                 ║
╟───────────────────────────┼─────────────────────────────────────┼───────────────────────────┼─────────────────╢
║ ${project.groupId}        │ jdbc-help                           │                     [60,) │                 ║
╚═══════════════════════════╧═════════════════════════════════════╧═══════════════════════════╧═════════════════╝
BOM includes 3 components and 0 dependencies

prabhu commented 6 months ago

@visagansanthanam-unisys Yes, both Java >= 20 and Maven have to be installed for cdxgen to work, so it is best to use the container image. The --deep argument adds jar file parsing for Java but needs the maven command to collect the jars for a given project.
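
A small audit of the situation prabhu describes above (dependency versions missing or written as template variables), added here as an example that is not part of this thread or of cdxgen: it parses a POM the way a fallback pass without mvn must, substitutes project.groupId and project.version from the parent, and flags every dependency that still cannot be pinned down and so will be missing or wrong in the SBOM. The sample POM is constructed from the fragment in the issue; the ${xlate.version} property is an assumed placeholder.

```python
"""Audit a Maven POM for dependencies a no-mvn fallback pass cannot pin down:
no <version> (managed by a parent POM) or unresolved ${...} placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample modelled on the POM in this issue (not the reporter's full file).
# ${xlate.version} is an assumed, intentionally undefined property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.absys.abcsql</groupId><artifactId>abc-parent</artifactId>
    <version>64.0.12-SNAPSHOT</version></parent>
  <artifactId>abcsqljdbc</artifactId>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
    <dependency><groupId>${project.groupId}</groupId><artifactId>provider</artifactId>
      <version>${project.version}</version></dependency>
    <dependency><groupId>com.absys</groupId><artifactId>xlateeghbcdic</artifactId>
      <version>${xlate.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-io</artifactId>
      <version>1.3.2</version></dependency>
  </dependencies>
</project>"""

def text(el, tag):
    """Text of a namespaced child element, or None if absent."""
    child = el.find(f"m:{tag}", NS) if el is not None else None
    return child.text.strip() if child is not None and child.text else None

def audit_pom(pom_xml):
    """Return (group:artifact, version, status) for each declared dependency."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent", NS)
    # Effective coordinates: a child POM inherits groupId/version from its parent.
    props = {
        "project.groupId": text(root, "groupId") or text(parent, "groupId"),
        "project.version": text(root, "version") or text(parent, "version"),
    }
    def resolve(value):  # substitute known properties, leave unknown ones in place
        if value is None:
            return None
        return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group, artifact, version = (resolve(text(dep, t)) for t in ("groupId", "artifactId", "version"))
        if version is None:
            status = "MISSING_VERSION"  # managed by the parent; only mvn can resolve it
        elif PLACEHOLDER.search(version) or PLACEHOLDER.search(group or ""):
            status = "UNRESOLVED_PLACEHOLDER"  # property not defined in this POM
        else:
            status = "OK"
        findings.append((f"{group}:{artifact}", version, status))
    return findings
```

Anything other than OK in the output marks a component that the "manual pom.xml parsing" fallback will report incompletely, which is the gap to close before trusting the SBOM uploaded to Dependency Track.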