CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

add skip copy-dependencies parameters #970

Open evyaroshevich opened 2 months ago

evyaroshevich commented 2 months ago

In the cdxgen update, a new function, mvn dependency:copy-dependencies, was added after the makeAggregateBom task. This addition has completely broken my pipelines because makeAggregateBom was working with the pom.xml file and did not require project compilation. However, now, for copy-dependencies, project compilation is sometimes necessary when one module depends on the JAR of another module.

Another issue is that if I place cdxgen after the build step in the pipeline, copy-dependencies will already be executed there, and cdxgen will redundantly execute copy-dependencies again.

Furthermore, the general additional parameters, MVN_ARGS, sometimes do not fit the purposes of makeAggregateBom and copy-dependencies. They sometimes require different parameters for their own purposes.

prabhu commented 2 months ago

@evyaroshevich copy-dependencies is invoked only in deep or resolve class mode.

https://github.com/CycloneDX/cdxgen/blob/083f8a6719a83c1d3d40066677242984b08258a8/index.js#L1233

Could you troubleshoot and find out from where it is getting invoked?

prabhu commented 2 months ago

@evyaroshevich any updates?

evyaroshevich commented 2 months ago

@prabhu I am not using the 'deep' or 'resolve class mode' parameters. After some debugging, I discovered that 'mvn dependency:copy-dependencies' was being triggered due to the '--include-crypto' parameter.

prabhu commented 2 months ago

@evyaroshevich good finding. Any ideas on how we can make the copy-dependencies work for your project?

evyaroshevich commented 2 months ago

@prabhu In my project, for now, I simply removed the '--include-crypto' parameter to maintain the pipeline's functionality. It's quite strange that this specific parameter triggered the 'copy-dependency' step.

I'm trying to place 'cdxgen' in the pipeline before the project build because a significant number of files are generated after the build process, which causes 'cdxgen' to take a long time or even hang. I'm not sure if relying solely on specific files (pom.xml, yarn.lock, package-lock.json, nuget.config, etc.) is a good idea, but I'm considering it as an option.

prabhu commented 2 months ago

@evyaroshevich, --include-crypto is part of the new CBOM feature. As such, it requires the project to be built and the dependencies copied for a successful data-flow analysis. It's a good idea to remove this option if you are not interested in CBOMs.

cdxgen is optimized for the build lifecycle. We support pre-build for some ecosystems like JavaScript, Python, dotnet, etc., when a valid lock file is present. The best place to run cdxgen is after performing the build or restore step. You can always play with the -t or --exclude argument to limit the SBOM generation to specific language types or directories.