CycloneDX / cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://cyclonedx.org/
Apache License 2.0

"components" entries missing a few jars that are in WEB-INF/lib/ #202

Open juliusmusseau opened 2 years ago

juliusmusseau commented 2 years ago

Hi !

I'm using this public repository to test things: https://github.com/gsylvie/madness

After running "mvn install" from the "sub8" sub-directory, I'm finding a small disagreement between the generated "bom.json" and the actual jars in the built war!

In particular, the war has the following files, which are not mentioned within the "components" section of the sbom:

  commons-codec-1.15.jar
  httpcore-4.4.13.jar
  inoculator-1.0-SNAPSHOT.jar
  joda-time-2.10.6.jar

I've carefully lined up the listings here in these two files:

  1. https://github.com/gsylvie/madness/blob/master/samples/war-web-inf-lib.txt
  2. https://github.com/gsylvie/madness/blob/master/samples/cyclone-dx-components.txt

The generated "bom.json" is here:

  1. https://github.com/gsylvie/madness/blob/master/samples/sub8_war_target_bom.json

(But of course you can also "git clone" and "mvn install" to generate it, too! That works as well!)

stevespringett commented 2 years ago

"madness" is an excellent name for that project.

FYI, I had to modify the nodeVersion defined in sub8/mbux/pom.xml to something more modern. In my case v16.17.0 so that Node would be installed properly on an M1 Mac.

I think I've replicated the issue. pkg:maven/commons-codec/commons-codec@1.15?type=jar for example shows up in the dependsOn section of the BOM, but not in the components, which is really odd. Is this what you're seeing?

mr-zepol commented 1 year ago

@stevespringett @juliusmusseau I was trying to replicate the issue, but the sbom generated has the missing components mentioned here. I checked what changes were done since you posted this and I only see some version upgrades; maybe it's related to the maven version? I am using 3.8.1.

ybiancheri commented 1 year ago

I have the same issue on my application which is based on spring-boot.

It is a multimodule maven project which inherits from spring-boot-starter-parent.

Technical environment:

In the generated bom I have 12 components while the dependencies section has 115. In the application's BOOT-INF/lib I can count 104 jars.

If I invoke mvn dependency:tree I find 115 dependencies after excluding test dependencies.

How can I help in resolving this?

Annex:

$ mvn --version
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /home/ybiancher/bin/maven
Java version: 11.0.17, vendor: Red Hat, Inc., runtime: /usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.fc36.x86_64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.10.102.1-microsoft-standard-wsl2", arch: "amd64", family: "unix"
$ cat xappli-frontserver/target/bom.json | jq '.components | length'
12
$ cat xappli-frontserver/target/bom.json | jq '.dependencies | length'
115

Gayanvir commented 1 year ago

I have the same issue. We have some war dependencies in our Maven projects. Those wars contain some jar files. The SBOM doesn't get those jar files. What I noticed is that components are only created for artifacts with 'jar' type, here: https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/3d1660349af9529865979a3ddb9a147879affbc7/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L197 This seems to be the problem. It should support other file types. One additional check can be added there: if the type is not jar, then it should check the pom and check if it has dependencies. If there are dependencies, it should be added as a component.
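The two symptoms reported in this thread (jars present in WEB-INF/lib or BOOT-INF/lib that have no "components" entry, and "dependsOn" refs that point at nothing in "components", as in the jq counts above) can both be caught with a consistency check over the generated bom.json. The script below is an added example for this discussion, not code from cyclonedx-maven-plugin or from any of the commenters; the BOM and the lib listing embedded in it are constructed sample data shaped like the commons-codec / httpcore case described above, and the purl-to-jar-name mapping assumes the default Maven naming (artifactId-version.jar, no classifier).

```python
"""Cross-check a CycloneDX bom.json against the jars actually shipped in a war.

Added example for this issue thread; not part of cyclonedx-maven-plugin.
Two checks:
  1. every ref named in the "dependencies" section has a matching "components"
     entry (or is the root component from "metadata");
  2. every jar in the WEB-INF/lib (or BOOT-INF/lib) listing is described by a
     component whose purl maps to that artifactId-version.jar.
The BOM and the lib listing below are constructed sample data that mimic the
shape of the report in this issue (dependsOn refs with no component).
"""
import json
import re
from urllib.parse import unquote

# Constructed sample BOM: commons-codec and httpcore appear only in "dependencies".
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:maven/com.example/sub8@1.0?type=war"}},
    "components": [
        {"bom-ref": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar",
         "purl": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar"},
        {"bom-ref": "pkg:maven/joda-time/joda-time@2.10.6?type=jar",
         "purl": "pkg:maven/joda-time/joda-time@2.10.6?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/sub8@1.0?type=war",
         "dependsOn": ["pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar",
                       "pkg:maven/joda-time/joda-time@2.10.6?type=jar"]},
        {"ref": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar",
         "dependsOn": ["pkg:maven/commons-codec/commons-codec@1.15?type=jar",
                       "pkg:maven/org.apache.httpcomponents/httpcore@4.4.13?type=jar"]},
        {"ref": "pkg:maven/commons-codec/commons-codec@1.15?type=jar", "dependsOn": []},
        {"ref": "pkg:maven/org.apache.httpcomponents/httpcore@4.4.13?type=jar", "dependsOn": []},
        {"ref": "pkg:maven/joda-time/joda-time@2.10.6?type=jar", "dependsOn": []},
    ],
})

# Constructed sample listing, e.g. the output of `unzip -l app.war | grep WEB-INF/lib`.
SAMPLE_LIB_LISTING = """\
commons-codec-1.15.jar
httpclient-4.5.13.jar
httpcore-4.4.13.jar
joda-time-2.10.6.jar
"""

# Maven purl: pkg:maven/<groupId>/<artifactId>@<version>?<qualifiers>
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")


def purl_to_jar_name(purl):
    """Map a Maven purl to the default jar file name (assumption: no classifier)."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return f"{unquote(m['artifact'])}-{unquote(m['version'])}.jar"


def dangling_dependency_refs(bom):
    """Refs used in 'dependencies' that have no component (and are not the root)."""
    known = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        known.add(root)
    referenced = set()
    for dep in bom.get("dependencies", []):
        referenced.add(dep["ref"])
        referenced.update(dep.get("dependsOn", []))
    return sorted(referenced - known)


def jars_missing_from_components(bom, lib_listing):
    """Shipped jars (one file name per line) with no matching component purl."""
    shipped = {line.strip() for line in lib_listing.splitlines()
               if line.strip().endswith(".jar")}
    described = {purl_to_jar_name(c["purl"]) for c in bom.get("components", [])
                 if "purl" in c}
    return sorted(shipped - described)


def check_bom(bom_text, lib_listing):
    """Run both checks on a bom.json string; an empty dict means the SBOM is consistent."""
    bom = json.loads(bom_text)
    findings = {
        "dangling_refs": dangling_dependency_refs(bom),
        "undeclared_jars": jars_missing_from_components(bom, lib_listing),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for name, items in check_bom(SAMPLE_BOM, SAMPLE_LIB_LISTING).items():
        print(f"{name}:")
        for item in items:
            print(f"  {item}")
```

For a real build, replace SAMPLE_BOM with the contents of target/bom.json and SAMPLE_LIB_LISTING with the jar names from the war; a non-empty result is the discrepancy this issue describes, and the dangling refs are the purls the plugin dropped from "components" while still wiring them into the dependency graph.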