CycloneDX / cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://cyclonedx.org/
Apache License 2.0

Dependencies incorrectly reported with respect to `maven-dependency-plugin` #418

Closed algomaster99 closed 1 year ago

algomaster99 commented 1 year ago

Hi! We talked about Challenges of Producing Software Bill Of Materials for Java today, and I investigated again why some dependencies were wrongly reported compared to maven-dependency-plugin. I found the following reasons.

Dependencies under dependencyManagement

Consider undertow, the maven dependency tree plugin doesn't report io.undertow:undertow-benchmarks:2.32.2.Final as a dependency, but cyclonedx-maven-plugin does. Probably because it is under dependencyManagement?

Dependencies declared as a submodule

Consider javaparser, the maven dependency tree plugin doesn't report com.github.javaparser:javaparser-symbol-solver-testing:3.15.15 as a dependency, but cyclonedx-maven-plugin does because it aggregates modules and shows it under the components in the SBOM.

I think we also saw at the discussion after dinner

Dependencies under exclusion are also considered

In webcam-capture, dependency core-audio has been excluded, however, it is reported under components in the SBOM.

Independent submodules

Independent submodules are also reported as a component, but they are not a dependency. For example, see this dependency - https://github.com/search?q=repo%3Asarxos%2Fwebcam-capture+webcam-capture-driver-vlcj&type=code. Classifier: bundle.

This also happens with jenkins. SBOM reports org.jenkins-ci.main:jenkins-coverage which is an independent submodule but it has classifier pom.

No clue

In accumulo, two artifacts are reported that have pom classifiers, under components.

I am not sure where they are in the repository based on Ctrl + F in the repository.
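As an added example (not from the issue or from the plugin itself), a small Python check that lists components a CycloneDX JSON SBOM contains but `mvn dependency:list` did not resolve, which is where dependencyManagement-only entries, excluded artifacts and aggregated submodules show up. The SBOM and the dependency list below are constructed samples, and the `[INFO] group:artifact:packaging[:classifier]:version:scope` line shape is the assumed output format.

```python
import json
import re

# Constructed CycloneDX JSON sample (not a real generated SBOM); the jenkins-coverage
# version and the xnio-api entry below are made up for illustration.
SAMPLE_BOM = json.dumps({"components": [
    {"type": "library", "group": "io.undertow", "name": "undertow-core",
     "version": "2.32.2.Final"},
    {"type": "library", "group": "io.undertow", "name": "undertow-benchmarks",
     "version": "2.32.2.Final"},
    {"type": "library", "group": "org.jenkins-ci.main", "name": "jenkins-coverage",
     "version": "1.0"},
]})

# Constructed lines in the assumed `mvn dependency:list` format.
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    io.undertow:undertow-core:jar:2.32.2.Final:compile
[INFO]    org.jboss.xnio:xnio-api:jar:3.8.8.Final:compile
"""

# group:artifact:packaging[:classifier]:version:scope, optionally followed by extra text
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+(?::[^:\s]+)?:([^:\s]+):[a-z]+(?:\s.*)?$")


def resolved_coordinates(dependency_list_output: str) -> set:
    """Return (group, artifact, version) triples Maven actually resolved."""
    found = set()
    for line in dependency_list_output.splitlines():
        m = DEP_LINE.match(line)
        if m:
            found.add((m.group(1), m.group(2), m.group(3)))
    return found


def sbom_coordinates(bom_json: str) -> set:
    """Return (group, name, version) triples for every component in the SBOM."""
    bom = json.loads(bom_json)
    return {(c.get("group", ""), c["name"], c.get("version", ""))
            for c in bom.get("components", [])}


def unresolved_components(bom_json: str, dependency_list_output: str) -> list:
    """Components present in the SBOM but absent from the resolved dependency list."""
    return sorted(sbom_coordinates(bom_json) - resolved_coordinates(dependency_list_output))


if __name__ == "__main__":
    for g, a, v in unresolved_components(SAMPLE_BOM, SAMPLE_DEPENDENCY_LIST):
        print(f"in SBOM but not resolved by Maven: {g}:{a}:{v}")
```

Anything the script lists deserves a look: it is either over-reporting in the SBOM or a dependency the build resolves in a way `dependency:list` does not show.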

algomaster99 commented 1 year ago