Open jrevillard opened 2 years ago
Ok I know why. The library that is used to interpret the purls does not take into account gradle
as stated here: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
I replace gradle by maven before uploading and it works.
Best, Jerome
Hello,
The spec does indeed only reference maven as a known purl type, but the lib packageurl-java successfully parses purls with the gradle type.
Since Gradle and Maven target the same repositories, I think that it would be interesting if the translation between package url types (gradle -> maven) could be automatically performed by Dependency Track when requesting vulnerability databases like OSS Index or GHSA.
Current Behavior:
I have 2 projects with some common components: one managed by maven and another one managed by gradle. The project managed by maven reports vulnerabilities and the one managed by gradle does not.
Steps to Reproduce:
Build the same project with maven and gradle and generate the SBOM (I'm using GitLab CI gemnasium-maven).
Expected Behavior:
The two projects must report the same vulnerabilities for the same component
Environment:
Additional Details:
Here is a snapshot which shows the difference:
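The gradle -> maven translation proposed above, as an added example that is not part of the original issue and not Dependency-Track's or packageurl-java's own code: a small purl parser/serialiser following the purl-spec grammar, with an assumed alias table that maps `gradle` to `maven` before a vulnerability-database lookup, so SBOMs from either build tool resolve to the same component.

```python
from urllib.parse import quote, unquote

# Assumed mapping, as proposed in the issue; not Dependency-Track's own table.
TYPE_ALIASES = {"gradle": "maven"}

def parse_purl(purl: str) -> dict:
    """Split a purl into its parts: pkg:type/namespace/name@version?quals#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: " + purl)
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath is everything after '#'
    rest, _, qualifiers = rest.partition("?")   # qualifiers sit between '?' and '#'
    rest, _, version = rest.partition("@")      # version sits between '@' and '?'
    ptype, _, path = rest.partition("/")
    *namespace, name = path.split("/")          # last segment is the name
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(seg) for seg in namespace) or None,
        "name": unquote(name),
        "version": unquote(version) or None,
        "qualifiers": quals,
        "subpath": unquote(subpath) or None,
    }

def build_purl(p: dict) -> str:
    """Serialise parsed parts back into canonical purl form (sorted qualifiers)."""
    out = "pkg:" + p["type"] + "/"
    if p["namespace"]:
        out += "/".join(quote(s, safe="") for s in p["namespace"].split("/")) + "/"
    out += quote(p["name"], safe="")
    if p["version"]:
        out += "@" + quote(p["version"], safe="")
    if p["qualifiers"]:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p["qualifiers"].items()))
    if p["subpath"]:
        out += "#" + quote(p["subpath"], safe="/")
    return out

def normalise_type(purl: str) -> str:
    """Return the purl with an aliased type (e.g. gradle) replaced by its canonical type."""
    parts = parse_purl(purl)
    parts["type"] = TYPE_ALIASES.get(parts["type"], parts["type"])
    return build_purl(parts)

def same_component(purl_a: str, purl_b: str) -> bool:
    """True when two purls name the same component once type aliases are resolved."""
    return normalise_type(purl_a) == normalise_type(purl_b)
```

Running the normalisation on every purl in the SBOM before querying OSS Index or GHSA is what makes the Gradle-built and Maven-built projects report the same findings for a shared component.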