anchore / sbom-action

GitHub Action for creating software bill of materials using Syft.
Apache License 2.0

old maven dependencies that have moved to a new group are reported incorrectly. #425

Open tspascoal opened 1 year ago

tspascoal commented 1 year ago

When a maven package is moved to a different group, the new group is reported instead of the used one (even though the old one still exists).

See this repro repository that is using the sbom action to report the dependencies.

The dependency being used is mysql:mysql-connector-java:5.1.36

However, this package has been moved to another place, which only has versions > 8.0.31.

If we run ./gradlew app:dependencies

I can see the dependency is correctly identified:

implementation - Implementation only dependencies for null/main. (n)
+--- com.google.guava:guava:32.1.1-jre (n)
+--- com.webauthn4j:webauthn4j-spring-security-core:0.8.0.RELEASE (n)
\--- mysql:mysql-connector-java:5.1.36 (n)

However, it's submitted to the GitHub dependency submission API as com.mysql.jdbc:mysql-connector-java (notice the new groupId com.mysql.jdbc).

[image]

This seems consistent with the SBOM (snippet with some parts cut)

{
   "name": "mysql-connector-java",
   "SPDXID": "SPDXRef-Package-java-archive-mysql-connector-java-f8ab65f985cd53a0",
   "versionInfo": "5.1.36",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "6bb5861f44c21c775ee713a438e5bc493c095f7a"
    }
   ],
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector-java:mysql-connector-java:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql_connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },

    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:jdbc:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:maven/com.mysql.jdbc/mysql-connector-java@5.1.36"
    }

Notice that the SECURITY nodes reference mysql_connector; however, PACKAGE-MANAGER has the new groupId maven/com.mysql.jdbc/mysql-connector-java@5.1.36 (for which version 5.1.3 is not even visible in Maven Central).

spiffcs commented 3 months ago

We found that syft is technically correct here given that it's reading the groupID from the manifest of 5.1.36. These would not retroactively change given the repository's move. The solution here is to have the ability for syft to check all discovered Java assets' fingerprints against their current maven state and then reconcile that delta. Preferably, it would prefer the most current maven information over what was read on disk.

This requires an update in syft and is not technically related to the performance/implementation of the SBOM action.
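The mismatch the issue reports, and the explanation above of where the groupId comes from, can be checked in CI today with a reconciliation step that compares what the build declares against what the jar says about itself. The following is an added example written for this thread; it is not code from syft, sbom-action or the reporter. It constructs its own inputs: an in-memory jar carrying a Maven pom.properties with the old groupId (the assumption being that the jar embeds its coordinates under META-INF/maven/<groupId>/<artifactId>/pom.properties; the real mysql-connector-java 5.1.36 jar is not inspected), the Gradle dependency tree quoted in the issue, and a minimal SPDX document generated from the jar's own metadata. All function names are hypothetical helpers of this example.

```python
"""Flag Maven packages whose SBOM purl carries a different groupId than the build
declares for the same artifactId and version (added example, constructed inputs)."""
import io
import zipfile
from typing import Dict, List, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

# Gradle output as quoted in the issue, reused here as constructed sample input.
GRADLE_TREE = """\
implementation - Implementation only dependencies for null/main. (n)
+--- com.google.guava:guava:32.1.1-jre (n)
+--- com.webauthn4j:webauthn4j-spring-security-core:0.8.0.RELEASE (n)
\\--- mysql:mysql-connector-java:5.1.36 (n)
"""


def build_jar_with_pom_properties(group_id: str, artifact_id: str, version: str) -> bytes:
    """Constructed fixture: a minimal jar whose only Maven metadata is pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                    f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
    return buf.getvalue()


def coordinates_from_jar(jar_bytes: bytes) -> List[Coord]:
    """Recover coordinates from embedded pom.properties, i.e. what is read from disk."""
    found: List[Coord] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def purl_from_coordinates(coord: Coord) -> str:
    group_id, artifact_id, version = coord
    return f"pkg:maven/{group_id}/{artifact_id}@{version}"


def parse_maven_purl(purl: str) -> Coord:
    """pkg:maven/<group>/<artifact>@<version>[?qualifiers] -> (group, artifact, version)."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError(f"not a Maven purl: {purl}")
    path, _, version = purl[len("pkg:maven/"):].partition("@")
    group_id, _, artifact_id = path.rpartition("/")
    return group_id, artifact_id, version.split("?", 1)[0]


def parse_gradle_tree(tree: str) -> Dict[Tuple[str, str], str]:
    """Map (artifactId, resolved version) -> groupId from `gradle dependencies` output."""
    declared: Dict[Tuple[str, str], str] = {}
    for line in tree.splitlines():
        if "---" not in line:
            continue  # configuration header lines carry no coordinate
        tokens = line.split("---", 1)[1].split()
        parts = tokens[0].split(":")
        if len(parts) != 3:
            continue
        group_id, artifact_id, version = parts
        if len(tokens) >= 3 and tokens[1] == "->":
            version = tokens[2]  # Gradle prints "g:a:1.0 -> 1.1" after conflict resolution
        declared[(artifact_id, version)] = group_id
    return declared


def spdx_from_coordinates(coords: List[Coord]) -> dict:
    """Minimal SPDX 2.x JSON with one purl externalRef per package, as a scanner would emit."""
    return {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": a, "versionInfo": v, "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": purl_from_coordinates((g, a, v))}]}
        for g, a, v in coords]}


def find_group_mismatches(declared: Dict[Tuple[str, str], str], spdx: dict) -> List[Tuple[str, str, str, str]]:
    """(artifactId, version, declared groupId, SBOM groupId) where only the groupId differs."""
    mismatches = []
    for pkg in spdx.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl" or not ref["referenceLocator"].startswith("pkg:maven/"):
                continue
            group_id, artifact_id, version = parse_maven_purl(ref["referenceLocator"])
            declared_group = declared.get((artifact_id, version))
            if declared_group is not None and declared_group != group_id:
                mismatches.append((artifact_id, version, declared_group, group_id))
    return mismatches


def demo() -> List[Tuple[str, str, str, str]]:
    """End-to-end reproduction of the issue on the constructed inputs."""
    jar = build_jar_with_pom_properties("com.mysql.jdbc", "mysql-connector-java", "5.1.36")
    spdx = spdx_from_coordinates(coordinates_from_jar(jar))
    return find_group_mismatches(parse_gradle_tree(GRADLE_TREE), spdx)


if __name__ == "__main__":
    for artifact_id, version, gradle_group, sbom_group in demo():
        print(f"{artifact_id}@{version}: build declares {gradle_group}, SBOM says {sbom_group}")
```

The key lookup is on (artifactId, version) rather than the full purl, which is exactly what surfaces the delta: both sides agree on name and version, and only the groupId read from inside the jar differs from the coordinate the build resolved. A mismatch list that is non-empty is the signal to prefer the build tool's coordinates when submitting to the dependency graph, or at least to verify which groupId the advisory database actually keys on.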