While trying jbom we have noticed that it might report faulty version information. That field might contain something that looks more like part of a file path rather than a version.
Here are steps to reproduce the issue using the latest version of the code (107a35c0c710d601afbfb4f19aaa6dcf5f41604f):
The resulting SBOM file contains the following information:
Note: the "version" : "api/pom" part was probably parsed from "value" : "<REMOVED>/sonar-scanner-api-2.10.0.1189.jar!/META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api/pom.xml" (between the last '-' and '.xml'). Similar was seen with other jar files.
We would expect to see something similar to the following instead:
There are no warnings in the log. We see similar results even when using v1.2.1.
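As an added illustration of the parsing mistake suspected above (this is example code written for this report, not jbom's own implementation), the snippet below reproduces the "between the last '-' and '.xml'" heuristic on a constructed copy of the reported path and contrasts it with extracting the Maven coordinates from the nested pom.xml path and the jar filename. The path prefix is a placeholder; the naive heuristic is the reporter's guess and is only assumed to be what the tool does.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the kind of "value" recorded for a pom.xml nested in a jar.
# The directory prefix is a placeholder (the report redacted it as <REMOVED>).
SAMPLE_VALUE = (
    "/PLACEHOLDER/sonar-scanner-api-2.10.0.1189.jar"
    "!/META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api/pom.xml"
)


def naive_version(value: str) -> str:
    """The suspected faulty heuristic: text between the last '-' and '.xml'.

    On the sample this yields "api/pom", which is what the report observed.
    """
    tail = value[value.rfind("-") + 1:]
    return tail[:-len(".xml")] if tail.endswith(".xml") else tail


# A plausible version string: digits and dots, optionally followed by
# qualifiers such as -SNAPSHOT or .Final. Anything containing '/' is rejected.
VERSION_RE = re.compile(r"^\d+(\.\d+)*([.-][A-Za-z0-9]+)*$")


def looks_like_version(candidate: str) -> bool:
    """Cheap sanity check a tool can apply before emitting a 'version' field."""
    return VERSION_RE.match(candidate) is not None


@dataclass
class MavenCoords:
    group_id: str
    artifact_id: str
    version: Optional[str]  # None when the jar name does not reveal it


# Nested pom path layout: <jar>!/META-INF/maven/<groupId>/<artifactId>/pom.xml
POM_PATH_RE = re.compile(
    r"^(?P<jar>.*\.jar)!/META-INF/maven/(?P<g>[^/]+)/(?P<a>[^/]+)/pom\.xml$"
)


def parse_coords(value: str) -> Optional[MavenCoords]:
    """Derive groupId/artifactId from the pom path and version from the jar name.

    The version is taken from the jar filename only when it follows the
    conventional <artifactId>-<version>.jar form and passes the sanity check;
    otherwise it is left as None rather than guessed from the path.
    """
    m = POM_PATH_RE.match(value)
    if not m:
        return None
    jar_name = m.group("jar").rsplit("/", 1)[-1][:-len(".jar")]
    artifact_id = m.group("a")
    version = None
    if jar_name.startswith(artifact_id + "-"):
        candidate = jar_name[len(artifact_id) + 1:]
        if looks_like_version(candidate):
            version = candidate
    return MavenCoords(m.group("g"), artifact_id, version)


if __name__ == "__main__":
    print("naive  :", naive_version(SAMPLE_VALUE))
    print("parsed :", parse_coords(SAMPLE_VALUE))
```

Running it prints "api/pom" for the naive heuristic and groupId org.sonarsource.scanner.api, artifactId sonar-scanner-api, version 2.10.0.1189 for the structured parse. When the jar filename does not follow the artifactId-version convention, the right fallback is to read the version from the nested pom.xml or pom.properties rather than from any substring of the path.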