Wrong version of `io.netty:netty-handler` is reported in the SBOM of `Selenese Runner Java`

[algomaster99]

What version of OpenRewrite are you using?

I am using

• Maven/Gradle plugin v4.45.0

How are you running OpenRewrite?

I am running the maven plugin on https://github.com/vmi/selenese-runner-java/tree/3e84e8e4e7e06aa1bdacaa8266db00f62ebef559.

mvn org.openrewrite.maven:rewrite-maven-plugin:4.45.0:cyclonedx --fail-at-end

What is the smallest, simplest way to reproduce the problem?

git clone git@github.com:vmi/selenese-runner-java.git
git checkout 3e84e8e4e7e06aa1bdacaa8266db00f62ebef559
mvn org.openrewrite.maven:rewrite-maven-plugin:4.45.0:cyclonedx --fail-at-end
# convert to json cyclonedx file (if needed)
# I needed JSON format so I used https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64

What did you expect to see?

The version of io.netty:netty-handler should be 4.1.79.Final according to maven dependency plugin. See our report generated from maven-dependency-plugin here.

What did you see instead?

4.1.78.Final was reported.

What is the full stack trace of any errors you encountered?

See the SBOM file produced.

https://github.com/chains-project/SBOM-2023/blob/major-revision/sbom-production/results/selenese-runner-java/openrewrite/sbom.json

Are you interested in contributing a fix to OpenRewrite?

I could give it a try if the contributors can help me debug it.

[joanvr]

Thanks for reporting this issue! Sounds like a big problem if we are not reporting the right version!

Maybe a good way to start working on this would be to try to replicate this in a test like those ones: https://github.com/openrewrite/rewrite-maven-plugin/blob/main/src/test/java/org/openrewrite/maven/RewriteCycloneDxIT.java

If you open a Draft Pull Request we can have a look at it together.

[algomaster99]

I am on it. I will submit a pull request soon.