spdx / spdx-maven-plugin

Plugin for supporting SPDX in a Maven build.
Apache License 2.0

Potential missing data when classifiers are added to dependencies #164

Open loosebazooka opened 8 months ago

loosebazooka commented 8 months ago

For a pom like the following, with multiple references to the same dependency with different classifiers:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>my-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-resolver-dns-native-macos</artifactId>
      <version>4.1.107.Final</version>
      <classifier>osx-aarch_64</classifier>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-resolver-dns-native-macos</artifactId>
      <version>4.1.107.Final</version>
      <classifier>osx-x86_64</classifier>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.spdx</groupId>
        <artifactId>spdx-maven-plugin</artifactId>
        <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
        <version>0.6.5</version>
        <executions>
            <execution>
                <id>build-spdx</id>
                <goals>
                    <goal>createSPDX</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
          <excludedFilePatterns>
            <excludedFilePattern>*.spdx</excludedFilePattern>
          </excludedFilePatterns>
          <!-- See documentation below for additional configuration -->
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

The classifier information is lost on the generated spdx sbom. The end result is two entries with the same netty reference.

{
    "SPDXID" : "SPDXRef-gnrtd11",
    "copyrightText" : "UNSPECIFIED",
    "description" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "https://netty.io/netty-resolver-dns-native-macos/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "Apache-2.0",
    "name" : "Netty/Resolver/DNS/Native/MacOS",
    "originator" : "Organization:The Netty Project",
    "summary" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "versionInfo" : "4.1.107.Final"
  }, {
    "SPDXID" : "SPDXRef-gnrtd0",
    "copyrightText" : "UNSPECIFIED",
    "description" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "https://netty.io/netty-resolver-dns-native-macos/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "Apache-2.0",
    "name" : "Netty/Resolver/DNS/Native/MacOS",
    "originator" : "Organization:The Netty Project",
    "summary" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "versionInfo" : "4.1.107.Final"
  }

The classifier information is lost. This is related to https://github.com/spdx/spdx-gradle-plugin/issues/115 on the gradle plugin side which really does not handle this very gracefully.
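As an added illustration (not code from spdx-maven-plugin or the issue author), here is a small check an SBOM consumer can run to detect the collapsed entries described above: packages that share a name and versionInfo and carry no distinguishing package-manager purl. The input is a constructed SPDX JSON fragment modelled on the output shown in the issue, with a second, hypothetical pair of entries that carry purls with a `classifier` qualifier to show what would make the two netty artifacts distinguishable.

```python
# Added example, not part of the spdx-maven-plugin project.
# Detects SPDX packages that are indistinguishable to a consumer because a
# Maven classifier was dropped: same name + versionInfo and no purl (or
# identical purls) to tell them apart.
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two collapsed netty entries from the issue, plus a
# hypothetical corrected pair whose purls carry the classifier qualifier.
SAMPLE_SBOM = json.loads("""{"spdxVersion": "SPDX-2.3", "packages": [
 {"SPDXID": "SPDXRef-gnrtd11", "name": "Netty/Resolver/DNS/Native/MacOS",
  "versionInfo": "4.1.107.Final"},
 {"SPDXID": "SPDXRef-gnrtd0", "name": "Netty/Resolver/DNS/Native/MacOS",
  "versionInfo": "4.1.107.Final"},
 {"SPDXID": "SPDXRef-fixed-a", "name": "netty-resolver-dns-native-macos",
  "versionInfo": "4.1.107.Final", "externalRefs": [{"referenceCategory":
  "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator":
  "pkg:maven/io.netty/netty-resolver-dns-native-macos@4.1.107.Final?classifier=osx-aarch_64"}]},
 {"SPDXID": "SPDXRef-fixed-b", "name": "netty-resolver-dns-native-macos",
  "versionInfo": "4.1.107.Final", "externalRefs": [{"referenceCategory":
  "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator":
  "pkg:maven/io.netty/netty-resolver-dns-native-macos@4.1.107.Final?classifier=osx-x86_64"}]}
]}""")

def purl_of(pkg):
    """Return the package's purl external reference, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None

def classifier_of(purl):
    """Extract the Maven 'classifier' qualifier from a purl, if present."""
    return parse_qs(urlsplit(purl).query).get("classifier", [None])[0]

def find_ambiguous_packages(doc):
    """Group packages by (name, versionInfo); report groups of two or more whose
    members lack purls or share identical purls, as {(name, version): [SPDXIDs]}."""
    groups = defaultdict(list)
    for pkg in doc.get("packages", []):
        groups[(pkg.get("name"), pkg.get("versionInfo"))].append(pkg)
    ambiguous = {}
    for key, pkgs in groups.items():
        if len(pkgs) < 2:
            continue
        purls = {purl_of(p) for p in pkgs}
        # Distinct purls (e.g. different ?classifier=...) disambiguate the entries.
        if None in purls or len(purls) < len(pkgs):
            ambiguous[key] = [p["SPDXID"] for p in pkgs]
    return ambiguous
```

Run against the sample, only the pair without purls is flagged; the hypothetical pair with classifier-bearing purls passes.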

goneall commented 8 months ago

Thanks @loosebazooka for the analysis and example. I suspected there may be an issue with this scenario.