spdx / spdx-maven-plugin

Plugin for supporting SPDX in a Maven build.
Apache License 2.0

Validating Build SBOM in SPDX Format #167

Open PrachiP29 opened 1 month ago

PrachiP29 commented 1 month ago

I worked on https://github.com/wmichalska/CreditManager repository to validate the build SBOM and below are my findings.

  1. There are in total 119 dependencies obtained from the Maven Dependency List/Tree on running the mvn dependency:list command.
  2. The SBOM file that was generated using the command mvn spdx:createSPDX resulted in total 117 dependencies. Out of these, four dependencies couldn’t be obtained directly from either the Maven central repository or the dependency list.
  3. Also, two dependencies from the dependency list do not match with the SBOM file – spring-jcl, spring-test.
  4. The dependencies “JSON Small and Fast Parser”, “AssertJ fluent assertion”, “Spring Data Core”, “Java Annotation Indexer” were present in the SBOM but not directly present in the dependency list or Maven central repo.
  5. There are some other dependencies that are common in both the Dependency List and the SBOM, but the direct link to those dependencies from the POM dependencies is not present. Below is the list of those dependencies: byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el

If you have any inputs to explain the differences, please do advise. Thanks in advance.

goneall commented 3 weeks ago

I cloned the above mentioned repo and ran mvn dependency:tree and mvn spdx:createSPDX and ended up with the same results. Both produced 119 dependencies.

Attached are 3 files - the output of each tool + a CSV with sorted comparisons of the package level information: deptree.txt, spdx-deps.txt and DepCompare.csv (https://github.com/user-attachments/files/16719702/DepCompare.csv)

goneall commented 3 weeks ago

> I worked on https://github.com/wmichalska/CreditManager repository to validate the build SBOM and below are my findings.
>
>   1. There are in total 119 dependencies obtained from the Maven Dependency List/Tree on running the mvn dependency:list command.
>   2. The SBOM file that was generated using the command mvn spdx:createSPDX resulted in total 117 dependencies. Out of these, four dependencies couldn’t be obtained directly from either the Maven central repository or the dependency list.

On my local machine, I was able to get all 119 in the SPDX run

>   3. Also, two dependencies from the dependency list do not match with the SBOM file – spring-jcl, spring-test.

These matched on my run

>   4. The dependencies “JSON Small and Fast Parser”, “AssertJ fluent assertion”, “Spring Data Core”, “Java Annotation Indexer” were present in the SBOM but not directly present in the dependency list or Maven central repo.

I didn't verify this - but it looks like the same results from the mvn:tree command and the SPDX command

>   5. There are some other dependencies that are common in both the Dependency List and the SBOM, but the direct link to those dependencies from the POM dependencies is not present. Below is the list of those dependencies: byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el

Both tools will generate indirect dependencies

> If you have any inputs to explain the differences, please do advise. Thanks in advance.

goneall commented 3 weeks ago

Note that PR #152 changes the implementation of the dependency discovery to use the same mechanism as mvn dependency:tree so the results should be the same.

PrachiP29 commented 2 weeks ago

Hi @goneall, this is satisfactory. But I still have an unanswered question. The below listed dependencies do not have any direct link from the dependencies present in the POM file. So, my question is, what reference are these dependencies using to show up in the SBOM file as the POM doesn't include the artifact IDs for all of these.

>   5. There are some other dependencies that are common in both the Dependency List and the SBOM, but the direct link to those dependencies from the POM dependencies is not present. Below is the list of those dependencies: byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el
>
> Both tools will generate indirect dependencies

goneall commented 2 weeks ago

> Hi @goneall, this is satisfactory. But I still have an unanswered question. The below listed dependencies do not have any direct link from the dependencies present in the POM file. So, my question is, what reference are these dependencies using to show up in the SBOM file as the POM doesn't include the artifact IDs for all of these.

I didn't look at all of these, but for the first few, they all appear to be indirect dependencies of dependencies declared in the POM file.

For example - byte-buddy-agent is an indirect dependency of the following declared dependency:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

The full dependency graph for this can be found in both the SBOM by tracing back the dependency information, or (more easily) from the dependency tree output. The dependency tree output related to byte-buddy-agent is:

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.4.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.4.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.4.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- org.assertj:assertj-core:jar:3.18.1:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.7.1:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.7.1:test
[INFO] |  |  |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  \- org.junit.platform:junit-platform-commons:jar:1.7.1:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.7.1:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.7.1:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.7.1:test
[INFO] |  +- org.mockito:mockito-core:jar:3.6.28:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.22:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.22:test

PrachiP29 commented 2 weeks ago

Okay, actually I checked for "attoparser" on the maven central repo and found that this particular one comes from a different org, org.attoparser. But I couldn't find the indirect link in the artifact IDs present in POM.

goneall commented 1 week ago

@PrachiP29 - Does running mvn dependency:tree on your project yield the same results as the SPDX Maven plugin?

If so, I suggest posting your question to the Maven Dependency Tree plugin community. This library makes use of the same code.

If you're seeing results which are different, then I can look into the SPDX Maven plugin implementation.