spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

SBoM of Docker image contains test dependencies #36287

Closed nils-christian closed 1 year ago

nils-christian commented 1 year ago

Hi,

To reproduce this issue, simply create a Spring Boot demo application via Spring Initializr (e.g. Spring 2.7.13, Java 17, Maven). Note that the demo project has spring-boot-starter as compile scoped dependency and spring-boot-starter-test as test scoped dependency.

Now create a Docker image with `mvn spring-boot:build-image`. The resulting image contains SBoM files which list the test dependencies (in this case: spring-boot-starter-test). This is an issue as vulnerability scanners use these meta files to check the image for security violations. In our case this leads to various false positives that have to be checked manually.

The SBoM should not contain test dependencies in general.

Thank you and best regards

Nils

wilkinsona commented 1 year ago

Thanks for the report. The problem is caused by analysis of the META-INF/maven/<<groupId>>/<<artifactId>>/pom.xml file that's included in the jar from which the image is built. Gradle does not generate such a file in the jars that it builds so the problem is specific to Maven. The analysis is performed by the executable-jar buildpack. Its behavior is out of Spring Boot's control so please report the problem to the buildpack's maintainers.

You can work around the problem by configuring Maven not to include the pom file in the jar:

```xml
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jar-plugin</artifactId>
    <configuration>
        <archive>
            <addMavenDescriptor>false</addMavenDescriptor>
        </archive>
    </configuration>
</plugin>
```

Another option may be to use the Flatten Plugin to remove the test-scoped dependencies from the pom.
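The second option sketched above, spelled out as an added example that is not part of this thread and not Spring Boot's own configuration: the Flatten Maven Plugin (org.codehaus.mojo:flatten-maven-plugin) is bound to the `process-resources` phase so that the flattened POM replaces the project POM before the jar plugin writes the `META-INF/maven/<<groupId>>/<<artifactId>>/pom.xml` descriptor. In `oss` mode the plugin writes the resolved dependencies and leaves out `test` and `provided` scoped and optional ones, so the descriptor copied into the jar, and from there into the buildpack's SBoM, only lists what is actually shipped at runtime. The plugin version is an assumption; pick the current release for your build.

```xml
<!-- Added example: flatten-maven-plugin configuration for a Spring Boot jar project.
     Assumptions: plugin version 1.5.0 (any current release works);
     jar packaging, so the flattened POM becomes the project POM by default. -->
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>flatten-maven-plugin</artifactId>
    <version>1.5.0</version>
    <configuration>
        <!-- oss: resolve and inline the dependencies, drop test/provided/optional ones -->
        <flattenMode>oss</flattenMode>
        <!-- make the flattened POM the POM the jar plugin embeds as the Maven descriptor -->
        <updatePomFile>true</updatePomFile>
    </configuration>
    <executions>
        <!-- run before the jar plugin's 'package' phase so the descriptor is already flattened -->
        <execution>
            <id>flatten</id>
            <phase>process-resources</phase>
            <goals>
                <goal>flatten</goal>
            </goals>
        </execution>
        <!-- remove the generated .flattened-pom.xml on 'mvn clean' -->
        <execution>
            <id>flatten-clean</id>
            <phase>clean</phase>
            <goals>
                <goal>clean</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```

After `mvn package`, check the embedded descriptor rather than trusting the build log: `unzip -p target/<app>.jar 'META-INF/maven/*/*/pom.xml'` should no longer show `spring-boot-starter-test`, and a fresh `mvn spring-boot:build-image` followed by a scan of the image's SBoM is the real confirmation that the false positives are gone. Unlike the `addMavenDescriptor` workaround, this keeps a (trimmed) descriptor in the jar, which matters if other tooling relies on it.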

nils-christian commented 1 year ago

Thank you for the clarification, @wilkinsona. I opened a new issue: https://github.com/paketo-buildpacks/executable-jar/issues/223