
CycloneDX SBOM dependency graph: no dependencies section is created for maven multimodule/npm project #5169

Closed
mawl opened this issue Mar 21, 2022 · 1 comment
Labels
duplicate (An issue that duplicates another issue), reporter (About the reporter tool)

Comments

@mawl

mawl commented Mar 21, 2022

We've got issues creating a cyclonedx sbom containing a dependency graph:

The analyser.yml file shows

    dependency_graphs:
      Maven:
        packages:
        - "Maven:antlr:antlr:x.x.x"
        - ...
      ...
      NPM:
        packages:
        - "NPM::abbrev:x.x.x"
        - ...   

But no dependencies section is created in cyclonedx sbom file:

...
   <component type="library">
      <group>com.sun.activation</group>
      <name>jakarta.activation</name>
      <version>x.x.x</version>
      <description>JavaBeans Activation Framework</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-1">8013606426a73d8ba6b568370877251e91a38b89</hash>
      </hashes>
      <licenses>
        <license>
          <id>BSD-3-Clause</id>
          <text content-type="plain/text" encoding="base64">...</text><ort:origin xmlns:ort="http://www.w3.org/1999/xhtml">declared license</ort:origin>
        </license>
      </licenses>
      <purl>pkg:maven/com.sun.activation/jakarta.activation@x.x.x</purl>
      <modified>false</modified>
      <externalReferences><reference type="website"><url>https://github.com/eclipse-ee4j/jaf/jakarta.activation</url></reference></externalReferences><ort:dependencyType xmlns:ort="http://www.w3.org/1999/xhtml">transitive</ort:dependencyType>
    </component>
...
  </components>
  <externalReferences><reference type="vcs"><url>...</url><comment>URL to the Git repository of the projects</comment></reference></externalReferences>
</bom>

and I wonder why there are ort:dependencyType entries in the component nodes

Any ideas how to fix/debug it?
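One way to check an exported BOM for exactly the gap described above (components present, no `dependencies` graph) is to parse it and list every component that no `dependency` element references. This is an added example, not ORT's or CycloneDX's own code; it assumes the CycloneDX 1.4 XML namespace and uses the XHTML namespace for the `ort:` elements as shown in the excerpt, and the two sample BOMs are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: CycloneDX 1.4 XML namespace. ORT's ort:* extension elements use
# the XHTML namespace, as in the BOM excerpt in this issue.
CDX_NS = "http://cyclonedx.org/schema/bom/1.4"
ORT_NS = "http://www.w3.org/1999/xhtml"
NS = {"c": CDX_NS, "ort": ORT_NS}

# Constructed sample modelled on the issue's excerpt: components carry
# ort:dependencyType hints, but the BOM has no <dependencies> section.
BOM_WITHOUT_GRAPH = f"""<bom xmlns="{CDX_NS}" xmlns:ort="{ORT_NS}" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/com.sun.activation/jakarta.activation@x.x.x">
      <name>jakarta.activation</name>
      <ort:dependencyType>transitive</ort:dependencyType>
    </component>
    <component type="library" bom-ref="pkg:npm/abbrev@x.x.x">
      <name>abbrev</name>
      <ort:dependencyType>direct</ort:dependencyType>
    </component>
  </components>
</bom>"""

# The same BOM with the <dependencies> section a consumer needs (constructed).
BOM_WITH_GRAPH = BOM_WITHOUT_GRAPH.replace("</components>", """</components>
  <dependencies>
    <dependency ref="pkg:npm/abbrev@x.x.x">
      <dependency ref="pkg:maven/com.sun.activation/jakarta.activation@x.x.x"/>
    </dependency>
  </dependencies>""")


def audit_dependency_graph(bom_xml: str) -> dict:
    """Report whether the BOM's dependency graph covers every component.
    Without <dependencies>, a consumer (e.g. a scanner deciding whether a
    vulnerable package is direct or transitive) sees only a flat list."""
    root = ET.fromstring(bom_xml)
    components = root.findall("./c:components/c:component", NS)
    refs = {c.get("bom-ref") for c in components}
    deps = root.find("./c:dependencies", NS)
    # Every ref that appears in the graph, as a parent or as a child edge.
    in_graph = set()
    if deps is not None:
        in_graph = {d.get("ref") for d in deps.iter(f"{{{CDX_NS}}}dependency")}
    transitive = sum(1 for c in components
                     if c.findtext("ort:dependencyType", namespaces=NS) == "transitive")
    return {
        "has_dependencies_section": deps is not None,
        "unconnected": sorted(refs - in_graph),   # components no edge reaches
        "ort_transitive_hints": transitive,
    }
```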

@mawl mawl changed the title CycloneDX SBOM: no dependencies section is created for maven multimodule/npm project CycloneDX SBOM dependency graph: no dependencies section is created for maven multimodule/npm project Mar 21, 2022
@sschuberth
Member

> But no dependencies section is created in cyclonedx sbom file:

That's a known missing feature, see #3906. We're happily accepting PRs 😉

> and I wonder why there are ort:dependencyType entries in the component nodes

That was a feature request from @CleanHit back then, see #2929. It was easy enough to implement, so we did for the fun of it 😀

@sschuberth sschuberth added duplicate An issue that duplicates another issue reporter About the reporter tool labels Mar 21, 2022