-
-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"False positives" in SBOM when building OSGi bundle with maven-bundle-plugin #398
Comments
I don't fully get the reasoning, it's too abstract: can you share a full example, please? |
The above example is from a private repository. Here is a link to a public repository having the same problem: https://github.com/Jahia/LDAP-provider . The pom.xml has a dependency to We see the same pattern with all of our modules. The default behavior of the |
IIUC, if you are building an OSGi bundle, you expect the SBOM to match OSGi way of defining dependencies, not Maven way? IIUC, your bundle does not really include the dependencies (like a war does), but only defines a requirement for an OSGi runtime, isn't it? |
@hboutemy what is happening here is that some classes are "shaded" inside the bundle, so lets say we have the chain A > requires B > requires > C Now I embedd I think the most "maven" way would be to declare the unwanted dependency in |
The false positive is not related to the library, but to the version of the library. cyclonedx-maven-plugin creates an SBOM with library versions, which are not deployed anywhere - neither in the bundle nor provided by the application. This results in found vulnerabilities, which are all false positives. Currently as a workaround we are indeed excluding the provided transitive libraries in the pom.xml. |
Hello. |
We recently started to use the
cyclonedx-maven-plugin
to create the SBOM of our OSGI components, which are built with themaven-bundle-plugin
(from Apache Felix). We have detected that the created SBOM can contain several false positives due to the following behaviour (taken from themaven-bundle-plugin
documentation):Let's take this example:
A module has a direct compile scope dependency to
gcc-restclient
. This jar will get embedded into the bundle and is also getting listed in the bom. Thejackson-databind
transitive dependency will not get embedded due to the default behavior ofmaven-bundle-plugin
(see above quote). Still thecyclonedx-maven-plugin
also listsjackson-databind
version 2.9.9 as dependency with scope "required".jackson-databind
in our case is a "provided" scope dependency (deployed and provided in a much higher version than 2.9.9). We setincludeProvidedScope
tofalse
in ourcyclonedx-maven-plugin
configuration.Would it be possible to prevent the creation of such false positives in order to have a trustable bom? Could
cyclonedx-maven-plugin
check the used Embed-Transitive setting ofmaven-bundle-plugin
or could you at least add a new option in your configuration to only check direct dependencies?The text was updated successfully, but these errors were encountered: