
Bad dependency can break BOM generation #467

Open
pvgoddijn opened this issue Feb 19, 2024 · 1 comment

Comments


When a dependency has some invalid transitive dependencies, it can make the entire process fail.

The example pom tries to download things from a defunct netbeans repo and fails generating a bom
(any good dependencies added won't end up in the bom.json/xml).

I would expect the plugin to emit a warning in such cases, not fail entirely.

Example pom:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
   Apache Maven 2 POM generated by Apache Ivy
   https://ant.apache.org/ivy/
   Apache Ivy version: 2.5.0 20191020104435
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

  <modelVersion>4.0.0</modelVersion>
  <groupId>our.group</groupId>
  <artifactId>our-artifact</artifactId>
  <packaging>pom</packaging>
  <version>1</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>3.6.2</version>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>
```

Output:

```text
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------------< our.group:our-artifact >-----------------------
[INFO] Building our-artifact 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default-cli) @ our-artifact ---
[INFO] CycloneDX: Resolving Dependencies
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140310.1920 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140802.1033 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/javax/xml/bind/jaxb-api/2.3.0-b161121.1438/jaxb-api-2.3.0-b161121.1438.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/istack/istack-commons-runtime/3.0.6/istack-commons-runtime-3.0.6.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/xml/fastinfoset/FastInfoset/1.2.14/FastInfoset-1.2.14.pom
[WARNING] An error occurred building dependency graph: Could not collect dependencies: our.group:our-artifact:pom:1
[INFO] CycloneDX: Creating BOM version 1.4 with 0 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /c/Users/dev/git/crm/build/deploy/target/bom.xml
[INFO]            attaching as our-artifact-1-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /c/Users/dev/git/crm/build/deploy/target/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as our-artifact-1-cyclonedx.json
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.379 s
[INFO] Finished at: 2024-02-19T15:44:26+01:00
[INFO] ------------------------------------------------------------------------
```
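The log above ends in BUILD SUCCESS even though the dependency graph could not be collected, the plugin wrote a BOM with 0 components, and Maven tried to fetch POMs from a plaintext http:// repository. A CI gate that trusts the exit status would ship an empty SBOM. The following is an added example, not part of the cyclonedx-maven-plugin or this issue, of the post-build check a practitioner would want: it scans the plugin's log for the graph-error warning, the zero-component line and plaintext downloads, and cross-checks bom.json against the direct dependencies declared in the POM. The sample log, POM and BOM documents are constructed from the output in this issue; the function names and messages are assumptions.

```python
"""Gate an SBOM build on its content, not on Maven's exit status.

Added example (not the plugin's own code). Sample inputs below are
constructed from the log and POM shown in the issue.
"""
import json
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Lines the cyclonedx-maven-plugin emits (see the issue's log).
GRAPH_ERROR = re.compile(
    r"^\[WARNING\] An error occurred building dependency graph: (?P<reason>.*)$")
BOM_COUNT = re.compile(
    r"CycloneDX: Creating BOM version (?P<version>[\d.]+) with (?P<count>\d+) component\(s\)")


def direct_dependencies(pom_xml):
    """Return 'groupId:artifactId' for every direct dependency in a POM."""
    root = ET.fromstring(pom_xml.strip())
    deps = set()
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        if group and artifact:
            deps.add(group + ":" + artifact)
    return deps


def bom_components(bom):
    """Return 'group:name' for every component in a CycloneDX JSON BOM."""
    return {c.get("group", "") + ":" + c.get("name", "")
            for c in bom.get("components", [])}


def audit_maven_log(log):
    """Collect conditions in the plugin's log that make the BOM untrustworthy."""
    problems = []
    for line in log.splitlines():
        m = GRAPH_ERROR.match(line)
        if m:
            problems.append("dependency graph incomplete: " + m["reason"])
        m = BOM_COUNT.search(line)
        if m and int(m["count"]) == 0:
            problems.append("plugin reported a BOM with 0 components")
        # Artifacts pulled over plaintext HTTP can be tampered with in transit.
        if line.startswith("Downloading from ") and " http://" in line:
            problems.append("artifact fetched over plaintext HTTP: " + line.split(": ", 1)[1])
    return problems


def audit_bom(bom, pom_xml):
    """Fail if the BOM is empty or omits a direct dependency declared in the POM."""
    problems = []
    comps = bom_components(bom)
    if not comps:
        problems.append("BOM contains no components")
    for dep in sorted(direct_dependencies(pom_xml) - comps):
        problems.append("direct dependency missing from BOM: " + dep)
    return problems


def sbom_problems(log, bom, pom_xml):
    """Everything a CI gate should fail the build on; empty list means OK."""
    return audit_maven_log(log) + audit_bom(bom, pom_xml)


# Constructed sample inputs (trimmed from the issue's POM and log).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>our.group</groupId>
  <artifactId>our-artifact</artifactId>
  <packaging>pom</packaging>
  <version>1</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>3.6.2</version>
    </dependency>
  </dependencies>
</project>"""

FAILED_LOG = """[INFO] CycloneDX: Resolving Dependencies
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/javax/xml/bind/jaxb-api/2.3.0-b161121.1438/jaxb-api-2.3.0-b161121.1438.pom
[WARNING] An error occurred building dependency graph: Could not collect dependencies: our.group:our-artifact:pom:1
[INFO] CycloneDX: Creating BOM version 1.4 with 0 component(s)
[INFO] BUILD SUCCESS"""
EMPTY_BOM = json.loads('{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}')

# Constructed "healthy" run for comparison (component count is illustrative).
GOOD_LOG = """[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 1 component(s)
[INFO] BUILD SUCCESS"""
GOOD_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"group": "org.apache.cxf", "name": "cxf-rt-ws-security", "version": "3.6.2"}]}

if __name__ == "__main__":
    for p in sbom_problems(FAILED_LOG, EMPTY_BOM, SAMPLE_POM):
        print("FAIL:", p)
    print("healthy run problems:", sbom_problems(GOOD_LOG, GOOD_BOM, SAMPLE_POM))
```

In a real pipeline, feed it the captured `mvn` output, `target/bom.json` and the module's `pom.xml`, and fail the job on a non-empty result; the direct-dependency cross-check catches the case in this issue, where the declared cxf-rt-ws-security never reaches the BOM.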

prabhu commented Apr 18, 2024

Even the mvn dependency:tree command is failing for this example. Don't know what magic this plugin could do to get some partial results.
