Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jenkins-core with minimal version is included in bom.json when running makeAggregateBom for a Jenkins plugin #588

Open
Bruceliu-rs opened this issue Dec 17, 2024 · 0 comments

Comments

@Bruceliu-rs
Copy link

Bruceliu-rs commented Dec 17, 2024

I am trying creating bom.json for many Jenkins plugins, but I found the generated bom.json includes jenkins-core dependency with the minimal version declared in the plugin's pom.xml, here is a sample for artifactory plugin https://github.com/jenkinsci/artifactory-plugin.
My Jenkins version(2.479.2) is much higher than the minimal version(2.263.1). After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has upgraded to 2.479.2. Any way to exclude this dependency, I tried -DexcludeArtifactId, but the Jenkins-core artifactid didn't exist in the pom.xml.

Here is the version defined in pom.xml.
...


<jenkins.version>2.263.1</jenkins.version>
<java.level>8</java.level>
...

Here is the dependency generated in bom.json
......
"type" : "library",
"bom-ref" : "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar",
"group" : "org.jenkins-ci.main",
"name" : "jenkins-core",
"version" : "2.263.1",
"description" : "Jenkins core code and view files to render HTML.",
......

I manually add this plugin into the artifactory plugin's pom.xml.
......

    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.9.1</version>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
    </plugin>

......
Did I do anything wrong?

Thanks. Any comments are welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant