
don't generate invalid SBOM on blank license: ignore instead #573

Merged: 1 commit, Nov 1, 2024

Conversation

@fupgang (Contributor) commented Oct 30, 2024

Ignoring license information with empty name and url (in pom.xml), for example:

    <licenses>
        <license>
            <name/>
            <url/>
            <distribution/>
        </license>
    </licenses>

As #382 states, processing such incomplete license information produced invalid SBOMs.

License information with empty name and url (in pom.xml) is ignored.

Signed-off-by: fupgang <75629871+fupgang@users.noreply.github.com>
@hboutemy hboutemy merged commit 0bef0d0 into CycloneDX:master Nov 1, 2024
4 checks passed
@hboutemy (Contributor) commented Nov 1, 2024

thank you

@hboutemy hboutemy changed the title fixes CycloneDX/cyclonedx-maven-plugin#382 don(t generate invalid SBOM on blank license: ignore instead Nov 1, 2024
@hboutemy hboutemy changed the title don(t generate invalid SBOM on blank license: ignore instead don't generate invalid SBOM on blank license: ignore instead Nov 12, 2024
@fupgang (Contributor, Author) commented Nov 18, 2024

@hboutemy, did you already schedule a release containing this fix?

As said in #382 (comment), using the openapi-generator we unfortunately produce a lot of invalid SBOMs at the moment.

@crimsonvspurple commented Nov 29, 2024

I tested v2.9.1 and the empty licenses line is still there.

    <!-- https://mvnrepository.com/artifact/net.jcip/jcip-annotations -->
    <dependency>
        <groupId>net.jcip</groupId>
        <artifactId>jcip-annotations</artifactId>
        <version>1.0</version>
    </dependency>

@fupgang (Contributor, Author) commented Nov 29, 2024

I tried the following example which looks good to me:

A simple pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example</groupId>
  <artifactId>my-artifact</artifactId>
  <version>0.1.0</version>

  <dependencies>
    <dependency>
      <groupId>net.jcip</groupId>
      <artifactId>jcip-annotations</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>

I created SBOMs with the latest (2.9.1) and the former version (2.9.0) of the cyclonedx-maven-plugin:

mvn org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeBom -DoutputName=bom-2.9.1
mvn org.cyclonedx:cyclonedx-maven-plugin:2.9.0:makeBom -DoutputName=bom-2.9.0

The BOMs differ concerning the license:

[screenshot: the license entries of bom-2.9.0 and bom-2.9.1 side by side]
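Added example, not the plugin's own code, covering both the rule the PR description states (a `<license>` whose name and url are both blank is ignored) and the 2.9.0 vs 2.9.1 comparison above: `parse_pom_licenses()` applies that rule to a POM's `<licenses>` block, and `find_invalid_license_entries()` scans a CycloneDX JSON BOM for license entries that carry neither an SPDX `id` nor a `name` and are not an SPDX `expression`, which is what makes such an SBOM invalid. The POM and BOM inputs are constructed for the example; the jcip-annotations purl mirrors the dependency used in the thread, but the BOM content around it is made up.

```python
"""Blank-license checks: apply the PR's rule to a POM, and audit a BOM.

Example code, not the cyclonedx-maven-plugin's implementation.
All sample inputs below are constructed.
"""
import json
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace ('{uri}name' -> 'name') so the same code handles a
    full POM with the Maven namespace and a bare fragment without it."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, local_name):
    """Stripped text of the first child with that local name; '' if the child
    is absent or empty (<name/> or <name>  </name>)."""
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return ""


def parse_pom_licenses(pom_xml):
    """Return the usable <license> entries of a POM as a list of dicts.

    An entry with blank name AND blank url is skipped (the rule this PR adds).
    An entry with only one of the two is kept: either field alone still
    identifies a license.
    """
    root = ET.fromstring(pom_xml)
    kept = []
    for elem in root.iter():
        if _local(elem.tag) != "license":
            continue
        name = _child_text(elem, "name")
        url = _child_text(elem, "url")
        if not name and not url:
            continue  # <name/><url/>: nothing to put in the BOM, drop it
        entry = {}
        if name:
            entry["name"] = name
        if url:
            entry["url"] = url
        kept.append(entry)
    return kept


def find_invalid_license_entries(bom_json):
    """Return (component label, index) for every license entry of a CycloneDX
    JSON BOM that is neither an 'expression' nor a 'license' object with a
    non-blank 'id' or 'name'.  An empty list means the BOM passed this check."""
    bom = json.loads(bom_json)
    bad = []
    for comp in bom.get("components", []):
        label = comp.get("bom-ref") or comp.get("purl") or comp.get("name", "?")
        for i, choice in enumerate(comp.get("licenses", [])):
            if (choice.get("expression") or "").strip():
                continue
            lic = choice.get("license") or {}
            if (lic.get("id") or "").strip() or (lic.get("name") or "").strip():
                continue
            bad.append((label, i))
    return bad


# Constructed POM: one blank <license> (the pattern from the PR) and one real one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <licenses>
    <license>
      <name/>
      <url/>
      <distribution/>
    </license>
    <license>
      <name>Apache License 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
</project>
"""

# Constructed BOM: the first component carries an empty license object, the
# kind of entry the thread calls invalid; the other two are well formed.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "jcip-annotations",
         "purl": "pkg:maven/net.jcip/jcip-annotations@1.0",
         "licenses": [{"license": {}}]},
        {"type": "library", "name": "good-lib",
         "purl": "pkg:maven/com.example/good-lib@1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "dual-lib",
         "purl": "pkg:maven/com.example/dual-lib@2.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    ],
})

if __name__ == "__main__":
    print(parse_pom_licenses(SAMPLE_POM))
    print(find_invalid_license_entries(SAMPLE_BOM))
```

To reproduce the comparison from the comment above, run `find_invalid_license_entries()` on the contents of the two BOM files the `makeBom` invocations write (by default under `target/`, named after `-DoutputName`): a non-empty result for the 2.9.0 output and an empty one for 2.9.1 is the behaviour this PR is meant to produce.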

@crimsonvspurple commented Dec 2, 2024

@fupgang You are right. I made an oopsie when testing on my end. Thank you for your hard work.
