Maven versions still blank in syft output when using specific search context #3207
Comments
It looks like the problem is that the command only allows syft access to the
If you're interested in just the jaxrs-base-server, then this is probably too many packages...
There are two ways to deal with this:
Using the exclude flag:
This is not ideal, since it's brittle as your repo changes over time... but it does work. There is probably a way to do this with a small bash script / find command:
This list could be placed into a syft config for continual reference:

```yaml
# exclude.yaml
exclude:
  - ./cli/cli-core
  - ./cli/cli-debug
  - ./cli/cli-probe-server
  - ./cli
  - ./configurator
  - ./event-sources/event-source-file
  - ./event-sources/event-source-kafka
  - ./event-sources/event-sources-core
  - ./event-sources
  - ./jwt-auth-common
  - ./live-reporter
  - ./observability-core
  - ./projector-driver
  - ./projectors-core
```
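The "small bash script / find command" mentioned above, written out in Python as an added example (this is not syft's code nor anything from the repository in the issue). It builds the exclude list by keeping only the target module and the directories between the repository root and that module, because those ancestor `pom.xml` files are where `<dependencyManagement>` lives; every other directory that has its own `pom.xml` is excluded. The module layout is a constructed fixture that mimics a subset of the tree shown in the list above, and the target name `jaxrs-base-server` is taken from the comment.

```python
# Added example (not syft's or the repository's own code): build the exclude
# list described above from a multi-module Maven checkout, keeping only the
# wanted module plus its ancestors (their pom.xml files carry the
# <dependencyManagement> that supplies versions).
import tempfile
from pathlib import Path

# Constructed fixture: a subset of the module layout in the issue; the real
# repository has more modules and the names are only illustrative.
MODULE_DIRS = [
    "cli/cli-core",
    "cli/cli-debug",
    "cli/cli-probe-server",
    "configurator",
    "event-sources/event-source-file",
    "event-sources/event-source-kafka",
    "event-sources/event-sources-core",
    "jaxrs-base-server",
    "jwt-auth-common",
]


def make_fake_checkout(root: Path) -> None:
    """Write a placeholder pom.xml at the root, in every module directory and
    in every intermediate aggregator directory (cli/, event-sources/)."""
    (root / "pom.xml").write_text("<project/>")
    for rel in MODULE_DIRS:
        rel_path = Path(rel)
        for p in [rel_path, *rel_path.parents]:
            if p != Path("."):
                (root / p).mkdir(parents=True, exist_ok=True)
                (root / p / "pom.xml").write_text("<project/>")


def exclude_paths(root: Path, target: str) -> list[str]:
    """Every directory under root with its own pom.xml, except the target
    module and the directories between root and the target."""
    root = root.resolve()
    target_dir = (root / target).resolve()
    keep = {target_dir}
    keep.update(p for p in target_dir.parents
                if p != root and p.is_relative_to(root))
    excluded = []
    for pom in root.rglob("pom.xml"):
        d = pom.parent
        if d == root or d in keep:
            continue
        excluded.append("./" + d.relative_to(root).as_posix())
    return sorted(excluded)


def render_exclude_yaml(paths: list[str]) -> str:
    """Render the list in the shape of the exclude.yaml config above."""
    return "exclude:\n" + "".join(f"  - {p}\n" for p in paths)


def exclude_for(target: str) -> list[str]:
    """Build the fixture in a temp dir and compute the exclude list for target."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fake_checkout(root)
        return exclude_paths(root, target)


if __name__ == "__main__":
    print(render_exclude_yaml(exclude_for("jaxrs-base-server")))
```

Run it against a real checkout by replacing the fixture with the repository root; the point of keeping ancestors rather than excluding everything except the target is that syft then still sees the parent POM that declares the managed versions.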
@wagoodman Thanks for the initial analysis, have updated the issue title based on that
I was writing this response concurrently to @wagoodman's, so apologies if there's duplicate info. As noted, cloning that repo, and running syft on the entire directory ( One solution is to provide the necessary Maven context to Syft by running a
Sorry no I haven't looked at this again, this got pushed down my queue by other stuff. As it turned out we didn't need to use syft at all for our use case as we're already generating CycloneDX BOMs directly from Maven and could just pass those into grype directly.
What happened:
Trying to use `syft` to generate an SBOM from a Maven `pom.xml` still does not correctly detect some dependency versions despite recent improvements from #2769. In particular this seems to be triggered when a dependency is declared with a version in `<dependencyManagement>` (often in a parent `pom.xml`) and then declared without a version in a child module's `pom.xml` where that dependency is actually being consumed. For example using the repository https://github.com/telicent-oss/smart-caches-core

What you expected to happen:
All the dependencies should have their versions correctly detected since they are all declared in the `<dependencyManagement>` section of the top level `pom.xml` in that repository.

Steps to reproduce the issue:

Environment:
Output of `syft version`:
OS (e.g: `cat /etc/os-release` or similar): macOS Ventura