[sbom] BOM is calculated multiple times for the same unit #3911

Closed
laeubi opened this issue Jun 1, 2024 · 3 comments · Fixed by #3914
Labels
sbom Software Bill of Materials

Comments

@laeubi
Member

laeubi commented Jun 1, 2024

While debugging some problems with changes in Tycho I noticed the following message:

```text
[INFO] --- cyclonedx:2.7.9:makeBom (default) @ repository.eclipse-repository ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] Cannot use cached value for MavenProject: tycho-demo:repository.eclipse-repository:1.0.0-SNAPSHOT @ /home/christoph/git/laeubi/tycho/tycho-its/projects/sbom/repository/.polyglot.category.xml because project artifact has changed, update is forced
[WARNING] Unknown p2 repository for artifact: example.feature
[ERROR] Unable to calculate BOM for: org.eclipse.update.feature,example.feature,1.0.0.today
[WARNING] Unknown p2 repository for artifact: example.feature
[ERROR] Unable to calculate BOM for: org.eclipse.update.feature,example.feature,1.0.0.today
[INFO] CycloneDX: Creating BOM version 1.4 with 8 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /home/christoph/git/laeubi/tycho/tycho-its/projects/sbom/repository/target/bom.xml
[INFO]            attaching as repository.eclipse-repository-1.0.0-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /home/christoph/git/laeubi/tycho/tycho-its/projects/sbom/repository/target/bom.json
[INFO]            attaching as repository.eclipse-repository-1.0.0-SNAPSHOT-cyclonedx.json
[INFO] ------------------------------------------------------------------------
```

As one can see, the error/warning is printed twice, so it seems the BOM is also computed twice for org.eclipse.update.feature!

@ptziegler would you like to take a look? It might not be a problem for small examples, but with larger products/sites it can easily become a performance bottleneck.

@laeubi laeubi changed the title BOM is calculated multiple times for the same unit [sbom] BOM is calculated multiple times for the same unit Jun 1, 2024
@laeubi laeubi added the sbom Software Bill of Materials label Jun 1, 2024
@ptziegler
Contributor

ptziegler commented Jun 1, 2024

Unless I'm missing something, you're talking about CycloneDX generating both an XML and a JSON file?

Edit:
Wait, you're probably talking about the PURL for example.feature being calculated twice...

@laeubi
Member Author

laeubi commented Jun 1, 2024

> Wait, you're probably talking about the PURL for example.feature being calculated twice...

yes :-)

@ptziegler
Contributor

To briefly describe what's happening:

Each IU is listed twice in the SBOM. Once as a dependency of the current artifact (repository) and once as a separate component (example.feature) with its own dependencies. The IU should effectively be unmodifiable within the same reactor build, so I'll see if one can simply cache the BOM representation.

Example:

```xml
<dependencies>
  <dependency ref="pkg:maven/tycho-demo/repository.eclipse-repository@1.0.0-SNAPSHOT?type=eclipse-repository">
    <dependency ref="pkg:p2/example.feature@1.0.0.today?classifier=org.eclipse.update.feature&amp;location=https%3A%2F%2Fwww.example.p2.repo%2F"/>
    <dependency ref="pkg:p2/example.plugin@1.0.0.today?classifier=osgi.bundle&amp;location=https%3A%2F%2Fwww.example.p2.repo%2F"/>
  </dependency>
  <dependency ref="pkg:p2/example.plugin@1.0.0.today?classifier=osgi.bundle&amp;location=https%3A%2F%2Fwww.example.p2.repo%2F">
    <dependency ref="pkg:p2/org.eclipse.core.databinding@1.13.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
    <dependency ref="pkg:p2/org.eclipse.core.databinding.beans@1.10.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
    <dependency ref="pkg:p2/org.eclipse.core.databinding.observable@1.13.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
    <dependency ref="pkg:p2/org.eclipse.core.databinding.property@1.10.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  </dependency>
  <dependency ref="pkg:p2/org.eclipse.core.databinding@1.13.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F">
    <dependency ref="pkg:p2/org.eclipse.equinox.common@3.18.200.v20231106-1826?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
    <dependency ref="pkg:p2/org.eclipse.osgi@3.18.600.v20231110-1900?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  </dependency>
  <dependency ref="pkg:p2/org.eclipse.core.databinding.beans@1.10.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  <dependency ref="pkg:p2/org.eclipse.core.databinding.observable@1.13.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  <dependency ref="pkg:p2/org.eclipse.core.databinding.property@1.10.100.v20230708-0916?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  <dependency ref="pkg:p2/org.eclipse.equinox.common@3.18.200.v20231106-1826?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  <dependency ref="pkg:p2/org.eclipse.osgi@3.18.600.v20231110-1900?classifier=osgi.bundle&amp;location=https%3A%2F%2Fdownload.eclipse.org%2Freleases%2F2023-12%2F"/>
  <dependency ref="pkg:p2/example.feature@1.0.0.today?classifier=org.eclipse.update.feature&amp;location=https%3A%2F%2Fwww.example.p2.repo%2F"/>
</dependencies>
```
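An added example (not Tycho's or ptziegler's code) that walks a constructed excerpt of the dependency tree above and counts how often a hypothetical per-unit BOM computation runs when every occurrence is visited, versus when results are cached by PURL as the fix proposes:

```python
"""Added example, not Tycho's code: show why each IU's BOM is computed
twice (once nested under the repository, once as a top-level component)
and how a per-reactor-build cache keyed by PURL brings that down to one."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed excerpt of the <dependencies> block from the issue; the
# location query parameter is dropped to keep the refs short.
SAMPLE_DEPENDENCIES = """
<dependencies>
  <dependency ref="pkg:maven/tycho-demo/repository.eclipse-repository@1.0.0-SNAPSHOT?type=eclipse-repository">
    <dependency ref="pkg:p2/example.feature@1.0.0.today?classifier=org.eclipse.update.feature"/>
    <dependency ref="pkg:p2/example.plugin@1.0.0.today?classifier=osgi.bundle"/>
  </dependency>
  <dependency ref="pkg:p2/example.plugin@1.0.0.today?classifier=osgi.bundle">
    <dependency ref="pkg:p2/org.eclipse.osgi@3.18.600.v20231110-1900?classifier=osgi.bundle"/>
  </dependency>
  <dependency ref="pkg:p2/org.eclipse.osgi@3.18.600.v20231110-1900?classifier=osgi.bundle"/>
  <dependency ref="pkg:p2/example.feature@1.0.0.today?classifier=org.eclipse.update.feature"/>
</dependencies>
"""

def ref_occurrences(xml_text):
    """Count every <dependency ref=...> occurrence, nested or top-level."""
    root = ET.fromstring(xml_text)
    return Counter(dep.get("ref") for dep in root.iter("dependency"))

def walk_naive(xml_text, compute):
    """Call compute(ref) once per occurrence: this is what duplicates the
    'Unable to calculate BOM' lines in the issue's log."""
    root = ET.fromstring(xml_text)
    for dep in root.iter("dependency"):
        compute(dep.get("ref"))

def walk_cached(xml_text, compute, cache=None):
    """Call compute(ref) once per distinct ref; the dict stands in for a
    reactor-wide BOM cache (hypothetical, not Tycho's own structure)."""
    cache = {} if cache is None else cache
    root = ET.fromstring(xml_text)
    for dep in root.iter("dependency"):
        ref = dep.get("ref")
        if ref not in cache:
            cache[ref] = compute(ref)
    return cache

def count_computations(walker):
    """Return how many times the stand-in BOM computation ran per ref."""
    calls = Counter()
    def compute(ref):
        calls[ref] += 1
        return {"ref": ref}  # placeholder for the BOM component
    walker(SAMPLE_DEPENDENCIES, compute)
    return calls
```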

ptziegler added a commit to ptziegler/tycho that referenced this issue Jun 1, 2024
The BOM representation is currently calculated twice for each artifact.
Within a reactor build, such IUs should always produce the same BOM
representation and should therefore be cached.

Resolves eclipse-tycho#3911
laeubi pushed a commit that referenced this issue Jun 2, 2024
The BOM representation is currently calculated twice for each artifact.
Within a reactor build, such IUs should always produce the same BOM
representation and should therefore be cached.

Resolves #3911
eclipse-tycho-bot pushed a commit that referenced this issue Jun 2, 2024
The BOM representation is currently calculated twice for each artifact.
Within a reactor build, such IUs should always produce the same BOM
representation and should therefore be cached.

Resolves #3911

(cherry picked from commit 065819f)