
Validating Build SBOM in SPDX Format #167

Open
PrachiP29 opened this issue Aug 16, 2024 · 7 comments

Comments

@PrachiP29

I worked on https://github.com/wmichalska/CreditManager repository to validate the build SBOM and below are my findings.

  1. There are in total 119 dependencies obtained from the Maven Dependency List/Tree on running the mvn dependency:list command.
  2. The SBOM file that was generated using the command mvn spdx:createSPDX resulted in total 117 dependencies. Out of these, four dependencies couldn’t be obtained directly from either the Maven central repository or the dependency list.
  3. Also, two dependencies from the dependency list do not match with the SBOM file – spring-jcl, spring-test.
  4. The dependencies “JSON Small and Fast Parser”, “AssertJ fluent assertion”, “Spring Data Core”, “Java Annotation Indexer” were present in SBOM but not directly present in the dependency list or Maven central Repo.
  5. There are some other dependencies that are common in both Dependency List and SBOM but the direct link to those dependencies from the POM dependencies are not present. Below is the list of those dependencies:
    byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el

If you have any inputs to explain the differences, please do advise. Thanks in advance.

@goneall (Member) commented Aug 22, 2024

I cloned the above mentioned repo and ran mvn dependency:tree and mvn spdx:createSPDX and ended up with the same results. Both produced 119 dependencies.

Attached are 3 files - the output of each tool + a CSV with sorted comparisons of the package level information:
  - DepCompare.csv (https://github.com/user-attachments/files/16719702/DepCompare.csv)
  - deptree.txt
  - spdx-deps.txt

@goneall (Member) commented Aug 22, 2024

> I worked on https://github.com/wmichalska/CreditManager repository to validate the build SBOM and below are my findings.
>
> 1. There are in total 119 dependencies obtained from the Maven Dependency List/Tree on running the mvn dependency:list command.
> 2. The SBOM file that was generated using the command mvn spdx:createSPDX resulted in total 117 dependencies. Out of these, four dependencies couldn’t be obtained directly from either the Maven central repository or the dependency list.

On my local machine, I was able to get all 119 in the SPDX run

> 3. Also, two dependencies from the dependency list do not match with the SBOM file – spring-jcl, spring-test.

These matched on my run

> 4. The dependencies “JSON Small and Fast Parser”, “AssertJ fluent assertion”, “Spring Data Core”, “Java Annotation Indexer” were present in SBOM but not directly present in the dependency list or Maven central Repo.

I didn't verify this - but it looks like the same results from the mvn:tree command and the SPDX command

> 5. There are some other dependencies that are common in both Dependency List and SBOM but the direct link to those dependencies from the POM dependencies are not present. Below is the list of those dependencies:
> byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el

Both tools will generate indirect dependencies

> If you have any inputs to explain the differences, please do advise. Thanks in advance.

@goneall (Member) commented Aug 22, 2024

Note that PR #152 changes the implementation of the dependency discovery to use the same mechanism as mvn dependency:tree so the results should be the same.

@PrachiP29 (Author) commented:

Hi @goneall, this is satisfactory. But I still have an unanswered question. The below listed dependencies do not have any direct link from the dependencies present in the POM file. So, my question is, what reference are these dependencies using to show up in the SBOM file as the POM doesn't include the artifact IDs for all of these.

> 5. There are some other dependencies that are common in both Dependency List and SBOM but the direct link to those dependencies from the POM dependencies are not present. Below is the list of those dependencies:
> byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, thymeleaf-extras-java8time, jakarta.el

> Both tools will generate indirect dependencies

@goneall (Member) commented Aug 26, 2024

> Hi @goneall, this is satisfactory. But I still have an unanswered question. The below listed dependencies do not have any direct link from the dependencies present in the POM file. So, my question is, what reference are these dependencies using to show up in the SBOM file as the POM doesn't include the artifact IDs for all of these.

I didn't look at all of these, but for the first few, they all appear to be indirect dependencies of dependencies declared in the POM file.

For example - byte-buddy-agent is an indirect dependency of the following declared dependency:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

The full dependency graph for this can be found in both the SBOM by tracing back the dependency information, or (more easily) from the dependency tree output. The dependency tree output related to byte-buddy-agent is:

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.4.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.4.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.4.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- org.assertj:assertj-core:jar:3.18.1:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.7.1:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.7.1:test
[INFO] |  |  |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  \- org.junit.platform:junit-platform-commons:jar:1.7.1:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.7.1:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.7.1:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.7.1:test
[INFO] |  +- org.mockito:mockito-core:jar:3.6.28:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.22:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.22:test
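As an added illustration of the "trace back through the dependency tree" step described in this comment (example code written here, not part of the spdx-maven-plugin or the commenter's own tooling), the following parses a constructed subset of the mvn dependency:tree lines shown above and walks each artifact back to the POM-declared dependency that pulled it in; it assumes artifactIds are unique within the tree.

```python
import re

# Constructed sample: a subset of the mvn dependency:tree output quoted above.
DEP_TREE = r"""
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.4.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.4.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  +- org.mockito:mockito-core:jar:3.6.28:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.22:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.22:test
"""

# One tree line: the drawing prefix ("|  " or "   " per level) encodes the depth,
# followed by a "+-" or "\-" connector and the group:artifact:type:version:scope.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?:\+-|\\-) (?P<coords>\S+)$")

def parse_tree(text):
    """Map artifactId -> (coords, depth, parent artifactId or None)."""
    nodes, stack = {}, []          # stack[i] = artifactId of latest node at depth i+1
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # project header, blank lines, other plugin output
        coords = m.group("coords")
        depth = len(m.group("prefix")) // 3 + 1   # depth 1 = declared in the POM
        del stack[depth - 1:]      # pop back to this node's parent level
        artifact = coords.split(":")[1]
        nodes[artifact] = (coords, depth, stack[-1] if stack else None)
        stack.append(artifact)
    return nodes

def dependency_path(nodes, artifact):
    """Follow parent links from the artifact up to the POM-declared dependency."""
    if artifact not in nodes:
        return None                # not present in the tree at all
    chain = []
    while artifact is not None:
        coords, _, artifact = nodes[artifact]
        chain.append(coords)
    return chain[::-1]             # declared dependency first, queried artifact last

def transitive_only(nodes):
    """Artifacts in the tree that are not declared directly in the POM (depth > 1)."""
    return sorted(a for a, (_, depth, _) in nodes.items() if depth > 1)
```

Running dependency_path on the full deptree.txt answers the "what reference pulls this in" question for each artifact in the list above, and transitive_only gives the set both tools report without a direct POM declaration.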

@PrachiP29 (Author) commented:

Okay, actually I checked for "attoparser" on the maven central repo and found that this particular one comes from a different org, org.attoparser. But I couldn't find the indirect link in the artifact IDs present in POM.

@goneall (Member) commented Sep 7, 2024

@PrachiP29 - Does running mvn dependency:tree on your project yield the same results as the SPDX Maven plugin?

If so, I suggest posting your question to the Maven Dependency Tree plugin community. This library makes use of the same code.

If you're seeing results which are different, then I can look into the SPDX Maven plugin implementation.
