Unable to scan library in Web-INF/Lib #296
Comments
I don't think that's possible today with the gradle plugin. @prabhu, does cdxgen support this?
@stevespringett Yes, cdxgen supports https://github.com/CycloneDX/cdxgen/blob/ef453ca771c4481b771f5dcd8db9aaef44025abe/index.js#L897
@prabhu My requirement is only to scan jar libraries from build.gradle plus the jar libraries which are present in a specific path which is not part of build.gradle. I tried using cdxgen also, but it is also not scanning any jar library outside build.gradle. I don't know if I am missing any settings that I have to add in build.gradle to scan jar libraries from a path.
@tech-surajrk Could you share the cdxgen command used? Did you specify
@prabhu Using '-t jar', I am able to generate a BOM, but the group name for each component is coming as undefined or blank. Hence Dependency-Track is not able to map any CVE against the component.
@tech-surajrk What you're describing is a problem that is a bit more complex to solve. Essentially we need a mechanism to match an artifact to its identifier. There are a few techniques.
So at this point, trivy is your best bet.
I'd like to mention syft's approach, which uses the filename as well as MANIFEST.MF. It's not perfect, but it seems much more accurate than cdxgen, as most jars use the
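The two comments above describe the core problem: a jar sitting in WEB-INF/lib has no build.gradle coordinate, so an SBOM generator has to recover group, artifact and version from the jar itself, and without a group there is no purl for Dependency-Track to match CVEs against. The script below is an added example written for this thread; it is not code from cdxgen, syft, trivy or the Gradle plugin. It tries the three sources in order of reliability (the Maven pom.properties embedded in the jar, then MANIFEST.MF attributes, then the filename) and emits a CycloneDX component for each jar, leaving the purl out when no group could be established rather than inventing one. The three jars it scans are constructed in a temporary directory, and the property name `example:identified-by` is an assumed, custom name.

```python
"""Identify jars in WEB-INF/lib and emit CycloneDX components (added example)."""
import hashlib
import json
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Fallback: <name>-<version>.jar, version must start with a digit.
FILENAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*?)\.jar$")


def parse_manifest(text):
    """Parse MANIFEST.MF 'Key: value' lines; a leading space marks a continuation line."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            key = key.strip()
            attrs[key] = val.strip()
    return attrs


def parse_properties(text):
    """Parse the simple key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def identify_jar(path):
    """Return group/name/version for a jar, trying the most reliable source first:
    1. META-INF/maven/**/pom.properties (carries the real Maven coordinates)
    2. META-INF/MANIFEST.MF Implementation-*/Bundle-* attributes (group is a heuristic)
    3. the filename pattern <name>-<version>.jar (no group at all)
    """
    group = name = version = source = None
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        pom = [n for n in names if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
        if pom:
            p = parse_properties(z.read(pom[0]).decode("utf-8", "replace"))
            group, name, version = p.get("groupId"), p.get("artifactId"), p.get("version")
            source = "pom.properties"
        if (not name or not version) and "META-INF/MANIFEST.MF" in names:
            m = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            name = name or m.get("Implementation-Title") or m.get("Bundle-SymbolicName")
            version = version or m.get("Implementation-Version") or m.get("Bundle-Version")
            # Implementation-Vendor-Id is often, but not always, the Maven groupId.
            group = group or m.get("Implementation-Vendor-Id")
            source = source or "MANIFEST.MF"
    if not name or not version:
        mm = FILENAME_RE.match(os.path.basename(path))
        if mm:
            name, version = name or mm["name"], version or mm["version"]
            source = source or "filename"
    sha256 = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"group": group, "name": name, "version": version, "source": source, "sha256": sha256}


def to_component(info):
    """Map an identified jar to a CycloneDX 1.4 component; a purl is only emitted with a group."""
    comp = {"type": "library", "name": info["name"], "version": info["version"],
            "hashes": [{"alg": "SHA-256", "content": info["sha256"]}],
            # assumed custom property name, records which source the identity came from
            "properties": [{"name": "example:identified-by", "value": info["source"]}]}
    if info["group"]:
        comp["group"] = info["group"]
        comp["purl"] = f"pkg:maven/{info['group']}/{info['name']}@{info['version']}"
    return comp


def build_bom(lib_dir):
    """Scan every *.jar under lib_dir (e.g. WEB-INF/lib) into a minimal CycloneDX BOM."""
    comps = [to_component(identify_jar(p)) for p in sorted(Path(lib_dir).glob("*.jar"))]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": comps}


def make_sample_webinf_lib(root):
    """Constructed sample: three jars, one per identification path (not real artifacts)."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "commons-lang3-3.12.0.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nImplementation-Title: Apache Commons Lang\r\n\r\n")
        z.writestr("META-INF/maven/org.apache.commons/commons-lang3/pom.properties",
                   "# constructed\nversion=3.12.0\ngroupId=org.apache.commons\nartifactId=commons-lang3\n")
    with zipfile.ZipFile(lib / "legacy-util-1.2.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nImplementation-Title: legacy-util\r\n"
                   "Implementation-Version: 1.2\r\nImplementation-Vendor-Id: com.example\r\n\r\n")
    with zipfile.ZipFile(lib / "mystery-0.9.jar", "w") as z:
        z.writestr("foo/Bar.class", b"\xca\xfe\xba\xbe")  # no metadata at all
    return lib


def demo_bom():
    """Build the constructed WEB-INF/lib in a temp dir and return the BOM it produces."""
    return build_bom(make_sample_webinf_lib(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(json.dumps(demo_bom(), indent=2))
```

Point `build_bom()` at a real WEB-INF/lib to get a components list you can merge into the Gradle plugin's BOM. The SHA-256 hash is included on every component because it is the one identifier that survives even when the filename was renamed and the jar carries no metadata; a component with only a name and version but no purl is the case the thread describes as "group undefined", and it will not be matched by a purl-based vulnerability lookup.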
@stevespringett - Is there a way to scan the legacy libraries which are present in Web-INF/Lib but not part of build.gradle?
Currently, when I use cyclonedx, it generates a BOM for all the libraries defined in build.gradle, but if there is any library not part of build.gradle, it excludes those libraries from the BOM.
So I want to know if there is any way to define a path in build.gradle so that cyclonedx will generate a BOM with the libraries that are present in that path? Or is there any other solution that you can recommend?