[DRAFT] scope required may be another version #578
Conversation
|
I like this proposal: it makes explicit the fact that the version of the dependency at runtime might be different. The case, when the version of a dependency is fixed occurs IMHO only when the dependency is included (statically compiled, shaded, etc.) in the artifact. In all the other situations, you should be able to replace the dependency with a patched version. As discussed in CycloneDX/cyclonedx-maven-plugin#472 there is already a way to express inclusion through $.components.components, so an additional scope might not be necessary. The composition mechanism is more powerful than a scope, since it gives a tree representation of which component is included in which one. A scope would just express the inclusion of a component in the main component. Unfortunately, in practice, I haven't seen SBOMs use the composition mechanism, so we might:
What do you think? |
|
@hboutemy , please start your change request with writing a ticket discussing what the problem is, and why it is relevant. We then can discuss all possible solutions on this very ticket. (A PR w/o a proper issue means somebody skipped the most relevant part: give people a proper understanding of the "problem" and give them the freedom to think about possible solutions freely. Starting with a solution always narrows the view of everybody, and in almost all cases the proposed solution is not the best one.) |
| @@ -938,7 +938,7 @@ | |||
| "excluded" | |||
| ], | |||
| "meta:enum": { | |||
| "required": "The component is required for runtime", | |||
| "required": "The component is required for runtime, or another version.", | |||
There was a problem hiding this comment.
this would make a MUST a MAY.
Spec-wise, i dislike the change. it is a breaking change from OBOM's point of viev:
In an OBOM a required component has a specific version.
with this change, spec-wise, this would be no longer the case.
|
@jkowalleck to be honest, I knew this was a bigger issue than "just a PR", but I could not figure out precisely where/how to report in a concise way (and I'm not used to working on specs...) I don't expect this PR to be merged, as it would seriously change the CycloneDX 1.6 spec: I consider it more as an issue with one very concrete but incomplete approach #321 looks related (just for fun, first comment on this issue is please provide a PR as a PoV = what I did here, with the exact intent :) ) this would add another use case to #321: "as a library supplier with a dynamic language and associated dependency manager (Java with Maven, Gradle or any other, C# with NuGet and DLLs, ...)", I ship a library that requires a component as a dependency: I know the version I will build my library with, but I don't know the runtime version of the dependency that will be selected by my users" I don't get if #321 is only about what Id' call environmental prerequisites (OS, language runtime, ...), or about dependencies defined in build in languages where dependency management has an impact when consuming the consequence is that it may require different solutions, I don't yet have an opinion, but I'm interested to participate in the discussion |
If you continued reading, you would have seen #326. 🤡
👍
👋 |
jkowalleck
changed the title
|
Since @hboutemy and I have talked about this briefly, I would like to clarify that this PR The problem is well summarised in the PR description This happens because there can be dependency conflicts while building a package as there could be two versions of the same dependency. Which version of dependency is selected strongly depends upon the dependency resolution algorithm of the build tool. See this post by my research group and I also summarise it for you here:
Now why I think this topic deserves its own issue is because there is no use-case in #321 that fits this topic:
Dependency is not external. It is part of the dependency tree. Only the version is unknown.
Maven has the concept of Uber jar where the dependency is copied into the jar and shipped along. In that case, we want to know the precise version of dependency. If these dependencies are not bundled into one Uber jar, then this use case fits. Rest of the use-cases do not pertain clearly. However, if it is not clear, I am happy to clarify. |
This is a well-known challenge with package managers. However, I fail to see why this is a specification issue. In CycloneDX, a BOM asserts the identity of components. Changing that has a cascading effect on other things. SBOM creation should not be viewed as a one-time event, but rather a process. This is documented on page 32 of the Authoritative Guide to SBOM and CISA has working groups that are doing similar things. Expecting the output from a build, which relies on a package manager, to have a completely accurate SBOM, is not realistic. What's more realistic is to utilize a process of enrichment and verification which takes the SBOM as input and makes any corrections to it throughout the process, resulting in an accurate component inventory (including the versions of components that are delivered). The enrichment and verification process itself can even be documented in the resulting SBOM for independent verification. |
|
re: #578 (comment)
What you describe is literally the first use case listed in #321. Furthermore, #321 describes in the section "Discussion" why scope is probably not the right choice for a spec-change. Please read #321 again. short version: a non-shipped dependency that the downstream-users need to provide -- exactly what you described in your comment and what this very PR discusses, too.
@algomaster99 , please clarify. |
Thanks for the clarification, @stevespringett !
So I believe this issue would be more suited for |
I disagree. Conflicting dependencies are not "external/extraneous" dependencies. For me, an external dependency would be a Jar file that is loaded at runtime from its URL. This is encapsulated by the last two use-cases.
The other use cases talk about the runtime version and hardware which are both irrelevant. Anyway, @stevespringett 's answer is a clear answer for me that this issue is not a specification problem and something that them SBOM producers like |
I understand on SBOM of an app, or anything that embeds dependencies.
not really: first use case explains about exceptional and advanced case, for example when license of the dependency does not permit embedding One option with CycloneDX <= 1.6 is for SBOMs of libraries in these languages to not list dependencies at all, as they are not embedded (not shipped) as part of library: I fear this will cause frustration |
To be precise, libraries almost never embed dependencies, so SBOM consumers might be more lenient if the component type is The technical reason, why a consumer can not use a different version of the library is not really important. |
This is exactly what this PR vouches for :) |
|
we had a very in-depth discussion with @jkowalleck to analyze our differences: hard to relate here all the good learning we found, would be too big and diverse but @jkowalleck proposed me one surprising option that IMHO solves our problem: declare components without version my first reaction was: it would not be CycloneDX nor purl compliant! (honestly, in my mind, I silently added "stupid" first :) ) I never saw a CycloneDX document with a component without version, but it is definitively what we should have done from the very fist time to represent dependencies of libraries, that are not embedded, not shipped with the library, but to be resolved by consumer, with eventually (often?) a different effective resolved version |
|
That sounds like a great solution. Yes, version is optional. We did this because version is optional in But yes, version is also optional in purl so that we can represent versionless components. I would hope that the majority of components from a Maven build would have a version and its only a few corner cases that would not. To mitigate the "strong reaction" upon first seeing this, you may want to consider using CycloneDX Annotations, as a way to automatically provide commentary as to why a component is versionless. For the annotation, the |
You'll be surprised:
The key reasoning is "shipped or not shipped in the product":
thanks for the good idea: yes, definitively we'll have to do this |
|
notice: the "shipped vs non-shipped in the product" reasoning + version--less existing in npm makes me feel that
|
I think after #321 becomes a part of CDX, tool makes will find a good use case to apply the new "extraneous" flag and version-ranges - for exactly this reason. We might add to the authoritative guide, that a BOM for non-bundled/non-shipped MUST NOT have concrete version, but MAY have a version-range(which may match exactly one version), and MUST be flagged as "extraneous". anyway, here is an example how such a task would look like for node-tools
thanks. :-)
PS: you are not alone. |
That is a great idea, thanks both of you! 💯
We do use versionless components in our CycloneDX VDR, but that is an entirely a different application.
I think we should stress in the specification that version means exact version required by the component, something like the |
no need to stress the spec: honestly the spec is immediate, version means immediate version it's the build tool approach taken by any build tool that has to resolve transitive dependencies and conflicts that makes things more complex and unexpected for people not having really thought precisely about it: it has to be more flexible, or you can't assemble anything |
|
CycloneDX/cyclonedx-maven-plugin#589 created for CycloneDX Maven plugin (I let other build tools create their own issue to implement equivalent logic) |
in OBOM use case, component listed at runtime is very precise
in SBOM use case, in many languages or package/dependency managers, when the dependency tree is calculated at build time, components listed at build time may be replaced at runtime by another version "of the same component": this is particularly true with libraries.
This ability to change the version between build time and runtime makes risk evaluation of libraries not accurate.
This PR proposes to explicit this question of version: perhaps the best solution will be create another scope instead, to differentiate this strict version vs loose version