bug(java): use artifactId and groupId from purl in sbom mode #7007

Closed
DmitriyLewen opened this issue Jun 25, 2024 Discussed in #6990 · 5 comments · Fixed by #7008
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM), scan/vulnerability (Issues relating to vulnerability scanning)
DmitriyLewen commented Jun 25, 2024

Description

pom.xml files can contain a name field.
name is not always equal to artifactId.

spdx-maven-plugin uses the name field (if it exists) as the package name field.
So when name != artifactId, we can't correctly detect vulnerabilities for this package.

We don't have this problem with CycloneDX, because cyclonedx-maven-plugin uses artifactId as the component name field.

Maven packages must use lowercase for artifactId (but there is no such rule for groupId), but the maven purl type has no lowercase restrictions, so we can take artifactId and groupId from the purl.
This will fix the problem with SPDX, and we won't see a problem with CycloneDX if cyclonedx-maven-plugin updates their logic.

example:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>example.groupId</groupId>
    <artifactId>example-artifactId</artifactId>
    <version>1.0.0</version>

    <name>example-name</name>
    <description>Example</description>


    <build>
        <plugins>
            <plugin>
                <groupId>org.spdx</groupId>
                <artifactId>spdx-maven-plugin</artifactId>
                <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
                <version>0.7.3</version>
                <executions>
                    <execution>
                        <id>build-spdx</id>
                        <goals>
                            <goal>createSPDX</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                  <excludedFilePatterns>
                    <excludedFilePattern>*.spdx</excludedFilePattern>
                  </excludedFilePatterns>
                  <!-- See documentation below for additional configuration -->
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.cyclonedx</groupId>
                <artifactId>cyclonedx-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>makeAggregateBom</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>

SPDX package:

  "packages" : [ {
    "SPDXID" : "SPDXRef-gnrtd0",
    "copyrightText" : "NOASSERTION",
    "description" : "Example",
    "downloadLocation" : "NOASSERTION",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/example.groupId/example-artifactId@1.0.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : true,
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "NOASSERTION",
    "name" : "example-name",
    "packageFileName" : "NOASSERTION",
    "packageVerificationCode" : {
      "packageVerificationCodeValue" : "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    },
    "primaryPackagePurpose" : "LIBRARY",
    "summary" : "Example",
    "versionInfo" : "1.0.0"
  } ],

CycloneDX component:

    "component" : {
      "group" : "example.groupId",
      "name" : "example-artifactId",
      "version" : "1.0.0",
      "description" : "Example",
      "purl" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar"
    },

Discussed in #6990
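To illustrate the fix proposed above, here is an added Go example (not Trivy's own code, and not the package-url library Trivy uses): a minimal stdlib parser for pkg:maven purls, and an identify function that prefers the purl's groupId/artifactId over the SBOM's free-form name field, falling back to name/version only when no usable purl is present. The struct and function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// MavenCoords holds the identity a vulnerability lookup actually keys on.
type MavenCoords struct {
	GroupID, ArtifactID, Version string
}

// parseMavenPurl extracts groupId/artifactId/version from a pkg:maven purl.
// Minimal stdlib parser written for this example, not Trivy's or package-url's code.
func parseMavenPurl(purl string) (MavenCoords, error) {
	var c MavenCoords
	if !strings.HasPrefix(purl, "pkg:") {
		return c, fmt.Errorf("not a purl: %q", purl)
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	// Qualifiers ("?type=jar") and subpath ("#...") do not identify the artifact; drop them.
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	// The version follows the last '@'; it may be percent-encoded.
	if i := strings.LastIndexByte(rest, '@'); i >= 0 {
		c.Version, _ = url.PathUnescape(rest[i+1:])
		rest = rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) != 3 || parts[0] != "maven" {
		return c, fmt.Errorf("expected pkg:maven/<groupId>/<artifactId>@<version>, got %q", purl)
	}
	c.GroupID, _ = url.PathUnescape(parts[1])
	c.ArtifactID, _ = url.PathUnescape(parts[2])
	if c.GroupID == "" || c.ArtifactID == "" {
		return c, fmt.Errorf("empty groupId or artifactId in %q", purl)
	}
	return c, nil
}

// identify prefers the purl over the SBOM's free-form name field (the fix
// proposed in this issue) and falls back to name/version only without a usable purl.
func identify(name, version, purl string) MavenCoords {
	if c, err := parseMavenPurl(purl); err == nil {
		return c
	}
	return MavenCoords{ArtifactID: name, Version: version}
}
```

With the SPDX package from the issue (name "example-name"), identify returns the same coordinates as for the CycloneDX component, which is what makes the vulnerability lookup agree for both formats.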

@DmitriyLewen added the kind/bug, scan/vulnerability and scan/sbom labels Jun 25, 2024
@DmitriyLewen self-assigned this Jun 25, 2024

@DmitriyLewen (Contributor, Author) commented:

spdx-gradle-plugin doesn't have this problem.
It uses groupId:artifactId as the name: https://github.com/spdx/spdx-gradle-plugin/blob/332b9cdde367c86a357bde43100d13e4c674ae6f/example.spdx.json#L474

@knqyf263 (Collaborator) commented:

> we won't see problem with CycloneDX if cyclonedx-maven-plugin updates their logic.

I need some clarification. You said we don't have a problem with cyclonedx-maven-plugin, but you also said "we won't see problem with CycloneDX IF cyclonedx-maven-plugin updates their logic." Why does cyclonedx-maven-plugin need to update their logic?

@DmitriyLewen (Contributor, Author) commented:

pom.xml may contain name, artifactId and groupId fields.
There is no rule about what we should use for the component.name field (I mean name or artifactId).

But perhaps I was too safe when I wrote this phrase 😄
I thought that cyclonedx-maven-plugin may follow suit of spdx-maven-plugin (use name for component.name and artifactId + groupId in purl).

But I reread the docs: "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery"
The presence of component.group and the phrase "This will often be a shortened, single name of the component" are more indicative of using artifactId for name.

@knqyf263 (Collaborator) commented:

OK. You mean we won't see any problem with CycloneDX unless cyclonedx-maven-plugin updates its logic.

@DmitriyLewen (Contributor, Author) commented:

right 👍
