
Incorrect (empty) tool entry may appear in SBOMs if project also uses a plugin which uses org.eclipse.jgit #325

Open
HughG opened this issue Sep 8, 2023 · 2 comments


HughG commented Sep 8, 2023

I have successfully created SBOMs from several in-house projects (can't share the source, sorry) using versions 1.7.3 and 1.7.4 of the org.cyclonedx.bom plugin. However, in one project the tools section of the SBOM contains a single entry with no properties, like this.

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:9ea71a0d-3dda-40a2-99c2-d889408d03e3",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2023-09-07T20:17:24Z",
    "tools" : [
      { }
    ],
...
  }
}

whereas in other projects it looks like this:

...
    "tools" : [
      {
        "vendor" : "CycloneDX",
        "name" : "cyclonedx-gradle-plugin",
        "version" : "1.7.4"
      }
    ],
...

I don't understand the spec well enough to know if this is invalid, strictly speaking, but it's clearly not what's intended. In particular it causes https://github.com/CycloneDX/sbom-comparator to fail to compare the files, unless I manually fix or remove the incorrect entry.

Through debugging the Gradle build process, I believe the problem is that the problem project also uses com.netflix.nebula:gradle-info-plugin:9.2.0 and org.ajoberstar.grgit:grgit-gradle:4.1.0, which indirectly pulls in JAR org.eclipse.jgit:org.eclipse.jgit:6.7.0.202309050840-r. That JAR also contains a file plugin.properties at the top level of its resources folder, which of course has a completely different set of properties.

Which plugin.properties is found first on the classpath appears to depend (in my case) on the hash which Gradle computes for the JAR because that's the leftmost difference in the paths to the JARs.

I think the solution to this is that the CycloneDX plugin should move its plugin.properties to a namespaced sub-folder within the JAR, e.g., resources/org/cyclonedx/gradle/plugin.properties (or maybe a further sub-level if you have other plugins/JARs under the org.cyclonedx.gradle namespace which might have a plugin.properties).

Ideally also the JGit JAR would not list resources at the top level, but that's not something the maintainers of this plugin can fix.
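Added example, not code from the issue, the CycloneDX plugin or JGit: a Python simulation of the classpath collision described above, using two constructed in-memory JARs that both carry an un-namespaced plugin.properties. The `first_resource` helper mimics first-match resource lookup, `tool_entry` shows how the wrong properties file yields the empty `{ }` tools entry, the namespaced path is the proposed fix, and `empty_tools` is a check for SBOMs already affected.

```python
import io
import zipfile

def make_jar(entries):
    """Build a constructed JAR (zip archive) in memory from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample artifacts; values chosen to mirror the issue, not copied from real JARs.
CYCLONEDX_PROPS = "vendor=CycloneDX\nname=cyclonedx-gradle-plugin\nversion=1.7.4\n"
CYCLONEDX_JAR = make_jar({"plugin.properties": CYCLONEDX_PROPS})
CYCLONEDX_NS_JAR = make_jar({"org/cyclonedx/gradle/plugin.properties": CYCLONEDX_PROPS})
JGIT_JAR = make_jar({"plugin.properties": "plugin.name=JGit\nplugin.provider=Eclipse\n"})

def parse_properties(text):
    """Minimal java.util.Properties-style parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def first_resource(classpath, path):
    """Mimic ClassLoader.getResource(): the first JAR on the classpath holding `path` wins."""
    for jar_bytes in classpath:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if path in zf.namelist():
                return zf.read(path).decode()
    return None

def tool_entry(classpath, path="plugin.properties"):
    """Build the metadata.tools entry, copying only the keys the plugin knows about."""
    props = parse_properties(first_resource(classpath, path) or "")
    return {k: props[k] for k in ("vendor", "name", "version") if k in props}

def empty_tools(sbom):
    """Return indexes of metadata.tools entries with no fields (the symptom from the issue)."""
    tools = sbom.get("metadata", {}).get("tools", [])
    return [i for i, tool in enumerate(tools) if not tool]
```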


HughG commented Sep 8, 2023

I have raised a corresponding issue for the JGit project, at https://bugs.eclipse.org/bugs/show_bug.cgi?id=582394


HughG commented Sep 18, 2023

I raised this in the wrong project, sorry! Moved to CycloneDX/cyclonedx-gradle-plugin#336.
