Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential missing data when classifiers are added to dependencies #164

Open
loosebazooka opened this issue Mar 15, 2024 · 1 comment
Open

Potential missing data when classifiers are added to dependencies #164

loosebazooka opened this issue Mar 15, 2024 · 1 comment

Comments

@loosebazooka
Copy link

For a pom like with multiple references to the same dependency with different classifiers

  • io.netty:netty-resolver-dns-native-macos:4.1.107.Final:osx-aarch_64
  • io.netty:netty-resolver-dns-native-macos:4.1.107.Final:osx-x86_64
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>my-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-resolver-dns-native-macos</artifactId>
      <version>4.1.107.Final</version>
      <classifier>osx-aarch_64</classifier>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-resolver-dns-native-macos</artifactId>
      <version>4.1.107.Final</version>
      <classifier>osx-x86_64</classifier>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.spdx</groupId>
        <artifactId>spdx-maven-plugin</artifactId>
        <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
        <version>0.6.5</version>
        <executions>
            <execution>
                <id>build-spdx</id>
                <goals>
                    <goal>createSPDX</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
          <excludedFilePatterns>
            <excludedFilePattern>*.spdx</excludedFilePattern>
          </excludedFilePatterns>
          <!-- See documentation below for additional configuration -->
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

The classifier information is lost on the generated spdx sbom. The end result is two entries with the same netty reference.

{
    "SPDXID" : "SPDXRef-gnrtd11",
    "copyrightText" : "UNSPECIFIED",
    "description" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "https://netty.io/netty-resolver-dns-native-macos/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "Apache-2.0",
    "name" : "Netty/Resolver/DNS/Native/MacOS",
    "originator" : "Organization:The Netty Project",
    "summary" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "versionInfo" : "4.1.107.Final"
  }, {
    "SPDXID" : "SPDXRef-gnrtd0",
    "copyrightText" : "UNSPECIFIED",
    "description" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "https://netty.io/netty-resolver-dns-native-macos/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "Apache-2.0",
    "name" : "Netty/Resolver/DNS/Native/MacOS",
    "originator" : "Organization:The Netty Project",
    "summary" : "Netty is an asynchronous event-driven network application framework for\n    rapid development of maintainable high performance protocol servers and\n    clients.",
    "versionInfo" : "4.1.107.Final"
  }

The classifier information is lost. This is related to spdx/spdx-gradle-plugin#115 on the gradle plugin side which really does not handle this very gracefully.
@loosebazooka loosebazooka mentioned this issue Mar 15, 2024
Open
@goneall
Copy link
Member

goneall commented Mar 15, 2024

Thanks @loosebazooka for the analysis and example. I suspected there may be an issue with this scenario.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@goneall @loosebazooka