
fix: gradle component analysis duplicates artifacts in sbom #130

Merged (1 commit), Apr 30, 2024

Conversation

zvigrinberg (Collaborator)

Description

For gradle component analysis, if in the manifest an artifact is specified twice, once with a version and a second time without a version, then it's generated like that in the SBOM, which is a duplicate (the fix filters out the artifact that doesn't contain a version).

Checklist

  • I have followed this repository's contributing guidelines.
  • I will adhere to the project's code of conduct.

Additional information

build.gradle:

dependencies {
    implementation "log4j:log4j:1.2.17"
    implementation group: 'log4j', name: 'log4j'
}

Generated SBOM:

[
    {
        "group": "log4j",
        "name": "log4j",
        "version": "1.2.17",
        "purl": "pkg:maven/log4j/log4j@1.2.17",
        "type": "library",
        "bom-ref": "pkg:maven/log4j/log4j@1.2.17"
    },
    {
        "group": "log4j",
        "name": "log4j",
        "purl": "pkg:maven/log4j/log4j",
        "type": "library",
        "bom-ref": "pkg:maven/log4j/log4j"
    }
]

The generated SBOM for component analysis should only contain the log4j entry with the version, and with the subject fix it becomes as required:

[
    {
        "group": "log4j",
        "name": "log4j",
        "version": "1.2.17",
        "purl": "pkg:maven/log4j/log4j@1.2.17",
        "type": "library",
        "bom-ref": "pkg:maven/log4j/log4j@1.2.17"
    }
]

Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>
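The de-duplication the PR describes, written out as an added example (not the project's own code): drop a versionless component only when a versioned entry with the same group:name coordinates exists, and expose a check that reports such shadowed entries so an SBOM consumer can catch the defect before vulnerability analysis. The sample component list is constructed to mirror the generated SBOM above.

```javascript
// Added example (not the project's code): remove versionless duplicates of
// versioned Maven components from a CycloneDX-style component list, the case
// the PR describes for Gradle manifests that list an artifact twice.

// Constructed sample mirroring the "generated sbom" in the PR description.
const SAMPLE_COMPONENTS = [
  { group: "log4j", name: "log4j", version: "1.2.17",
    purl: "pkg:maven/log4j/log4j@1.2.17", type: "library",
    "bom-ref": "pkg:maven/log4j/log4j@1.2.17" },
  { group: "log4j", name: "log4j",
    purl: "pkg:maven/log4j/log4j", type: "library",
    "bom-ref": "pkg:maven/log4j/log4j" },
];

// The group:name pair identifies a Maven artifact independent of version.
function coordinates(component) {
  return `${component.group}:${component.name}`;
}

// Set of coordinates that have at least one versioned entry.
function versionedCoordinates(components) {
  return new Set(components.filter((c) => c.version).map(coordinates));
}

// Keep every versioned component; drop a versionless one only when a versioned
// entry with the same coordinates exists. A lone versionless entry is kept,
// since dropping it would silently hide a dependency from analysis.
function dedupeComponents(components) {
  const versioned = versionedCoordinates(components);
  return components.filter((c) => c.version || !versioned.has(coordinates(c)));
}

// Check: purls of versionless entries that shadow a versioned one. A consumer
// can flag these, since an unversioned purl cannot be matched to advisories
// and inflates the component count.
function findVersionlessDuplicates(components) {
  const versioned = versionedCoordinates(components);
  return components
    .filter((c) => !c.version && versioned.has(coordinates(c)))
    .map((c) => c.purl);
}

console.log(JSON.stringify(dedupeComponents(SAMPLE_COMPONENTS), null, 2));
```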
@zvigrinberg (Collaborator, Author)

Skipped IT for golang and approved this PR, as they are temporarily not working due to an issue in the EXHORT Backend (regardless of which packages are in the go.mod manifest (vulnerable or not), exhort doesn't return vulnerability data).

@zvigrinberg zvigrinberg merged commit 45a6bf2 into main Apr 30, 2024
3 of 5 checks passed
@zvigrinberg zvigrinberg deleted the hotfix/fix-gradle-ca-no-ver branch April 30, 2024 12:34