-
-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What if a Maven module produces multiple variants? #574
Comments
yes, this is a variant of shading #472 |
I am wondering, how these SBOMs for alternative artifact version can be used in practice. The artifact with the
|
it's a reality of the output: makes sense to describe this reality and final question: all that is from a provider point of view, describing in more detail the ouput of his release |
Indeed this particular artifact should not be used as a dependency in a Maven project, but as a protoc plugin in for example
This is what we're discussing in #472: the SBOM for the 'regular' artifact describes its 'regular' dependencies, while the SBOM for the 'assembly' artifact should somehow encode the fact that it 'embeds' those dependencies rather than just referring to them.
One use case for SBOMs is more accurate 'security scanning', where some security scanner tool uses the SBOM information to put together information on what components are on a system, and match that to open security advisories. Suppose the codegen project depends on a 'vulnerable' version of some library. If the 'regular' codegen artifact is part of the users' system, the scanner should not necessarily flag this 'vulnerable' dependency, as it may have been overridden by whatever project depended on the 'regular' codegen artifact. However, when the 'assembly' codegen artifact is part of the users' system, the scanner should use the information (directly or indirectly) from the SBOM of that artifact to learn that the vulnerable code is actually inside the jar, regardless of further context. |
How should we deal with the scenario where a maven module produces several types of output, for example both a 'regular' jar (with regular dependencies) and a 'fat' jar (with some of the dependencies embedded into the jar)?
This question came up in #472 (comment). This situation can be found for example in https://repo1.maven.org/maven2/org/apache/pekko/pekko-grpc-codegen_3/1.1.0/ : it has both the
-assembly.jar
and a regular.jar
.I'd say the main choice is between describing both the 'regular' and the 'fat' artifact in one SBOM, or to creating separate SBOMs for each artifact.
From the perspective of "how are SBOMs used?", I think there are typically two classes of consumers of SBOMs for a project: the maintainers of the project themselves, and users who have the project somewhere in the dependency tree of their systems. The latter category will probably start from a particular artifact that they encounter on their systems, and be interested in specifically the SBOM for that artifact. So I think they would prefer it if there were a separate SBOM for each artifact. For the maintainers of the project I could see use cases where they'd like to analyze the combined metadata for all their artifacts, but for that I don't see a particularly strong preference for 'one big SBOM' over 'SBOM per artifact'.
So overall I think it'd make most sense to have a separate SBOM per artifact - i.e. for https://repo1.maven.org/maven2/org/apache/pekko/pekko-grpc-codegen_3/1.1.0/ generate both a
pekko-grpc-codegen_3-1.1.0-cyclonedx.json
and apekko-grpc-codegen_3-1.1.0-assembly-cyclonedx.json
.The text was updated successfully, but these errors were encountered: