Confusing warning "Dependency tree is partial lacking child nodes."
Steps

- pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>com.mysql</groupId>
      <artifactId>mysql-connector-j</artifactId>
      <version>9.0.0</version>
      <exclusions>
        <exclusion>
          <artifactId>protobuf-java</artifactId>
          <groupId>com.google.protobuf</groupId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

- Command:

```
CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java
```
Actual

Output:

```
Executing 'mvn dependency:tree -DoutputFile=/var/folders/6d/qgj8m4xj4p74tjmrztw8fqb80000gn/T/cdxmvn-VwOjMn/mvn-tree.txt' in /foo
===== WARNINGS =====
[ 'Dependency tree is partial lacking child nodes.' ]
```
Expected
No warnings.
Notes
- Assuming it's caused by the exclusion of protobuf, it's a valid situation when the transitive dependency is explicitly excluded by the developer. So the warning is unexpected.
- It's unclear what the log tries to protect against.
- The warning lacks information about what is lacking where exactly. So it's difficult to address.
- "partial" should be "partially".
- Version 10.9.11.
@metametadata The particular message has gotten changed.
https://github.com/CycloneDX/cdxgen/blob/8d33fd3d0d1379e74dae173ed0fc78d653fb525b/lib/helpers/validator.js#L226
Let me know if there is a better way to phrase the fact that the dependency tree is partial. The logic to determine this is below:
https://github.com/CycloneDX/cdxgen/blob/8d33fd3d0d1379e74dae173ed0fc78d653fb525b/lib/helpers/utils.js#L12395
Thank you for the reply.

> Dependency tree is partial with multiple empty dependsOn attribute

The produced SBOM contains the following code:

```json
{
  "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
  "dependsOn": []
}
```
I suppose the empty dependsOn is considered a problem? Why? I'm afraid I don't understand why there should be any warning at all and thus I cannot propose a better phrasing except remarking that:
- It's still unclear from the log why a "partial" tree is a problem worth warning about.
- There are no multiple `dependsOn` in my case.
- "Attribute" should be "attributes".
In my understanding, excluding protobuf from mysql-connector-j is a valid scenario, there should be no warnings about it.
> The logic to determine this is below

The formula `Math.max(Math.round(componentsCount / 3), 1)` is cryptic, e.g. it's unclear why there's a division by 3.
Let's put Maven exclusions aside and consider the following pom.xml files:

- Project without any dependencies:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
  </dependencies>
</project>
```

  It produces the warning too, but it's unexpected as it's a valid project.

- Project with a single dependency:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>4.28.2</version>
    </dependency>
  </dependencies>
</project>
```

  This certainly valid case also unexpectedly produces a warning.
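The following is an added illustration, not cdxgen's own code and not posted by anyone in this thread. It assumes, as an unverified reconstruction of the heuristic discussed above, that the warning fires when the number of `dependencies` entries with an empty `dependsOn` list reaches `Math.max(Math.round(componentsCount / 3), 1)`; the two constructed SBOM fragments mirror the dependency-free and single-dependency POMs from the comment above. It shows why that threshold collapses to 1 for small projects, so that any leaf dependency (which legitimately has an empty `dependsOn`) trips it, and it sketches a more actionable message that names the refs involved.

```javascript
// Added illustration; not cdxgen's code. Assumption (reconstruction of the
// heuristic discussed in the thread, not verified against cdxgen): the warning
// fires when the count of dependencies[] entries with an empty dependsOn list
// reaches Math.max(Math.round(componentsCount / 3), 1).

const ROOT_REF = "pkg:maven/foo/bar@1.0.0?type=jar";
const PROTOBUF_REF = "pkg:maven/com.google.protobuf/protobuf-java@4.28.2?type=jar";

// Constructed minimal CycloneDX dependency sections for the two POMs above.
const NO_DEPS_BOM = {
  metadata: { component: { "bom-ref": ROOT_REF } },
  components: [],
  dependencies: [{ ref: ROOT_REF, dependsOn: [] }],
};

const SINGLE_DEP_BOM = {
  metadata: { component: { "bom-ref": ROOT_REF } },
  components: [{ "bom-ref": PROTOBUF_REF }],
  dependencies: [
    { ref: ROOT_REF, dependsOn: [PROTOBUF_REF] },
    { ref: PROTOBUF_REF, dependsOn: [] }, // a leaf: legitimately empty
  ],
};

// The threshold quoted in the thread. For componentsCount of 0, 1 or 2 it
// evaluates to 1, so a single empty dependsOn is enough to trip it.
function partialTreeThreshold(componentsCount) {
  return Math.max(Math.round(componentsCount / 3), 1);
}

// Refs whose dependsOn list is missing or empty.
function emptyDependsOnRefs(bom) {
  return (bom.dependencies || [])
    .filter((d) => !Array.isArray(d.dependsOn) || d.dependsOn.length === 0)
    .map((d) => d.ref);
}

// Assumed heuristic: flag the tree as partial when the empty count reaches
// the threshold derived from the number of components.
function assessDependencyTree(bom) {
  const componentsCount = (bom.components || []).length;
  const nodes = (bom.dependencies || []).length;
  const threshold = partialTreeThreshold(componentsCount);
  const emptyRefs = emptyDependsOnRefs(bom);
  return {
    componentsCount,
    nodes,
    threshold,
    emptyRefs,
    partial: emptyRefs.length >= threshold,
  };
}

// A more actionable message: say how many nodes are affected, what the
// threshold was, and which refs have no children, instead of only "partial".
function describeAssessment(a) {
  if (!a.partial) return "Dependency tree looks complete.";
  return (
    `Dependency tree may be partial: ${a.emptyRefs.length} of ${a.nodes} ` +
    `nodes have an empty dependsOn (threshold ${a.threshold}): ` +
    a.emptyRefs.join(", ")
  );
}

for (const [name, bom] of [["no-deps", NO_DEPS_BOM], ["single-dep", SINGLE_DEP_BOM]]) {
  console.log(name + ": " + describeAssessment(assessDependencyTree(bom)));
}
```

Run with `node` to see both constructed cases reported as partial under the assumed rule, which matches the behaviour described in the comment above; the point of the reconstruction is that a count-based threshold cannot distinguish a genuine leaf from a node whose children were never resolved, so the SBOM alone gives the heuristic nothing to go on for tiny projects.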
Will improve this. There must be some heuristics to evaluate if the given dependency tree is complete.
Still reproducible (i.e. there's a warning printed unexpectedly) in v10.10.7 for the following valid POMs:

- Project with a single `software.amazon.awssdk/ec2` dep:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>ec2</artifactId>
      <version>2.27.1</version>
    </dependency>
  </dependencies>
</project>
```

  Similarly reproducible for the single deps `software.amazon.awssdk/ec2instanceconnect` and `software.amazon.awssdk/ecs`.

- Project with a single `leiningen` dep:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <repositories>
    <repository>
      <id>clojars</id>
      <url>https://repo.clojars.org/</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>leiningen</groupId>
      <artifactId>leiningen</artifactId>
      <version>2.11.2</version>
    </dependency>
  </dependencies>
</project>
```