
Incorrect (empty) tool entry may appear in SBOMs if project also uses a plugin which uses org.eclipse.jgit

Open HughG opened this issue 1 year ago • 2 comments

I have successfully created SBOMs from several in-house projects (can't share the source, sorry) using versions 1.7.3 and 1.7.4 of the org.cyclonedx.bom plugin. However, in one project the tools section of the SBOM contains a single entry with no properties, like this.

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:9ea71a0d-3dda-40a2-99c2-d889408d03e3",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2023-09-07T20:17:24Z",
    "tools" : [
      { }
    ],
...
  }
}

whereas in other projects it looks like this

...
    "tools" : [
      {
        "vendor" : "CycloneDX",
        "name" : "cyclonedx-gradle-plugin",
        "version" : "1.7.4"
      }
    ],
...

I don't understand the spec well enough to know if this is invalid, strictly speaking, but it's clearly not what's intended. In particular it causes https://github.com/CycloneDX/sbom-comparator to fail to compare the files, unless I manually fix or remove the incorrect entry.

Through debugging the Gradle build process, I believe the problem is that the problem project also uses com.netflix.nebula:gradle-info-plugin:9.2.0 and org.ajoberstar.grgit:grgit-gradle:4.1.0, which indirectly pulls in JAR org.eclipse.jgit:org.eclipse.jgit:6.7.0.202309050840-r. That JAR also contains a file plugin.properties at the top level of its resources folder, which of course has a completely different set of properties.

Which plugin.properties is found first on the classpath appears to depend (in my case) on the hash which Gradle computes for the JAR because that's the leftmost difference in the paths to the JARs.

I think the solution to this is that the CycloneDX plugin should move its plugin.properties to a namespaced sub-folder within the JAR, e.g., resources/org/cyclonedx/gradle/plugin.properties (or maybe a further sub-level if you have other plugins/JARs under the org.cyclonedx.gradle namespace which might have a plugin.properties).

Ideally also the JGit JAR would not list resources at the top level, but that's not something the maintainers of this plugin can fix.

HughG avatar Sep 08 '23 13:09 HughG
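The shadowing described above can be made visible from inside the build: `ClassLoader.getResource` returns only the first `plugin.properties` on the classpath, while `getResources` lists every copy. The following is an added diagnostic example, not code from the CycloneDX plugin; it assumes the plugin's file carries `vendor`, `name` and `version` keys (inferred from the tool entry shown in the issue) and picks the first copy that has them instead of trusting classpath order.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

/** Lists every plugin.properties on the classpath and selects the one with the expected keys. */
public final class PluginPropertiesCheck {
    // Assumed key set for the CycloneDX plugin's file (not taken from the plugin source).
    private static final String[] EXPECTED_KEYS = {"vendor", "name", "version"};

    /** All copies of the resource, in classpath order (getResource() would return only the first). */
    public static List<URL> findAll(ClassLoader cl, String resource) throws IOException {
        return Collections.list(cl.getResources(resource));
    }

    /** First copy that defines every expected key, or null if none does (the "empty tool" case). */
    public static Properties selectExpected(List<URL> candidates) throws IOException {
        for (URL url : candidates) {
            Properties p = new Properties();
            try (InputStream in = url.openStream()) {
                p.load(in);
            }
            boolean complete = true;
            for (String key : EXPECTED_KEYS) {
                if (p.getProperty(key) == null) { complete = false; break; }
            }
            if (complete) return p;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        ClassLoader cl = PluginPropertiesCheck.class.getClassLoader();
        List<URL> all = findAll(cl, "plugin.properties");
        if (all.size() > 1) {
            // More than one JAR ships a top-level plugin.properties: report each origin.
            System.err.println("WARNING: " + all.size() + " copies of plugin.properties on the classpath:");
            for (URL u : all) System.err.println("  " + u);
        }
        Properties chosen = selectExpected(all);
        if (chosen == null) {
            System.err.println("No plugin.properties with vendor/name/version found; tool entry would be empty.");
        } else {
            System.out.println("Using " + chosen.getProperty("vendor") + " / "
                    + chosen.getProperty("name") + " " + chosen.getProperty("version"));
        }
    }
}
```

Run it with the same classpath the build uses (for example from a small Gradle task) and the warning names the JAR, such as the JGit one, whose file is shadowing the plugin's.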

I have raised a corresponding issue for the JGit project, at https://bugs.eclipse.org/bugs/show_bug.cgi?id=582394

HughG avatar Sep 08 '23 13:09 HughG

I raised this in the wrong project, sorry! Moved to https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/336.

HughG avatar Sep 18 '23 11:09 HughG

Closing this issue since it was related to the Gradle plugin and not this library; also, it was already fixed there.

mr-zepol avatar Sep 08 '24 17:09 mr-zepol