
Question: include mvn plugins in the BOM?

Open wvdhaute opened this issue 4 years ago • 5 comments

Would it not make sense to have an option to include any mvn plugin found in the exported BOM?

In the end, these could also potentially have security issues to be checked.

For example if the maven-release-plugin or the maven-compiler-plugin gets breached or has a flaw, it can modify the payload of all jars/wars/ears/...

wvdhaute avatar Jun 16 '20 07:06 wvdhaute

It's an interesting idea. I was thinking about this type of use case the other day, as anything used could potentially have implications for supply chain security.

But I couldn't come up with a reasonable boundary. Do you stop at plugins? Or do you include the compiler used, the CI/CD tools, operating systems, etc.?

I think it makes more sense for a BOM to represent the components that are put together. Not necessarily what is used to put them together.

coderpatros avatar Jun 16 '20 11:06 coderpatros

I understand your point, where do you stop.

My train of thought was that this is the "easiest" place to go one step further. Certain versions of plugins that come implicitly with the mvn version that has built the artifact(s), are harder to resolve outside of the mvn build.

Indeed, this then probably also should include the OS, JVM, ... the mvn process ran on.

Unsure what an alternative way would be to close this gap.

wvdhaute avatar Jun 16 '20 11:06 wvdhaute

I don't know enough about the maven ecosystem to have a strong opinion on it. My thoughts were more about the .net ecosystem that I normally work in.

But my thoughts are that it needs to be tracked outside of the BOM produced for a particular project. Personally, I'm starting to look at the tools my team uses. With the plan to generate BOMs for them. Which is much easier if all your tooling is open source. But will still be tricky to track particular versions and which are actually in use. Especially across lots of projects which could have slightly different SDK versions, etc.

It will be good to get @stevespringett's take on this.

coderpatros avatar Jun 16 '20 11:06 coderpatros

Yes, I'm in favor of having an option (disabled by default) which includes the Maven plugins and Maven itself as components within the BOM.

This aligns with OWASP SCVS 3.16 https://owasp-scvs.gitbook.io/scvs/v3-build-environment

SCVS 1.0 will likely be released in the next 30 days.

CycloneDX has an optional element in a component called scope with the following possible values. If not specified, required is assumed.

  • required
  • optional
  • excluded

For Maven plugins, they can be represented in the BOM and be set to excluded to indicate that the component is not delivered in the final goods assembled. Components that are excluded are intended to represent build-time tools, unit test frameworks, etc.

PRs are welcome.

stevespringett avatar Jun 16 '20 14:06 stevespringett
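As an added example (not code from cyclonedx-maven-plugin or from anyone in this thread), a small Python script that reads a constructed CycloneDX JSON BOM, applies the "missing scope means required" rule described above, and separates build-time components such as the Maven plugins from the ones that ship in the artifact; the component versions and the com.example libraries are placeholders.

```python
import json

# Constructed CycloneDX JSON BOM (not real plugin output): two shipped
# libraries plus the two Maven plugins named in the thread, which carry
# scope "excluded" because they are build-time tools, not delivered goods.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.example", "name": "app-lib",
         "version": "1.0.0"},                          # no scope -> required
        {"type": "library", "group": "com.example", "name": "opt-lib",
         "version": "2.0.0", "scope": "optional"},
        {"type": "library", "group": "org.apache.maven.plugins",
         "name": "maven-compiler-plugin", "version": "0.0.0-example",
         "scope": "excluded"},                         # version is a placeholder
        {"type": "library", "group": "org.apache.maven.plugins",
         "name": "maven-release-plugin", "version": "0.0.0-example",
         "scope": "excluded"},                         # version is a placeholder
    ],
})

VALID_SCOPES = {"required", "optional", "excluded"}


def component_scope(component):
    """Return the effective scope; an absent scope element means 'required'."""
    scope = component.get("scope", "required")
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r} on {component.get('name')}")
    return scope


def split_by_scope(bom_json):
    """Group component coordinates (group:name@version) by effective scope.

    'required' and 'optional' components are part of the final goods assembled;
    'excluded' ones are build-time tools such as Maven plugins, which still
    deserve vulnerability checks but must not be mistaken for shipped code.
    """
    bom = json.loads(bom_json)
    buckets = {scope: [] for scope in VALID_SCOPES}
    for c in bom.get("components", []):
        coord = f"{c.get('group', '')}:{c['name']}@{c.get('version', '')}"
        buckets[component_scope(c)].append(coord)
    return buckets


if __name__ == "__main__":
    for scope, coords in split_by_scope(SAMPLE_BOM).items():
        print(scope, coords)
```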

This issue seems similar to https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/166

fmarot avatar May 18 '22 09:05 fmarot