jbom
Generated SBOMs include some Nulls/Unknowns
Using jbom itself as an example, if you run `java -jar target/jbom-1.2.1.jar -f target/jbom-1.2.1.jar` and then look at the generated SBOM, I see these null/unknown entries:
- [ ] `"manufacture" : { "name" : "Unknown" }`
- [ ] `"bom-ref" : "null:byte-buddy-agent:agent/pom"` -- And the `"group"` for this component is missing above as well.
- [ ] `"bom-ref" : "null:maven-model:model/pom"` -- And group missing.
- [ ] `"bom-ref" : "null:plexus-utils:3.4.2"` -- And group missing.
Under dependencies:
- [ ] `"ref" : "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.1", "dependsOn" : [ "com.fasterxml.jackson.core:jackson-core:null", "com.fasterxml.jackson.core:jackson-annotations:null", "com.fasterxml.jackson.core:jackson-databind:null", "com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:null",`
- [ ] `"ref" : "null:byte-buddy-agent:agent/pom",` (and maven-model and plexus-utils as well)
- [ ] `"ref" : "net.java.dev.msv:xsdlib:INF/maven/net.java.dev.msv/xsdlib/pom", "dependsOn" : [ "relaxngDatatype:relaxngDatatype:null", "junit:junit:null", "jdom:jdom:null"`
It looks like the nulls are caused by 1 or 2 different issues that, when fixed, will hopefully fix a bunch of these per fix.
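The entries listed above are the kind of gaps that quietly break downstream vulnerability matching, since a component with a `null` group or version cannot be mapped to an advisory. The following script is an added example, not part of jbom, that scans a CycloneDX JSON SBOM for exactly these defects: an `Unknown` manufacturer, components with no `group`, and `bom-ref` / `ref` / `dependsOn` values whose `group:artifact:version` triple contains `null` or a file path where a version should be. It assumes the CycloneDX 1.4 JSON layout (`metadata`, `components`, `dependencies`) and that every reference is a Maven-style triple; the sample SBOM embedded in it is constructed from the values quoted in this issue, not real jbom output.

```python
"""Scan a CycloneDX JSON SBOM for null / Unknown gaps like those reported above.

Added example; not part of jbom. Assumes CycloneDX 1.4 JSON layout and
Maven-style "group:artifact:version" references.
"""
import json

# Constructed sample SBOM, modelled on the entries quoted in the issue
# (not real jbom output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"manufacture": {"name": "Unknown"}},
    "components": [
        {"bom-ref": "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.1",
         "group": "com.fasterxml.jackson.dataformat",
         "name": "jackson-dataformat-xml", "version": "2.14.1"},
        {"bom-ref": "null:byte-buddy-agent:agent/pom",          # group missing
         "name": "byte-buddy-agent", "version": "agent/pom"},
        {"bom-ref": "null:plexus-utils:3.4.2",                  # group missing
         "name": "plexus-utils", "version": "3.4.2"},
    ],
    "dependencies": [
        {"ref": "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.1",
         "dependsOn": ["com.fasterxml.jackson.core:jackson-core:null",
                       "com.fasterxml.jackson.core:jackson-annotations:null"]},
        {"ref": "null:byte-buddy-agent:agent/pom", "dependsOn": []},
    ],
})

# Values that mean "the generator did not actually know this".
BAD_TOKENS = {"", "null", "unknown"}


def ref_problems(ref):
    """Return a list of problems with one group:artifact:version reference."""
    parts = ref.split(":")
    if len(parts) != 3:
        return ["not a group:artifact:version triple"]
    problems = []
    for label, value in zip(("group", "artifact", "version"), parts):
        if value.strip().lower() in BAD_TOKENS:
            problems.append(f"{label} is {value!r}")
    # A path such as "agent/pom" in the version slot means the generator fell
    # back to a file location instead of a real version (heuristic).
    if "/" in parts[2]:
        problems.append(f"version looks like a path: {parts[2]!r}")
    return problems


def find_sbom_gaps(sbom_json):
    """Return a sorted list of (location, problem) tuples for an SBOM document."""
    bom = json.loads(sbom_json)
    findings = []

    manufacture = bom.get("metadata", {}).get("manufacture", {})
    if manufacture.get("name", "").strip().lower() in BAD_TOKENS:
        findings.append(("metadata.manufacture", "name is Unknown/empty"))

    for comp in bom.get("components", []):
        ref = comp.get("bom-ref", "")
        if not comp.get("group"):
            findings.append((f"component {ref}", "group is missing"))
        for p in ref_problems(ref):
            findings.append((f"component {ref}", f"bom-ref {p}"))

    for dep in bom.get("dependencies", []):
        ref = dep.get("ref", "")
        for p in ref_problems(ref):
            findings.append((f"dependency {ref}", f"ref {p}"))
        for child in dep.get("dependsOn", []):
            for p in ref_problems(child):
                findings.append((f"dependency {ref} -> {child}", p))

    return sorted(set(findings))


if __name__ == "__main__":
    for where, what in find_sbom_gaps(SAMPLE_SBOM):
        print(f"{where}: {what}")
```

Run it against a real file with `find_sbom_gaps(open("sbom.json").read())`; a non-empty result is a reason to treat the SBOM as incomplete before feeding it to a vulnerability scanner, because every `null` version is a component that will silently match nothing.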