rewrite-maven-plugin
Wrong version of `io.netty:netty-handler` is reported in the SBOM of `Selenese Runner Java`
What version of OpenRewrite are you using?
I am using
- Maven/Gradle plugin v4.45.0
How are you running OpenRewrite?
I am running the maven plugin on https://github.com/vmi/selenese-runner-java/tree/3e84e8e4e7e06aa1bdacaa8266db00f62ebef559.
mvn org.openrewrite.maven:rewrite-maven-plugin:4.45.0:cyclonedx --fail-at-end
What is the smallest, simplest way to reproduce the problem?
git clone git@github.com:vmi/selenese-runner-java.git
git checkout 3e84e8e4e7e06aa1bdacaa8266db00f62ebef559
mvn org.openrewrite.maven:rewrite-maven-plugin:4.45.0:cyclonedx --fail-at-end
# convert to json cyclonedx file (if needed)
# I needed JSON format so I used https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
What did you expect to see?
The version of io.netty:netty-handler should be 4.1.79.Final according to the maven-dependency-plugin. See our report generated from maven-dependency-plugin here.
What did you see instead?
4.1.78.Final was reported.
What is the full stack trace of any errors you encountered?
See the SBOM file produced.
https://github.com/chains-project/SBOM-2023/blob/major-revision/sbom-production/results/selenese-runner-java/openrewrite/sbom.json
Are you interested in contributing a fix to OpenRewrite?
I could give it a try if the contributors can help me debug it.
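A way to turn the comparison in this report (the CycloneDX JSON on one side, the maven-dependency-plugin's resolution on the other) into a repeatable check. This is an added example, not code from the issue, from the reporter, or from OpenRewrite. The SBOM fragment and the `dependency:list` lines inside it are constructed sample data that mirror the reported mismatch; in real use the SBOM would be the generated `sbom.json` and the list would come from `mvn dependency:list -DoutputFile=deps.txt`, which is assumed here to be the way to capture the plugin's output.

```python
"""Diff a CycloneDX JSON SBOM against the versions Maven actually resolved.

Added example, not code from the issue or from OpenRewrite. The SBOM and
the `mvn dependency:list` output below are constructed sample data that
mirror the mismatch reported above (netty-handler 4.1.78.Final in the SBOM
versus 4.1.79.Final resolved by Maven); they are not the real artifacts.
"""
import json
import re

# Constructed CycloneDX 1.4-style document (not the SBOM linked in the issue).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "io.netty", "name": "netty-handler",
         "version": "4.1.78.Final",
         "purl": "pkg:maven/io.netty/netty-handler@4.1.78.Final?type=jar"},
        {"type": "library", "group": "io.netty", "name": "netty-common",
         "version": "4.1.79.Final",
         "purl": "pkg:maven/io.netty/netty-common@4.1.79.Final?type=jar"},
        {"type": "library", "group": "org.seleniumhq.selenium",
         "name": "selenium-java", "version": "4.3.0",
         "purl": "pkg:maven/org.seleniumhq.selenium/selenium-java@4.3.0?type=jar"},
    ],
})

# Constructed lines in the shape `mvn dependency:list` prints:
#   groupId:artifactId:type[:classifier]:version:scope
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO]    io.netty:netty-common:jar:4.1.79.Final:compile
[INFO]    org.seleniumhq.selenium:selenium-java:jar:4.3.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@([^?#]+)")
# The "[INFO]" prefix is absent when the list is written with -DoutputFile.
DEP_LINE_RE = re.compile(
    r"^(?:\[INFO\])?\s+([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([^:\s]+)"
    r":(compile|runtime|provided|test|system)\b"
)


def sbom_versions(sbom_json):
    """Map (group, name) -> version for every library component in the SBOM.

    Falls back to parsing the purl when a component omits group, name or
    version, which some generators do.
    """
    versions = {}
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("type") != "library":
            continue
        group, name, version = comp.get("group"), comp.get("name"), comp.get("version")
        if not (group and name and version):
            match = PURL_RE.match(comp.get("purl", ""))
            if match:
                group, name, version = match.groups()
        if group and name and version:
            versions[(group, name)] = version
    return versions


def resolved_versions(dependency_list_output):
    """Map (group, name) -> version from `mvn dependency:list` output."""
    versions = {}
    for line in dependency_list_output.splitlines():
        match = DEP_LINE_RE.match(line)
        if match:
            versions[(match.group(1), match.group(2))] = match.group(3)
    return versions


def diff_versions(sbom_json, dependency_list_output):
    """Return {(group, name): (sbom_version, resolved_version)} for every
    resolved dependency whose SBOM entry is missing (None) or carries a
    different version than Maven resolved."""
    in_sbom = sbom_versions(sbom_json)
    problems = {}
    for key, resolved in resolved_versions(dependency_list_output).items():
        if in_sbom.get(key) != resolved:
            problems[key] = (in_sbom.get(key), resolved)
    return problems


if __name__ == "__main__":
    for (group, name), (sbom_v, maven_v) in sorted(
            diff_versions(SAMPLE_SBOM, SAMPLE_DEPENDENCY_LIST).items()):
        print(f"{group}:{name}: SBOM says {sbom_v}, Maven resolved {maven_v}")
```

The check treats the plugin's resolution as the reference, which is what the report does; a dependency that Maven resolved but the SBOM lacks is reported alongside version mismatches, since both mean a vulnerability scan driven by the SBOM would look at the wrong artifact.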
Thanks for reporting this issue! Sounds like a big problem if we are not reporting the right version!
Maybe a good way to start working on this would be to try to replicate this in a test like those ones: https://github.com/openrewrite/rewrite-maven-plugin/blob/main/src/test/java/org/openrewrite/maven/RewriteCycloneDxIT.java
If you open a Draft Pull Request we can have a look at it together.
I am on it. I will submit a pull request soon.
This goal has been replaced by a dedicated recipe with a different implementation: https://docs.openrewrite.org/recipes/java/dependencies/softwarebillofmaterials