
old maven dependencies that have moved to a new group are reported incorrectly. #425

Open
tspascoal opened this issue Oct 19, 2023 · 0 comments


When a maven package is moved to a different group, the new group is reported instead of the used one (even though the old one still exists).

See this repro repository that is using the sbom action to report the dependencies.

The dependency being used is mysql:mysql-connector-java:5.1.36

However this package has been moved to another place which only has versions > 8.0.31

If we run ./gradlew app:dependencies

I can see the dependency is correctly identified

```
implementation - Implementation only dependencies for null/main. (n)
+--- com.google.guava:guava:32.1.1-jre (n)
+--- com.webauthn4j:webauthn4j-spring-security-core:0.8.0.RELEASE (n)
\--- mysql:mysql-connector-java:5.1.36 (n)
```

However it's submitted to GitHub dependency submission API as com.mysql.jdbc:mysql-connector-java (notice the new groupId com.mysql.jdbc)


This seems consistent with the SBOM (snippet with some parts cut)

```json
{
   "name": "mysql-connector-java",
   "SPDXID": "SPDXRef-Package-java-archive-mysql-connector-java-f8ab65f985cd53a0",
   "versionInfo": "5.1.36",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "6bb5861f44c21c775ee713a438e5bc493c095f7a"
    }
   ],
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector-java:mysql-connector-java:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql-connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:mysql_connector:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:jdbc:jdbc:5.1.36:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:maven/com.mysql.jdbc/mysql-connector-java@5.1.36"
    }
```
Notice that the SECURITY nodes reference mysql_connector; however, PACKAGE-MANAGER has the new groupId maven/com.mysql.jdbc/mysql-connector-java@5.1.36 (for which version 5.1.3 is not even visible in Maven central).
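The purl is the coordinate that the dependency graph and vulnerability matching key on, so a wrong groupId in the SBOM can hide a known-vulnerable artifact behind coordinates that never shipped that version. The following script, added here as an illustration and not part of sbom-action, syft or the reporter's repository, cross-checks the Maven purls in an SPDX JSON document against the `group:artifact:version` lines of a Gradle `dependencies` tree and reports any artifact whose SBOM namespace differs from the group the build declares. The Gradle output and the trimmed SPDX document embedded below are constructed sample inputs modelled on the snippets in this issue; the function and variable names are the script's own.

```python
"""Cross-check Maven coordinates in an SPDX SBOM against a Gradle dependency tree."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed sample input: a Gradle `dependencies` tree in the shape shown in the issue.
GRADLE_OUTPUT = """\
implementation - Implementation only dependencies for null/main. (n)
+--- com.google.guava:guava:32.1.1-jre (n)
+--- com.webauthn4j:webauthn4j-spring-security-core:0.8.0.RELEASE (n)
\\--- mysql:mysql-connector-java:5.1.36 (n)
"""

# Constructed sample input: a trimmed SPDX 2.3 document carrying the purls from the issue.
SPDX_DOC = {
    "packages": [
        {
            "name": "guava",
            "versionInfo": "32.1.1-jre",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:maven/com.google.guava/guava@32.1.1-jre"},
            ],
        },
        {
            "name": "mysql-connector-java",
            "versionInfo": "5.1.36",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:mysql_connector:jdbc:5.1.36:*:*:*:*:*:*:*"},
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:maven/com.mysql.jdbc/mysql-connector-java@5.1.36"},
            ],
        },
    ]
}

# A Gradle tree line: optional tree drawing, then group:artifact:version,
# e.g. "+--- mysql:mysql-connector-java:5.1.36 (n)".
GAV_LINE = re.compile(r"^[\s|+\\-]*([^\s:]+):([^\s:]+):([^\s:()]+)")
# Gradle prints conflict resolution as "1.0 -> 1.2"; the resolved version is what ships.
RESOLVED = re.compile(r"->\s*([^\s:()]+)")
# A Maven purl: pkg:maven/<namespace>/<name>@<version>[?qualifiers][#subpath]
MAVEN_PURL = re.compile(r"^pkg:maven/([^/@?#]+)/([^/@?#]+)@([^?#]+)")


def parse_gradle_tree(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (artifact, version) -> set of groupIds the Gradle tree declares for it."""
    declared: Dict[Tuple[str, str], Set[str]] = {}
    for line in text.splitlines():
        m = GAV_LINE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        arrow = RESOLVED.search(line[m.end():])
        if arrow:
            version = arrow.group(1)
        declared.setdefault((artifact, version), set()).add(group)
    return declared


def maven_purl_of(package: dict) -> Optional[str]:
    """Return the package's Maven purl from externalRefs, or None if it has none."""
    for ref in package.get("externalRefs", []):
        locator = ref.get("referenceLocator", "")
        if ref.get("referenceType") == "purl" and locator.startswith("pkg:maven/"):
            return locator
    return None


def parse_maven_purl(purl: str) -> Tuple[str, str, str]:
    """Split a Maven purl into (namespace, name, version), percent-decoded."""
    m = MAVEN_PURL.match(purl)
    if not m:
        raise ValueError(f"not a maven purl: {purl}")
    namespace, name, version = (unquote(part) for part in m.groups())
    return namespace, name, version


def find_group_mismatches(gradle_output: str, spdx: dict) -> List[dict]:
    """Report SBOM packages whose purl namespace is not a group the build declares."""
    declared = parse_gradle_tree(gradle_output)
    findings: List[dict] = []
    for pkg in spdx.get("packages", []):
        purl = maven_purl_of(pkg)
        if purl is None:
            continue
        namespace, name, version = parse_maven_purl(purl)
        groups = declared.get((name, version))
        if groups is None:
            continue  # not in the tree we were given (e.g. transitive); nothing to compare
        if namespace not in groups:
            findings.append({"artifact": name, "version": version,
                             "declared_groups": sorted(groups), "sbom_purl": purl})
    return findings


if __name__ == "__main__":
    for f in find_group_mismatches(GRADLE_OUTPUT, SPDX_DOC):
        print(f"group mismatch: build declares {','.join(f['declared_groups'])}:"
              f"{f['artifact']}:{f['version']} but SBOM reports {f['sbom_purl']}")
```

Run against the constructed inputs it prints one finding, for mysql-connector-java 5.1.36 declared under `mysql` but reported under `com.mysql.jdbc`; in a real pipeline you would feed it the actual `./gradlew dependencies` output and the generated SPDX file and fail the job on any non-empty result.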
