Improve SBOMs

[lfrancke]

Tasks

Beta Give feedback

1. Add Pedigree information to our patched products
2. Verify that product SBOMs are correct in that they e.g. list hadoop as the product and not hadoop-common or similar

[dervoeti]

Just as a note for later:
In general, I think the "correct" way to create an SBOM would be to create it during the build, not afterwards (as we do right now with Syft). Some problems might arise when doing this though. For example, Hbase pulls in jackson-databind:2.4.0 via htrace-core4 which seems to be an uber JAR containing jackson-databind:2.4.0 as shaded dependency. I can't find information about the jackson-databind:2.4.0 dependency with Maven (via dependency:tree or cyclonedx-maven-plugin), while tools that analyze the built artifact (like Syft or ScanCode) are able to detect it. So the "reverse analyzed SBOM" might still be the most pragmatic solution. Or we find a way to obtain that information before/during the build.

[lfrancke]

This particular bit of information just gets lost and never recorded anywhere during building and publishing to Nexus.
I'm afraid the best option (as stupid as it sounds) is to do the scan afterwards. It at least recovers some information and I believe we have to live with the fact that perfect SBOMs for the Java ecosystem will be impossible/hard to do for the forseeable future.

• Import transitive dependencies from SBOMs if available CycloneDX/cyclonedx-maven-plugin#497
• https://lists.apache.org/thread/o4j9xoyqnsdjzmh4mm46skqh4hm6tb64