You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just as a note for later:
In general, I think the "correct" way to create an SBOM would be to create it during the build, not afterwards (as we do right now with Syft). Some problems might arise when doing this though. For example, Hbase pulls in jackson-databind:2.4.0 via htrace-core4 which seems to be an uber JAR containing jackson-databind:2.4.0 as shaded dependency. I can't find information about the jackson-databind:2.4.0 dependency with Maven (via dependency:tree or cyclonedx-maven-plugin), while tools that analyze the built artifact (like Syft or ScanCode) are able to detect it. So the "reverse analyzed SBOM" might still be the most pragmatic solution. Or we find a way to obtain that information before/during the build.
This particular bit of information just gets lost and never recorded anywhere during building and publishing to Nexus.
I'm afraid the best option (as stupid as it sounds) is to do the scan afterwards. It at least recovers some information and I believe we have to live with the fact that perfect SBOMs for the Java ecosystem will be impossible/hard to do for the forseeable future.
Tasks
The text was updated successfully, but these errors were encountered: