Re: Behavior change in go-offline between 3.9.2 and 3.9.3

2024-05-13 Thread Voytek Jarnot
I should probably have mentioned a fourth oddity: dependency:tree *does* work with 3.9.3 and above, and does *not* show any commonj.sdo dependency. On Mon, May 13, 2024 at 6:47 PM Voytek Jarnot wrote: > For background: I'm using dependency:go-offline to build docker base > images which have at l

Behavior change in go-offline between 3.9.2 and 3.9.3

2024-05-13 Thread Voytek Jarnot
For background: I'm using dependency:go-offline to build docker base images which have at least some of /root/.m2 pre-populated before they're used for downstream multistage docker builds. I found this issue when upgrading from 3.8.8 to 3.9.6, then further narrowed it down to being caused by a cha

Re: Question on shading and missing dependencies

2024-05-13 Thread Martin Desruisseaux
On 2024-05-13 at 22:52, Piotr P. Karwasz wrote: If the CycloneDX Maven plugin learns to use those SBOMs as metadata source instead of POM files, your problem should be solved. I'm not familiar with CycloneDX, but I think that if any SBOM is used with a shaded artifact, then the metadata s

Re: Question on shading and missing dependencies

2024-05-13 Thread Piotr P. Karwasz
Hi Lars, On Mon, 13 May 2024 at 17:46, Lars Francke wrote: > The problem is that SBOM tools have no realistic chance to gather that > information if all they have is a final artifact and the POMs that > were published as is the case here. An increasing number of Maven artifacts publish CycloneDX

Re: Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
Hi François, thanks for the quick response! The problem is that SBOM tools have no realistic chance to gather that information if all they have is a final artifact and the POMs that were published as is the case here. And as you say: In an ideal world SBOMs would be published along the way but th

Re: Question on shading and missing dependencies

2024-05-13 Thread Francois Marot
Hello Lars, ignoring your second email, I felt like it is normal for the pom to ignore the shaded dependencies. This is how Maven works. For me, it should be the job of an SBOM (CycloneDX format or SPDX for example) to keep the information of what the shaded jar contains. This is the role of SBOMs.

Re: Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
To add to my question I just found that the shade plugin has an option called "keepDependenciesWithProvidedScope"[1] which might have helped here. [1] On Mon, May 13, 2024 at 4:50 PM Lars Fra

Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
Hi, we're hunting vulnerabilities in our dependency tree and I have a question that came up while doing so. We are using HBase (I'm a committer there as well) and HBase has (had) a dependency on the now retired HTrace: org.apache.htrace htrace-core4 HTrace in version 4.2.0