Re: Question on shading and missing dependencies

2024-05-14 Thread Lars Francke
Hi Piotr, thanks for opening that issue. That's a great idea and would be useful to have going forward. And Martin, what you describe can be described using SBOMs as well, so it's a good fit. Cheers, Lars On Tue, May 14, 2024 at 1:15 AM Martin Desruisseaux wrote: > > On 2024-05-13 at 22:52, P

Re: Question on shading and missing dependencies

2024-05-13 Thread Martin Desruisseaux
On 2024-05-13 at 22:52, Piotr P. Karwasz wrote: If the CycloneDX Maven plugin learns to use those SBOMs as metadata source instead of POM files, your problem should be solved. I'm not familiar with CycloneDX, but I think that if any SBOM is used with a shaded artifact, then the metadata s

Re: Question on shading and missing dependencies

2024-05-13 Thread Piotr P. Karwasz
Hi Lars, On Mon, 13 May 2024 at 17:46, Lars Francke wrote: > The problem is that SBOM tools have no realistic chance to gather that > information if all they have is a final artifact and the POMs that > were published as is the case here. An increasing number of Maven artifacts publish CycloneDX

Re: Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
Hi François, thanks for the quick response! The problem is that SBOM tools have no realistic chance to gather that information if all they have is a final artifact and the POMs that were published as is the case here. And as you say: In an ideal world SBOMs would be published along the way but th

Re: Question on shading and missing dependencies

2024-05-13 Thread Francois Marot
Hello Lars, ignoring your second email, I felt like it is normal for the pom to ignore the shaded dependencies. This is how Maven works. For me, it should be the job of an SBOM (CycloneDX format or SPDX for example) to keep the information of what the shaded jar contains. This is the role of SBOMs.

Re: Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
To add to my question I just found that the shade plugin has an option called "keepDependenciesWithProvidedScope"[1] which might have helped here. [1] On Mon, May 13, 2024 at 4:50 PM Lars Fra

Question on shading and missing dependencies

2024-05-13 Thread Lars Francke
Hi, we're hunting vulnerabilities in our dependency tree and I have a question that came up while doing so. We are using HBase (I'm a committer there as well) and HBase has (had) a dependency on the now retired HTrace: org.apache.htrace htrace-core4 HTrace in version 4.2.0