-
-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Track repository_url #495
base: master
Are you sure you want to change the base?
Track repository_url #495
Conversation
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Making this a draft to try another approach. Please feel free to use the PR for testing purposes. Update: Ready for review. |
… up confidence Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@hboutemy @stevespringett Would appreciate a review. |
IIUC, repository_url is an origin repository url for a dependency? from Maven experience on such feature for dependencies reports, if a repository manager is used, it's not possible to identify the origin repository of a dependency: that's why we removed the feature a few years ago I don't think this is feasible in a consistent way, that's a general Maven issue, shared by every plugin that tried to do that |
@hboutemy Thank you for the comments. If a repository manager is used and if we get the url to the manager instance that is still a useful information for enterprise customers. Currently, there is no visibility about either the repository manager or the origin. |
I just looked more at the example SBOM given, here is an example component with the new data that I see
I see 2 parts:
let's discuss the |
Thanks @hboutemy. The repository_url is added when maven resolves and pulls the jar from a remote repository and not from a local cache. There is an if condition to ensure this is the case.
When executing this PR branch with a custom repository proxy and maven repo directory using
|
@hboutemy any feedback based on my last comment? |
as you can see from your second example generated SBOM, the resulting repository_url is the url of a proxy = something unusable (I'm even surprised by the IP in http://0.0.0.0:8080/releases value) I understand the dream of this PR, but this is a dream: Maven cannot do that reliably Thinking about it, if you want to work on this aspect, see #245, I'd propose to focus on the distribution-intake external reference: from intake of a dependency, defining the distribution external reference of that dependency can make sense and please, when sharing example, please share first a simple example before sharing complex ones: simple is to define precisely the feature, while complex is useful to see at scale |
@hboutemy I disagree with the word unusable. It is showing all the packages that got downloaded from a private internal repository (happens to run on localhost). It gives the confidence that there was no local cache (could be malicious) that was used. From the administrative settings of the internal registry, we can find the upstream public repository that was used for caching and it is absolutely fine if the SBOM tool doesn't have this information. The second part of the PR sets identity evidence, which IMHO, is quite important for any SBOM tool. |
Supersedes #494 by also setting component evidence for 1.5 spec.
With this PR, purl for the components would include
repository_url
qualifier for repositories that is nothttps://repo.maven.apache.org/maven2
as per purl spec.Example BOM generated for the repo https://github.com/eclipse-jkube/jkube is attached.
bom.xml.txt
bom.json.txt
Things to clarify
package-url/purl-spec#303