We have some Java Maven applications and the file structure is like:
root
  --submodule1
    --src
    --pom.xml (pom1, package type is jar)
  --submodule2
    --src
    --pom.xml (pom2, package type is jar)
  --submodule3
    --src
    --pom.xml (pom3, package type is jar)
  --pom.xml (root-pom, package type is pom)
What we want is to generate an SBOM which not only includes all dependencies from pom1, pom2, pom3 and the root pom, but also represents each pom file as a separate block inside, so that we can use it to get the dependency tree in the next step. For example, in bom.json:
[
  {
    "ref": "pkg:from pom 1",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  {
    "ref": "pkg:from pom 2",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  {
    "ref": "pkg:from pom 3",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  {
    "ref": "pkg:from root pom",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  }
]
I tried to use cdxgen to do this with 'cdxgen -r -t maven -o bom.json' or 'cdxgen -r -t java -o bom.json'. What we found is that the bom.json generated by cdxgen does have all the dependencies from all pom files (pom1, pom2, pom3 and root pom), but the dependencies from the root-pom were scattered and not grouped together. Only dependencies from the submodules (pom1, pom2, pom3) were grouped.
[
  {
    "ref": "pkg:from pom 1",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  {
    "ref": "pkg:from pom 2",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  {
    "ref": "pkg:from pom 3",
    "dependsOn": [
      "pkg:maven/xxxx",
      "pkg:maven/xxxxxx"
    ]
  },
  // dependencies from root pom, but not grouped
  {
    "ref": "pkg: others",
    "dependsOn": [
      "pkg:maven/xxxx"
    ]
  }
]
Looks like the dependencies from the root pom can't be grouped due to its package type 'pom'. Could someone help with this? Many thanks.
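The "next step" in the post, getting a per-pom dependency tree out of bom.json, can be done from the CycloneDX output as it is: the `dependencies` array is a flat list of `{"ref", "dependsOn"}` entries, so each module's subtree is a graph walk from that module's ref. The script below is an added example written for this thread, not code from the poster or from cdxgen. It assumes the root pom is `metadata.component` and that the submodules are its direct `dependsOn` entries (`default_module_refs`; change that if your BOM models modules differently), and it embeds a small hand-constructed BOM with the same shape as the question: two jar modules, a pom root, and one library (`lib-c`) that no module reaches, standing in for the "scattered" entries.

```python
"""Turn the flat CycloneDX `dependencies` array of a bom.json into per-module trees
and report refs that no module reaches (the "scattered" entries in the question).
Added example, not cdxgen code; SAMPLE_BOM below is constructed by hand."""
import json
import sys
from typing import Dict, List, Set

ROOT = "pkg:maven/com.example/root@1.0.0?type=pom"
SUB1 = "pkg:maven/com.example/submodule1@1.0.0?type=jar"
SUB2 = "pkg:maven/com.example/submodule2@1.0.0?type=jar"
LIB_A = "pkg:maven/org.example/lib-a@2.0.0?type=jar"
LIB_B = "pkg:maven/org.example/lib-b@3.1.0?type=jar"
LIB_C = "pkg:maven/org.example/lib-c@0.9.0?type=jar"

# Constructed stand-in for a bom.json: only the fields this script reads.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": ROOT, "name": "root"}},
    "components": [
        {"type": "library", "bom-ref": r, "name": r.split("/")[2].split("@")[0]}
        for r in (SUB1, SUB2, LIB_A, LIB_B, LIB_C)
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [SUB1, SUB2]},
        {"ref": SUB1, "dependsOn": [LIB_A]},
        {"ref": SUB2, "dependsOn": [LIB_A, LIB_B]},
        {"ref": LIB_A, "dependsOn": [LIB_B]},
        {"ref": LIB_C, "dependsOn": []},  # in the BOM, but reached by no module
    ],
}


def edges(bom: dict) -> Dict[str, List[str]]:
    """Adjacency list from the flat dependencies array: ref -> direct dependsOn refs."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def default_module_refs(bom: dict) -> List[str]:
    """Assumption: the root pom is metadata.component and the submodules are its
    direct dependsOn entries. Adjust if your BOM models modules differently."""
    root = bom["metadata"]["component"]["bom-ref"]
    return [root] + edges(bom).get(root, [])


def transitive(graph: Dict[str, List[str]], ref: str) -> Set[str]:
    """Every ref reachable from ref (ref itself excluded); safe on cyclic graphs."""
    seen: Set[str] = set()
    stack = list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(graph.get(cur, []))
    return seen


def tree(graph: Dict[str, List[str]], ref: str, path: Set[str] = frozenset()) -> dict:
    """Nested {child: {grandchild: {...}}} view of ref; a ref already on the current
    path is cut off so a dependency cycle cannot recurse forever."""
    if ref in path:
        return {}
    path = set(path) | {ref}
    return {child: tree(graph, child, path) for child in graph.get(ref, [])}


def grouped_blocks(bom: dict, modules: List[str]) -> List[dict]:
    """One {"ref", "dependsOn"} block per module, with dependsOn expanded to the
    full transitive closure so each pom's subtree is readable on its own."""
    graph = edges(bom)
    return [{"ref": m, "dependsOn": sorted(transitive(graph, m))} for m in modules]


def ungrouped_refs(bom: dict, modules: List[str]) -> List[str]:
    """Refs present in the BOM but reachable from no module: the entries that
    end up 'scattered' instead of under a pom."""
    graph = edges(bom)
    reachable = set(modules)
    for m in modules:
        reachable |= transitive(graph, m)
    known = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c} | set(graph)
    return sorted(known - reachable)


if __name__ == "__main__":
    # Usage: python bom_tree.py [bom.json]; with no argument the constructed sample is used.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    modules = default_module_refs(bom)
    print(json.dumps(grouped_blocks(bom, modules), indent=2))
    for ref in ungrouped_refs(bom, modules):
        print("not reachable from any module:", ref)
```

`ungrouped_refs` is the check worth keeping in CI: if it returns anything for a real bom.json, those components are in the SBOM but attributed to no module, which is exactly the situation described above and is where vulnerability matches lose their "which service ships this" answer.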