
Maven package not identified in dependencies #1576

Open
ghsa-retrieval opened this issue Feb 10, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@ghsa-retrieval

ghsa-retrieval commented Feb 10, 2025

Describe the bug
When running load_sbom, errors are reported for Maven dependencies during the create_dependencies operation. 110 packages are affected. Example:
Could not find resolved_to package entry: pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar

System configuration

  • Which version of ScanCode.io are you running?
  • Are you running the app using Docker?
    • No, Helm chart for Kubernetes
  • On which OS?
    • Linux
  • What inputs are you using?
    • SBOM generated with cdxgen (see excerpt below)
  • Which pipeline are you running?
    • load_sbom

Relevant part from SBOM:

    {
      "type": "framework",
      "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
      "group": "org.apache.logging.log4j",
      "name": "log4j-core",
      "version": "2.24.1",
      "description": "A versatile, industrial-grade, and reference implementation of the Log4j API.\n    It bundles a rich set of components to assist various use cases:\n    Appenders targeting files, network sockets, databases, SMTP servers;\n    Layouts that can render CSV, HTML, JSON, Syslog, etc. formatted outputs;\n    Filters that can be configured using log event rates, regular expressions, scripts, time, etc.\n    It contains several extension points to introduce custom components, if needed.",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "url": "https://opensource.org/licenses/Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
      "properties": [
        {
          "name": "GradleProfileName",
          "value": "compileClasspath"
        }
      ]
    },

To Reproduce

  1. Create a product in DejaCode
  2. Use Action > Load Packages from SBOMs

mwe-scancode-io-1576-v6.json

Note: This file has been crafted by hand based on the original file which I cannot share. It should result in the aforementioned error for the package log4j-api@2.24.1.

Expected behavior
ScanCode.io should be able to resolve the package.

Screenshots
n.a.
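A pre-flight check that can be run on a CycloneDX SBOM before loading it, added here as an example and not code from ScanCode.io or from the reporter: it lists every `ref` / `dependsOn` entry in the `dependencies` section that matches no component `bom-ref` or `purl`, which is one way a purl can end up with no package entry to resolve to (whether that is the cause of this report is an assumption). The sample SBOM is constructed inline and is not the attached MWE file.

```python
import json

# Constructed CycloneDX 1.6 excerpt (not the attached MWE): the dependency
# graph refers to a log4j-api purl that has no component entry of its own.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{
        "type": "framework",
        "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
        "group": "org.apache.logging.log4j",
        "name": "log4j-core",
        "version": "2.24.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
    }],
    "dependencies": [{
        "ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
        "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.24.1?type=jar"],
    }],
})


def known_refs(components, known=None):
    """Collect every bom-ref and purl, recursing into nested components."""
    known = set() if known is None else known
    for comp in components:
        for key in ("bom-ref", "purl"):
            if comp.get(key):
                known.add(comp[key])
        known_refs(comp.get("components", []), known)
    return known


def unresolved_dependency_refs(sbom_text):
    """Return dependency refs (ref or dependsOn) that match no component.

    A ref resolves when it equals some component's bom-ref or purl; the
    metadata.component (the SBOM's root) counts as a component as well.
    """
    sbom = json.loads(sbom_text)
    known = known_refs(sbom.get("components", []))
    root = sbom.get("metadata", {}).get("component")
    if root:
        known_refs([root], known)
    missing = set()
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref"), *dep.get("dependsOn", [])]:
            if ref and ref not in known:
                missing.add(ref)
    return missing
```

Run `unresolved_dependency_refs(open(path).read())` against the file you are about to load; an empty set means every dependency edge points at an existing component entry.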

@mjherzog
Member

@ghsa-retrieval Assuming that this is a CycloneDX format SBOM, what is the spec version?

@ghsa-retrieval
Author

@mjherzog Correct it is CycloneDX 1.6.

@ghsa-retrieval
Author

@mjherzog MWE has been identified and is now attached.
