Tool name in BOM is overloaded: use properties instead #336

Closed
msymons opened this issue Apr 12, 2023 · 1 comment · Fixed by #340
@msymons (Contributor)

msymons commented Apr 12, 2023

Starting in plugin v2.7.5, the name element of the tool section of the BOM has been overloaded.

Was: CycloneDX Maven plugin

Now we have:

      <tool>
        <vendor>OWASP Foundation</vendor>
        <name>CycloneDX Maven plugin makeAggregateBom compile+provided+runtime+system</name>
        <version>2.7.6</version>
        <hashes>
          <hash alg="MD5">639c35c7f79c5514f3abe11247999b70</hash>
          <hash alg="SHA-1">649239e622d8d454bb9ab6fafd6746c85cd11b7d</hash>
          <hash alg="SHA-256">1e3bc10146c370fe8b8f0a2edcb64329907d61dbc2f445db6ac1034cd3221ce3</hash>
          <hash alg="SHA-512">894a4b5762d32c88cc58ae1a35a3cc3d45a3c494accadb31b55b5832af65f60c0f8164623521a81de73e3ed6a4c994cca0f1951c8368b9d07fb41c82eaa84bbd</hash>
          <hash alg="SHA-384">3c385acc773a41056fb58ea27096c8ec86d46d8bd74a2eee9cf0913051981611afc68cf13a88d31af16590a489a97c0e</hash>
          <hash alg="SHA3-384">93695160055039f4791ecebd61c7aa6130f074f50a823de6e5aff7217c35548062829ec2b930658c2702cd47ea3118a1</hash>
          <hash alg="SHA3-256">4c9f5d3ab2b6ab9b4b4a8968a7ee2373b85a496bec34eefd96ed7c8260d2a45b</hash>
          <hash alg="SHA3-512">c2af46fe07c4be746fdc0b54e9eb3285231055c5401bcfb34c2d9392efe27fe9c16a0edd91615970bfae3f4a59846e89c3d88a6a36d4ba110a6d140a04fe184d</hash>
        </hashes>
      </tool>

This will cause problems should an ingesting system (such as Dependency-Track) want to track what tools are used to generate each BOM... the element contains too much information.

Use CycloneDX properties to document makeAggregateBom compile+provided+runtime+system

And if we need to register a taxonomy for cdx:java, then we can do that via raising a PR in cyclonedx-property-taxonomy
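To make the ingestion problem concrete, here is an added example (not code from the issue, the plugin, or Dependency-Track) of what a BOM consumer sees in each case. It parses the metadata/tools and metadata/properties sections of a CycloneDX 1.4 XML BOM with the standard library, flags tool names that carry extra tokens after a known tool name, and shows that the properties-based form yields a stable (vendor, name, version) key with the goal and scopes exposed separately. The two BOM fragments are constructed, the hash values are placeholders, and the property names `maven.goal` and `maven.scopes` are assumptions for illustration; the names actually chosen by the plugin are not stated in this issue.

```python
import xml.etree.ElementTree as ET

# CycloneDX 1.4 XML namespace (assumption: adjust for other schema versions).
NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample: the overloaded tool name reported in the issue.
# The hash is a placeholder, not a real digest of the plugin jar.
OVERLOADED_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <tools>
      <tool>
        <vendor>OWASP Foundation</vendor>
        <name>CycloneDX Maven plugin makeAggregateBom compile+provided+runtime+system</name>
        <version>2.7.6</version>
        <hashes>
          <hash alg="SHA-256">PLACEHOLDER_SHA256</hash>
        </hashes>
      </tool>
    </tools>
  </metadata>
</bom>
"""

# Constructed sample of the proposed fix: plain tool name, goal and scopes
# moved to metadata properties. Property names are hypothetical.
PROPERTIES_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <tools>
      <tool>
        <vendor>OWASP Foundation</vendor>
        <name>CycloneDX Maven plugin</name>
        <version>2.7.7</version>
      </tool>
    </tools>
    <properties>
      <property name="maven.goal">makeAggregateBom</property>
      <property name="maven.scopes">compile,provided,runtime,system</property>
    </properties>
  </metadata>
</bom>
"""

# Tool names the ingesting system knows how to track (constructed allowlist).
KNOWN_TOOLS = {"CycloneDX Maven plugin"}


def parse_metadata(xml_text):
    """Return the tools and metadata properties an ingesting system would index."""
    root = ET.fromstring(xml_text)
    tools = []
    for tool in root.findall("bom:metadata/bom:tools/bom:tool", NS):
        tools.append({
            "vendor": tool.findtext("bom:vendor", default="", namespaces=NS),
            "name": tool.findtext("bom:name", default="", namespaces=NS),
            "version": tool.findtext("bom:version", default="", namespaces=NS),
            "hashes": {h.get("alg"): (h.text or "")
                       for h in tool.findall("bom:hashes/bom:hash", NS)},
        })
    properties = {
        p.get("name"): (p.text or "")
        for p in root.findall("bom:metadata/bom:properties/bom:property", NS)
    }
    return {"tools": tools, "properties": properties}


def overloaded_tool_names(meta, known=KNOWN_TOOLS):
    """Tool names that begin with a known tool name but carry trailing tokens.

    Such names cannot be matched to a tracked tool without string surgery,
    which is exactly the ingestion problem the issue describes.
    """
    flagged = []
    for tool in meta["tools"]:
        name = tool["name"]
        if name in known:
            continue
        if any(name.startswith(k + " ") for k in known):
            flagged.append(name)
    return flagged


def tool_keys(meta):
    """The (vendor, name, version) identity a consumer would track per BOM."""
    return [(t["vendor"], t["name"], t["version"]) for t in meta["tools"]]


if __name__ == "__main__":
    for label, bom in (("overloaded", OVERLOADED_BOM), ("properties", PROPERTIES_BOM)):
        meta = parse_metadata(bom)
        print(label, "keys:", tool_keys(meta))
        print(label, "properties:", meta["properties"])
        print(label, "overloaded names:", overloaded_tool_names(meta))
```

Run as-is to compare the two forms: the overloaded BOM produces a different tool key for every goal/scope combination and is flagged, while the properties-based BOM keeps one key per plugin version and carries the build context in `metadata/properties`, where a consumer can read it without parsing the name.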

@hboutemy (Contributor)

hboutemy commented Apr 13, 2023

oh, good point, I thought #283 was a good idea :)
good idea, but bad implementation: I'll replace with metadata properties, I did not see that part of the spec that better fits

looking at existing cdx taxonomies https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx.md,
I think I'll start simple without taxonomy, then we'll discuss (maven?) taxonomy in a future enhancement: we will create a separate issue

@hboutemy hboutemy self-assigned this Apr 13, 2023
@hboutemy hboutemy added the bug label Apr 13, 2023
@hboutemy hboutemy added this to the 2.7.7 milestone Apr 13, 2023
@hboutemy hboutemy changed the title Tool Name in BOM is Overloaded Tool name in BOM is overloaded: use properties instead Apr 16, 2023