Labels: kind/bug

Description
mvn handles modules separately. Trivy uses the same logic:

trivy/pkg/dependency/parser/java/pom/parse.go, lines 142 to 143 in 57e24aa:

```go
// Modules should be handled separately so that they can have independent dependencies.
// It means multi-module allows for duplicate dependencies.
```
But the SPDX format doesn't allow duplicate SPDXIDs: https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field
Same for CycloneDX: https://cyclonedx.org/docs/1.6/json/#components
Solutions

- We will add a `workspace` relationship for Maven modules (see "bug(java): dependOn contains extra dependencies for pom.xml files with modules when using SBOM formats", #7802). After these changes Trivy will use `rootPkg -> workspace -> directDeps -> IndirectDeps` logic. This logic is different from `mvn` logic, so we may want to remove duplicates in the parser.
- We will remove duplicates when converting Report into BOM.
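The second solution, removing duplicates when the Report is converted into a BOM, is illustrated below as an added example; this is not Trivy's code, the `Package` type and the `rootPkg`-style IDs are hypothetical stand-ins, and both the package list and the SPDX fragment are constructed to mirror the test project in this issue. `DedupeByID` keeps the first occurrence of each package ID and merges the declaring modules of later duplicates so no dependency edge is lost, and `DuplicateSPDXIDs` is the check a consumer can run over a generated SPDX JSON document to confirm every package SPDXID is unique.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Package is a hypothetical, simplified stand-in for one entry of Trivy's
// package list (not Trivy's own type). ID uses the "group:artifact:version"
// form shown in the report; Parents lists the modules that declared it.
type Package struct {
	ID      string
	Parents []string
}

// SampleReport is a constructed package list mirroring the test project in the
// issue: module1 and module2 both declare org.example:example-api:1.1.1, so a
// per-module parse emits that package twice.
func SampleReport() []Package {
	return []Package{
		{ID: "com.example:root:1.0.0"},
		{ID: "com.example:module1:1.0.0", Parents: []string{"com.example:root:1.0.0"}},
		{ID: "org.example:example-api:1.1.1", Parents: []string{"com.example:module1:1.0.0"}},
		{ID: "com.example:module2:2.0.0", Parents: []string{"com.example:root:1.0.0"}},
		{ID: "org.example:example-api:1.1.1", Parents: []string{"com.example:module2:2.0.0"}},
	}
}

// DedupeByID collapses packages that share an ID into one entry. The position
// of the first occurrence is kept, so output order is deterministic, and the
// Parents of later duplicates are appended so no dependency edge is lost.
func DedupeByID(pkgs []Package) []Package {
	index := make(map[string]int, len(pkgs))
	out := make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		if i, seen := index[p.ID]; seen {
			out[i].Parents = append(out[i].Parents, p.Parents...)
			continue
		}
		index[p.ID] = len(out)
		// Copy the slice so later appends never alias the caller's data.
		out = append(out, Package{ID: p.ID, Parents: append([]string(nil), p.Parents...)})
	}
	return out
}

// spdxDoc captures only the fields this check reads from an SPDX 2.3 JSON file.
type spdxDoc struct {
	Packages []struct {
		Name   string `json:"name"`
		SPDXID string `json:"SPDXID"`
	} `json:"packages"`
}

// DuplicateSPDXIDs parses an SPDX JSON document and returns, sorted, every
// SPDXID used by more than one package; the spec requires them to be unique.
func DuplicateSPDXIDs(doc []byte) ([]string, error) {
	var d spdxDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	count := make(map[string]int)
	for _, p := range d.Packages {
		count[p.SPDXID]++
	}
	var dups []string
	for id, n := range count {
		if n > 1 {
			dups = append(dups, id)
		}
	}
	sort.Strings(dups)
	return dups, nil
}

// SampleSPDX is a constructed fragment shaped like the trivy spdx-json output
// in the issue, reproducing the duplicated SPDXID (root's ID is a placeholder).
const SampleSPDX = `{"packages":[
 {"name":"com.example:root","SPDXID":"SPDXRef-Package-PLACEHOLDER"},
 {"name":"org.example:example-api","SPDXID":"SPDXRef-Package-a9813b377fc4bc80"},
 {"name":"org.example:example-api","SPDXID":"SPDXRef-Package-a9813b377fc4bc80"}
]}`

func main() {
	for _, p := range DedupeByID(SampleReport()) {
		fmt.Printf("%s <- %v\n", p.ID, p.Parents)
	}
	dups, err := DuplicateSPDXIDs([]byte(SampleSPDX))
	fmt.Println("duplicate SPDXIDs:", dups, err)
}
```

Running it prints four unique packages, with `org.example:example-api:1.1.1` now carrying both module1 and module2 as parents, and reports `SPDXRef-Package-a9813b377fc4bc80` as the one duplicated identifier in the constructed document. Deduplicating by ID before identifiers are derived is what keeps the SPDX and CycloneDX output valid; the `workspace` relationship from the first solution is what preserves the per-module structure that a plain dedup would otherwise flatten.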
Example

Test project:

➜ cat pom.xml
```xml
<groupId>com.example</groupId>
<artifactId>root</artifactId>
<version>1.0.0</version>
<modules>
  <module>module1</module>
  <module>module2</module>
</modules>
```

➜ cat module1/pom.xml
```xml
<groupId>com.example</groupId>
<artifactId>module1</artifactId>
<version>1.0.0</version>
<dependencies>
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>example-api</artifactId>
    <version>1.1.1</version>
  </dependency>
</dependencies>
```

➜ cat module2/pom.xml
```xml
<groupId>com.example</groupId>
<artifactId>module2</artifactId>
<version>2.0.0</version>
<dependencies>
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>example-api</artifactId>
    <version>1.1.1</version>
  </dependency>
</dependencies>
```

mvn output:
```
➜ mvn dependency:tree
[INFO] ------------------------< com.example:module1 >-------------------------
[INFO] Building module1 1.0.0 [1/3]
[INFO] from module1/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for org.example:example-api:jar:1.1.1 is missing, no dependency information available
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ module1 ---
[INFO] com.example:module1:jar:1.0.0
[INFO] \- org.example:example-api:jar:1.1.1:compile
[INFO]
[INFO] ------------------------< com.example:module2 >-------------------------
[INFO] Building module2 2.0.0 [2/3]
[INFO] from module2/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ module2 ---
[INFO] com.example:module2:jar:2.0.0
[INFO] \- org.example:example-api:jar:1.1.1:compile
[INFO]
[INFO] --------------------------< com.example:root >--------------------------
[INFO] Building root 1.0.0 [3/3]
[INFO] from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ root ---
[INFO] com.example:root:pom:1.0.0
[INFO] ------------------------------------------------------------------------
```
trivy outputs:

```
➜ trivy -q fs ./pom.xml -f json --list-all-pkgs | grep ID
...
"ID": "org.example:example-api:1.1.1",
"UID": "e574f6e703187373"
"ID": "org.example:example-api:1.1.1",
"UID": "e574f6e703187373"
```

```
➜ trivy -q fs ./pom.xml -f spdx-json | grep SPDXID -B 1
...
"name": "org.example:example-api",
"SPDXID": "SPDXRef-Package-a9813b377fc4bc80",
--
"name": "org.example:example-api",
"SPDXID": "SPDXRef-Package-a9813b377fc4bc80",
...
```

Discussed in #7795