Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jenkins-core with minimal version is included in bom.json when running makeAggregateBom for a Jenkins plugin #588

Open
Bruceliu-rs opened this issue Dec 17, 2024 · 2 comments
Open

Jenkins-core with minimal version is included in bom.json when running makeAggregateBom for a Jenkins plugin #588

Bruceliu-rs opened this issue Dec 17, 2024 · 2 comments

Comments

@Bruceliu-rs
Copy link

Bruceliu-rs commented Dec 17, 2024
edited
Loading

I am trying creating bom.json for many Jenkins plugins, but I found the generated bom.json includes jenkins-core dependency with the minimal version declared in the plugin's pom.xml, here is a sample for artifactory plugin https://github.com/jenkinsci/artifactory-plugin.
My Jenkins version(2.479.2) is much higher than the minimal version(2.263.1). After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has upgraded to 2.479.2. Any way to exclude this dependency, I tried -DexcludeArtifactId, but the Jenkins-core artifactid didn't exist in the pom.xml.

Here is the version defined in pom.xml.
...


<jenkins.version>2.263.1</jenkins.version>
<java.level>8</java.level>
...

Here is the dependency generated in bom.json
......
"type" : "library",
"bom-ref" : "pkg:maven/org.jenkins-ci.main/[email protected]?type=jar",
"group" : "org.jenkins-ci.main",
"name" : "jenkins-core",
"version" : "2.263.1",
"description" : "Jenkins core code and view files to render HTML.",
......

I manually add this plugin into the artifactory plugin's pom.xml.
......

    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.9.1</version>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
    </plugin>

......
Did I do anything wrong?

Thanks. Any comments are welcome.
@Bruceliu-rs
Copy link
Author

May I have some update please? Thanks.

@hboutemy
Copy link
Contributor

hboutemy commented Jan 7, 2025

I am trying creating bom.json for many Jenkins plugins, but I found the generated bom.json includes jenkins-core dependency with the minimal version declared in the plugin's pom.xml,

My Jenkins version(2.479.2) is much higher than the minimal version(2.263.1)

cyclonedx-maven-plugin works at build time, then reports on build dependencies: no surprise it knows only about build-time versions, and not each and every runtime from every user.

After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has upgraded to 2.479.2

I see the consequence, yes.

it seems you're not interested into build time, but runtime (like OBOM): that's not the purpose of cyclonedx-maven-plugin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hboutemy @Bruceliu-rs