@rudsberg rudsberg commented Jan 31, 2025

This PR fixes two issues:

  • If an artifact cannot be resolved via the RepositorySystem it can throw an ArtifactResolutionException, causing the SBOM generation to fail. This can happen for an artifact that cannot be located locally or on Maven Central. An example of such an artifact: com.example:demo:jar:sources:0.0.1-SNAPSHOT. The fix is to catch the ArtifactResolutionException and return Optional.empty() from resolvePackageNamesFromArtifact. Such components will not be pruned by Native Image and will be included under components.
  • The SBOM for a simple app with no dependencies will only contain the application component and it will be listed under metadata/component and the components list will be empty. Previously we incorrectly threw an exception for such cases. The fix is to simply return from the augmentSBOM method instead of throwing the exception.

I also added a fallback mechanism: if the SBOMGenerator for some reason fails for users that didn't explicitly opt-in to using an augmentedSBOM, we absorb the failure and proceed with a non-augmented SBOM.
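An added sketch (not native-build-tools code) of the resolution and fallback behaviour described in this PR, written against the Maven Resolver API the description names; the record, the `packageNamesIn` helper and `generateWithFallback` are assumed names for illustration, not the project's own:

```java
import java.io.File;
import java.io.IOException;
import java.util.*;
import java.util.function.Supplier;
import java.util.jar.JarFile;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.resolution.ArtifactRequest;
import org.eclipse.aether.resolution.ArtifactResolutionException;
import org.eclipse.aether.resolution.ArtifactResult;

/** Illustrative sketch only (assumed structure, not native-build-tools code). */
public record SbomResolutionExample(RepositorySystem system, RepositorySystemSession session,
                                    List<RemoteRepository> repositories) {
    /** Package names in the artifact's jar, or empty when the artifact cannot be resolved anywhere. */
    public Optional<Set<String>> resolvePackageNamesFromArtifact(String coordinates) {
        ArtifactRequest request = new ArtifactRequest(new DefaultArtifact(coordinates), repositories(), null);
        try {
            ArtifactResult result = system().resolveArtifact(session(), request);
            return Optional.of(packageNamesIn(result.getArtifact().getFile()));
        } catch (ArtifactResolutionException | IOException e) {
            // Unresolvable (e.g. a SNAPSHOT sources jar absent from local repo and Maven Central):
            // report "unknown" so the caller keeps the component rather than failing the build.
            return Optional.empty();
        }
    }

    /** Collect the package part of every .class entry (java/util/Map.class -> java.util). */
    static Set<String> packageNamesIn(File jar) throws IOException {
        Set<String> packages = new TreeSet<>();
        try (JarFile jarFile = new JarFile(jar)) {
            jarFile.stream().map(e -> e.getName())
                   .filter(n -> n.endsWith(".class") && n.contains("/"))
                   .forEach(n -> packages.add(n.substring(0, n.lastIndexOf('/')).replace('/', '.')));
        }
        return packages;
    }

    /** Prefer the augmented SBOM; only surface its failure to users who explicitly opted in. */
    public static <T> T generateWithFallback(Supplier<T> augmented, Supplier<T> plain, boolean augmentedOptIn) {
        try {
            return augmented.get();
        } catch (RuntimeException e) {
            if (augmentedOptIn) throw e; // user asked for augmentation: surface the failure
            return plain.get();          // otherwise degrade to a non-augmented SBOM
        }
    }
}
```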

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jan 31, 2025
@rudsberg rudsberg marked this pull request as draft January 31, 2025 12:34
@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch 3 times, most recently from 73b8a47 to 1071aad Compare January 31, 2025 13:27
@rudsberg rudsberg requested review from dnestoro and melix January 31, 2025 13:30
@rudsberg rudsberg marked this pull request as ready for review February 6, 2025 16:09
@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch from 1071aad to 5532735 Compare February 10, 2025 11:16
dnestoro commented Feb 13, 2025

@rudsberg please wait for @melix approval as well before merging

@melix melix left a comment

@dnestoro can we merge again? If so we should think of a better way to handle releases, because I also have pending PRs for weeks, and having to come back and rebase everything is not fun.

@dnestoro dnestoro merged commit cf723b8 into master Feb 14, 2025
135 checks passed
@dnestoro dnestoro deleted the bug/sbom-unresolved-artifact branch February 14, 2025 14:58