
SBOM: fix issue with unresolved artifacts and empty "components" #688

Open. rudsberg wants to merge 2 commits into master from bug/sbom-unresolved-artifact

Conversation

@rudsberg (Contributor) commented Jan 31, 2025

This PR fixes two issues:

  • If an artifact cannot be resolved via the RepositorySystem, it can throw an ArtifactResolutionException, causing the SBOM generation to fail. This can happen for an artifact that cannot be located locally or on Maven Central. An example of such an artifact: com.example:demo:jar:sources:0.0.1-SNAPSHOT. The fix is to catch the ArtifactResolutionException and return Optional.empty() from resolvePackageNamesFromArtifact. Such components will not be pruned by Native Image and will be included under components.
  • The SBOM for a simple app with no dependencies will only contain the application component and it will be listed under metadata/component and the components list will be empty. Previously we incorrectly threw an exception for such cases. The fix is to simply return from the augmentSBOM method instead of throwing the exception.

I also added a fallback mechanism: if the SBOMGenerator for some reason fails for users that didn't explicitly opt-in to using an augmentedSBOM, we absorb the failure and proceed with a non-augmented SBOM.
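Added example, not code from the PR or from the project: a Java sketch of the two fixes and the fallback described above, using the Maven Resolver (`org.eclipse.aether`) API. The class name `SbomAugmentSketch`, the method signatures and return types, and the `augmentedSbomOptedIn` flag are assumptions; only the method names and the exception type come from the PR text.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.jar.JarFile;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.resolution.ArtifactRequest;
import org.eclipse.aether.resolution.ArtifactResolutionException;
/** Hypothetical sketch of the PR's fixes; the class name, signatures and return types are assumptions. */
final class SbomAugmentSketch {
    /** Package names found in the artifact's jar, or Optional.empty() if the artifact cannot be resolved. */
    static Optional<Set<String>> resolvePackageNamesFromArtifact(RepositorySystem system,
            RepositorySystemSession session, List<RemoteRepository> repos, Artifact artifact) {
        try {
            ArtifactRequest request = new ArtifactRequest(artifact, repos, null);
            Set<String> packages = new TreeSet<>();
            try (JarFile jar = new JarFile(system.resolveArtifact(session, request).getArtifact().getFile())) {
                jar.stream().map(e -> e.getName())
                   .filter(n -> n.endsWith(".class") && n.lastIndexOf('/') > 0)
                   .forEach(n -> packages.add(n.substring(0, n.lastIndexOf('/')).replace('/', '.')));
            }
            return Optional.of(packages);
        } catch (ArtifactResolutionException | IOException e) {
            // Unresolvable locally or remotely (e.g. a sources classifier): no package data, so Native Image
            // cannot prune this component and it stays listed under "components" unchanged.
            return Optional.empty();
        }
    }
    /** Packages per dependency coordinate; an app without dependencies legitimately yields an empty map. */
    static Map<String, Set<String>> augmentSBOM(RepositorySystem system, RepositorySystemSession session,
            List<RemoteRepository> repos, List<Artifact> components) {
        Map<String, Set<String>> byComponent = new TreeMap<>();
        if (components.isEmpty()) return byComponent; // only metadata/component exists; do not throw
        for (Artifact a : components) {
            resolvePackageNamesFromArtifact(system, session, repos, a).ifPresent(p -> byComponent.put(a.toString(), p));
        }
        return byComponent;
    }
    /** Fallback: unless the user opted in to an augmented SBOM, a failure yields the plain SBOM instead. */
    static Map<String, Set<String>> augmentOrFallback(boolean augmentedSbomOptedIn, RepositorySystem system,
            RepositorySystemSession session, List<RemoteRepository> repos, List<Artifact> components) {
        try { return augmentSBOM(system, session, repos, components); }
        catch (RuntimeException e) { if (augmentedSbomOptedIn) throw e; return Map.of(); }
    }
}
```

The opt-in check in `augmentOrFallback` is the part to watch: a silently degraded SBOM for users who explicitly requested augmentation would hide missing package data, so only the non-opted-in path absorbs the failure.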

@oracle-contributor-agreement bot added the "OCA Verified" label (All contributors have signed the Oracle Contributor Agreement) Jan 31, 2025
@rudsberg rudsberg marked this pull request as draft January 31, 2025 12:34
@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch 2 times, most recently from 2cd555a to 73b8a47 January 31, 2025 13:15
@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch from 73b8a47 to 1071aad January 31, 2025 13:27
@rudsberg (Contributor, Author) commented:

The CI failures are unrelated to this diff and will be resolved in this PR.

@rudsberg rudsberg requested review from melix and dnestoro January 31, 2025 13:30
@rudsberg rudsberg marked this pull request as ready for review February 6, 2025 16:09