Question - Help! Ignore transitive dependencies in SBOM #568
kirankumar-grootan commented Oct 14, 2024

Is there any way to ignore transitive dependencies in the SBOM scan and include direct dependencies only?

In SPDX there is a way to ignore the transitive dependencies in the plugin configuration. Is there anything relevant in CycloneDX?

@hboutemy (Contributor) commented:

full list of parameters: https://cyclonedx.github.io/cyclonedx-maven-plugin/makeBom-mojo.html#optional-parameters

no, no parameter for that: why do you want to do that? SBOM is about managing dependencies to make sure people stop ignoring them, particularly the non-obvious ones like transitives?

what is your use case for that?

@kirankumar-grootan (Author) commented:

@hboutemy Thanks for checking on this. The use case involves scanning the SBOM file with a vulnerability scanner, which is also flagging CVEs for transitive dependencies. While the direct dependency vulnerabilities are under 25, the CVEs from transitive dependencies are 4 to 5 times higher when scanning projects like Keycloak, etc.

I understand that the SBOM's goal is to capture all dependencies, but in our case, we cannot account for transitive dependencies. Modifying them could disrupt the build and compromise the stability of the project.

So I feel like having an option to disable transitive dependency scanning would be a good feature.

@hboutemy (Contributor) commented:

The description you give is exactly why adding an option would be counterproductive: it's not a surprise that vulnerability issues come from transitives; SBOMs have been done exactly for that transparency.

@ppkarwasz (Contributor) commented:

Is your project an application or a library?

If it is an application, the transitive dependencies will end up being bundled, so you cannot ignore those CVEs. You can upgrade their versions using dependency management.

If it is a library, the above technique is actually harmful for the consumers of the library:

  • the SBOM will not mention those vulnerable transitive dependencies.
  • the consumers of the library will not benefit from those pinned dependencies, since dependency management is not inherited from dependencies.

The only solution that would guarantee that consumers of the library will not end up with vulnerable transitive deps is to advance those dependencies to direct dependencies, which has a lot of other disadvantages.

@hboutemy, any idea how to solve this? I was planning to submit a patch that will not use Maven to compute the versions of transitive dependencies, but would merge the SBOM published by the dependency (if available). What do you think?
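As an added illustration (not code from this thread or from the cyclonedx-maven-plugin project), the following script shows how to keep the full SBOM as the maintainers recommend and still triage scanner findings: it walks the `dependencies` graph of a CycloneDX JSON document, computes each component's depth from the root component (depth 1 = direct, deeper = transitive), and, for a flagged transitive component, reports which direct dependencies pull it in. The sample BOM is constructed for this example and uses made-up `pkg:maven/example/...` references.

```python
import json
from collections import deque

# Constructed sample CycloneDX JSON (not a real project's SBOM). The root
# component sits under metadata.component; the dependencies array lists
# "ref -> dependsOn" edges, which is where direct vs. transitive is encoded.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:maven/example/mylib@1.0.0",
                               "name": "mylib"}},
    "components": [
        {"bom-ref": "pkg:maven/example/direct-a@2.0.0", "name": "direct-a"},
        {"bom-ref": "pkg:maven/example/direct-b@1.1.0", "name": "direct-b"},
        {"bom-ref": "pkg:maven/example/trans-c@3.2.1", "name": "trans-c"},
        {"bom-ref": "pkg:maven/example/trans-d@0.9.0", "name": "trans-d"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/mylib@1.0.0",
         "dependsOn": ["pkg:maven/example/direct-a@2.0.0",
                       "pkg:maven/example/direct-b@1.1.0"]},
        {"ref": "pkg:maven/example/direct-a@2.0.0",
         "dependsOn": ["pkg:maven/example/trans-c@3.2.1"]},
        {"ref": "pkg:maven/example/direct-b@1.1.0",
         "dependsOn": ["pkg:maven/example/trans-c@3.2.1"]},
        {"ref": "pkg:maven/example/trans-c@3.2.1",
         "dependsOn": ["pkg:maven/example/trans-d@0.9.0"]},
        {"ref": "pkg:maven/example/trans-d@0.9.0", "dependsOn": []},
    ],
})


def _load_graph(bom_json: str):
    """Return (root bom-ref, {ref: [dependsOn refs]}) from a CycloneDX JSON string."""
    bom = json.loads(bom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return bom, root, graph


def dependency_depths(bom_json: str) -> dict:
    """Map every bom-ref to its shortest distance from the root component.
    0 = the project itself, 1 = direct dependency, >1 = transitive.
    Components listed but unreachable from the root get -1 rather than
    being dropped, so nothing silently disappears from the inventory."""
    bom, root, graph = _load_graph(bom_json)
    depths = {root: 0}
    queue = deque([root])
    while queue:  # breadth-first search gives the minimal depth on first visit
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    for comp in bom.get("components", []):
        depths.setdefault(comp["bom-ref"], -1)
    return depths


def partition(bom_json: str):
    """Split component refs into (direct, transitive) sets without removing either."""
    depths = dependency_depths(bom_json)
    direct = {r for r, d in depths.items() if d == 1}
    transitive = {r for r, d in depths.items() if d > 1}
    return direct, transitive


def introduced_by(bom_json: str, target: str) -> set:
    """Return the direct dependencies whose subtree contains `target`.
    When a scanner flags a transitive CVE this tells you which direct
    dependency's version to raise (or which one to ask upstream to fix)."""
    _, root, graph = _load_graph(bom_json)
    culprits = set()
    for direct in graph.get(root, []):
        stack, seen = [direct], set()
        while stack:  # depth-first walk of this direct dependency's subtree
            ref = stack.pop()
            if ref in seen:
                continue
            seen.add(ref)
            if ref == target:
                culprits.add(direct)
                break
            stack.extend(graph.get(ref, []))
    return culprits


if __name__ == "__main__":
    direct, transitive = partition(SAMPLE_BOM)
    print("direct:", sorted(direct))
    print("transitive:", sorted(transitive))
    print("trans-d pulled in via:", sorted(introduced_by(SAMPLE_BOM, "pkg:maven/example/trans-d@0.9.0")))
```

Run against a real `bom.json` by replacing `SAMPLE_BOM` with the file contents; the scanner output can then be joined on `bom-ref` to sort findings by depth and by responsible direct dependency, which gives the prioritisation the reporter wants while the SBOM itself stays complete.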

@kirankumar-grootan (Author) commented:

@ppkarwasz projectType is library
