Replies: 3 comments 9 replies
-
I think it all depends on how you define "sbom" and how you shape your dependencies. As you noticed in the referenced issue, Tycho is "just" a maven tool and you can of course use the Cyclone plugin, but if your project uses P2 dependencies not from maven central (or other maven repository) you obviously won't get "original maven dependencies" (whatever that means).
This is always possible but you should describe exactly what the expected outcome is (e.g. it is not always possible to map P2 > maven as implied in the referenced issue) in terms of output format and alike. Also be aware that there might not be enough interest to implement this right now (as it seems not very important for Tycho users right now), so the best would be to start some work and research to create a PR, or if this is crucial to your business and you like to speed up the development in that area, sponsoring would allow me to assign more time slots to this particular issue, or you can take a look at the
I'm not aware of any sbom for Tycho (yet).
-
Can't such an sbom be generated directly from the RCP application content? As @laeubi mentions, most metadata should already be available in the plugins or the OSGi runtime, so why involve Tycho?
-
I'm adding to the existing thread, but this could be a separate question: How are people using the new tycho-sbom mojo? I tried it on a company project, and while it surely works fine, I cannot really use the result in the further process. No other CVE aggregation tooling knows the p2 URIs; therefore a CVE raised against the maven jar of apache.commons.io will not be flagged for the same p2 bundle listed in the tycho-sbom output.
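One way to make a p2-based CycloneDX output usable by Maven-aware CVE scanners is to rewrite p2 purls to Maven purls where the coordinates are known, drop the OSGi qualifier from the version, keep the original purl as a component property, and report what could not be mapped. This is an added example, not code from this thread or from Tycho; the `pkg:p2/...` purl shape, the property name and the bundle-to-Maven table are assumptions.

```python
import copy
import re
from typing import Dict, List, Optional, Tuple

# Constructed lookup table (hypothetical values): bundle symbolic name -> Maven groupId, artifactId.
# A real table would be curated or derived from the bundle's embedded pom.properties.
BUNDLE_TO_MAVEN: Dict[str, Tuple[str, str]] = {
    "org.apache.commons.io": ("commons-io", "commons-io"),
    "org.apache.commons.lang3": ("org.apache.commons", "commons-lang3"),
}

# Assumed purl shape for p2 components: pkg:p2/<bundle-symbolic-name>@<osgi-version>[?qualifiers]
P2_PURL = re.compile(r"^pkg:p2/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")

def maven_version(osgi_version: str) -> str:
    """Drop the OSGi qualifier (4th segment, e.g. '.v20220815-1253') that Maven versions lack."""
    return ".".join(osgi_version.split(".", 3)[:3])

def map_p2_purl(purl: str) -> Optional[str]:
    """Return the Maven purl for a p2 purl, or None when no mapping is known."""
    m = P2_PURL.match(purl)
    if not m or m.group("name") not in BUNDLE_TO_MAVEN:
        return None
    group, artifact = BUNDLE_TO_MAVEN[m.group("name")]
    return f"pkg:maven/{group}/{artifact}@{maven_version(m.group('version'))}"

def enrich_sbom(sbom: dict) -> Tuple[dict, List[str]]:
    """Return a copy of the SBOM with Maven purls substituted where possible,
    plus the list of p2 purls left unchanged because no mapping exists."""
    out = copy.deepcopy(sbom)
    unmapped: List[str] = []
    for comp in out.get("components", []):
        original = comp.get("purl", "")
        if not original.startswith("pkg:p2/"):
            continue
        mapped = map_p2_purl(original)
        if mapped is None:
            unmapped.append(original)
            continue
        comp["purl"] = mapped
        # Keep provenance so the p2 origin is not lost (property name is an assumption).
        comp.setdefault("properties", []).append({"name": "p2:original-purl", "value": original})
    return out, unmapped

# Constructed sample SBOM: one bundle with a known Maven mapping, one in-house bundle without.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "org.apache.commons.io", "version": "2.11.0.v20220815-1253",
         "purl": "pkg:p2/org.apache.commons.io@2.11.0.v20220815-1253"},
        {"type": "library", "name": "com.example.internal", "version": "1.0.0.qualifier",
         "purl": "pkg:p2/com.example.internal@1.0.0.qualifier"},
    ],
}
```

Scanners that match on Maven purls can then flag the rewritten component, while the unmapped list is what still needs manual review.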
-
My workplace is trying to sort out licenses/vulnerabilities in all the third party libraries we use. In order to do this, I'm trying to build an sbom for our application. Our application is an eclipse RCP application which we build using maven with tycho. I have yet to find a single sbom generator tool that knows how to resolve OSGI/P2 dependencies. I noticed someone put in a request for the CycloneDX maven plugin to add support for tycho projects. However they are of the opinion that it should be the tycho project that handles this since its build mechanism is very different from a regular maven project. Is there an existing solution that people are using for this? Would it be worth creating a feature request and trying to get tycho to generate sboms?
Also while we're on the subject, is there an sbom for tycho itself? Might be good practice for me to try making one 😃