The Maven dependencies graph is different from other package managers #827
Comments
Hey @kennylam91, thanks for reporting this! Would you mind sharing your pom.xml? I'm trying to replicate the problem with Component Detection (which is the package we use for detecting components) but it doesn't seem to have the same problem 🤔 I'm running with this project: https://github.com/quarkusio/quarkus-quickstarts/tree/main/getting-started and the
Hi @JoseRenan , thanks for looking into this issue.
So the additional package getting-started here might represent the Maven module. The project quarkus-simple can contain multiple modules.
Yes, sorry for the delay with this, but you're right! We get this graph from component-detection and, checking here, they consider the pom file itself as a package that the project depends on. Trying on a project with multiple modules, it behaves as you mention: we get a root project and multiple pom modules as direct dependencies of this root, each one having its own direct dependencies. Also tried with NuGet packages for .NET and it seems to work similarly to Maven. Also, I was able to replicate the same behavior with npm 🤔 but I couldn't replicate it with a pip project, and my theory is that's because of the way pip and pip detection work, considering the requirements.txt file, which only defines the dependencies and not the package itself like the other examples (Maven, NuGet, npm).
Just to better explain the findings: when we run CD, we get a dependency graph like this:

```json
"dependencyGraphs": {
  "C:\\teste\\piptest\\requirements.txt": {
    "graph": {
      "click 8.1.8 - pip": [
        "colorama 0.4.6 - pip"
      ],
      "flask 3.1.0 - pip": [
        "blinker 1.9.0 - pip",
        "click 8.1.8 - pip",
        "itsdangerous 2.2.0 - pip",
        "jinja2 3.1.5 - pip",
        "werkzeug 3.1.3 - pip"
      ],
      "blinker 1.9.0 - pip": null,
      "jinja2 3.1.5 - pip": [
        "markupsafe 3.0.2 - pip"
      ],
      "werkzeug 3.1.3 - pip": [
        "markupsafe 3.0.2 - pip"
      ],
      "colorama 0.4.6 - pip": null,
      "markupsafe 3.0.2 - pip": null,
      "flask-mysql 1.6.0 - pip": [
        "flask 3.1.0 - pip",
        "pymysql 1.1.1 - pip"
      ],
      "pymysql 1.1.1 - pip": null,
      "itsdangerous 2.2.0 - pip": null
    },
    "explicitlyReferencedComponentIds": [
      "flask 3.1.0 - pip",
      "flask-mysql 1.6.0 - pip"
    ],
    "developmentDependencies": [],
    "dependencies": []
  }
}
```

We get each of those dependency graphs and create a depends_on relationship from the SPDX_RootPackage to it. The thing is that for Maven (and other) projects, I found that the package described by the pom file itself is also included in this dependency graph as the root. I think that doesn't happen on Python since the requirements.txt doesn't describe a package, only its dependencies, but I'm not sure if this is expected for CD and I'm investigating if #833 can be related to this 🤔 The same happens when you create a project with multiple modules: component detection will create for each one a dependency graph inside
Hi @JoseRenan, thanks for your attempts and explanations. If this is the way component detection works, then I think we can't do anything but adapt how we consume the SBOM results.
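The "adapt how we consume the results" approach from the previous comment, as an added example that is not part of the issue thread and not sbom-tool's or component-detection's own code. It takes the `dependencyGraphs` shape quoted above (the pip graph is copied from the thread; the `pom.xml` graph, its `org.example` coordinates and the `self_components` parameter are constructed for illustration) and collapses an explicitly referenced component that is the project's own module into that module's children, so that "direct dependencies" means the same thing for Maven as for pip. It also computes the transitive closure while tolerating `null` leaf entries and cycles, and emits the root DEPENDS_ON relationships the comment describes.

```python
import json
from collections import deque

# Constructed sample in the shape component-detection reports. The pip graph is
# the one quoted in the thread; the Maven graph is hypothetical: the module's own
# pom ("org.example:getting-started 1.0.0 - maven") appears as the root node and
# as the only explicitly referenced component, as described in the thread.
CD_OUTPUT = json.loads(r'''
{
  "dependencyGraphs": {
    "C:\\teste\\piptest\\requirements.txt": {
      "graph": {
        "click 8.1.8 - pip": ["colorama 0.4.6 - pip"],
        "flask 3.1.0 - pip": ["blinker 1.9.0 - pip", "click 8.1.8 - pip",
                              "itsdangerous 2.2.0 - pip", "jinja2 3.1.5 - pip",
                              "werkzeug 3.1.3 - pip"],
        "blinker 1.9.0 - pip": null,
        "jinja2 3.1.5 - pip": ["markupsafe 3.0.2 - pip"],
        "werkzeug 3.1.3 - pip": ["markupsafe 3.0.2 - pip"],
        "colorama 0.4.6 - pip": null,
        "markupsafe 3.0.2 - pip": null,
        "flask-mysql 1.6.0 - pip": ["flask 3.1.0 - pip", "pymysql 1.1.1 - pip"],
        "pymysql 1.1.1 - pip": null,
        "itsdangerous 2.2.0 - pip": null
      },
      "explicitlyReferencedComponentIds": ["flask 3.1.0 - pip", "flask-mysql 1.6.0 - pip"],
      "developmentDependencies": [],
      "dependencies": []
    },
    "C:\\teste\\getting-started\\pom.xml": {
      "graph": {
        "org.example:getting-started 1.0.0 - maven": ["org.example:lib-a 1.0 - maven",
                                                      "org.example:lib-b 1.0 - maven"],
        "org.example:lib-a 1.0 - maven": ["org.example:lib-c 1.0 - maven"],
        "org.example:lib-b 1.0 - maven": null,
        "org.example:lib-c 1.0 - maven": null
      },
      "explicitlyReferencedComponentIds": ["org.example:getting-started 1.0.0 - maven"],
      "developmentDependencies": [],
      "dependencies": []
    }
  }
}
''')


def project_roots(graph):
    """Nodes that no other node in the graph depends on. In a Maven graph the
    pom module itself shows up here; in the pip graph only the top-level
    requirement that nothing else pulls in does."""
    referenced = {dep for deps in graph.values() for dep in (deps or [])}
    return set(graph) - referenced


def direct_dependencies(cd_output, self_components=frozenset()):
    """Map each graph path to its direct dependencies. Any explicitly referenced
    component that is one of the project's own modules (self_components, known
    to the consumer from its pom coordinates) is replaced by that module's
    children; nested modules are collapsed the same way."""
    result = {}
    for path, entry in cd_output["dependencyGraphs"].items():
        graph = entry["graph"]
        direct, seen = set(), set()
        queue = deque(entry["explicitlyReferencedComponentIds"])
        while queue:
            cid = queue.popleft()
            if cid in seen:
                continue
            seen.add(cid)
            if cid in self_components:
                queue.extend(graph.get(cid) or [])  # null means a leaf node
            else:
                direct.add(cid)
        result[path] = direct
    return result


def transitive_dependencies(graph, roots):
    """Every component reachable from roots (roots included). Tolerates null
    leaf entries, ids missing from the graph, and cycles."""
    seen, stack = set(), list(roots)
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        stack.extend(graph.get(cid) or [])
    return seen


def root_relationships(cd_output, self_components=frozenset(), root="SPDXRef-RootPackage"):
    """DEPENDS_ON triples from the SBOM root to each direct dependency, sorted."""
    triples = set()
    for deps in direct_dependencies(cd_output, self_components).values():
        triples.update((root, "DEPENDS_ON", cid) for cid in deps)
    return sorted(triples)


if __name__ == "__main__":
    own = {"org.example:getting-started 1.0.0 - maven"}
    for path, deps in direct_dependencies(CD_OUTPUT, own).items():
        print(path, "->", sorted(deps))
    for triple in root_relationships(CD_OUTPUT, own):
        print(*triple)
```

Without `self_components` the Maven graph yields the pom module as its only "direct dependency", which is exactly the extra root package the issue complains about; passing the module's own coordinates makes both ecosystems report the libraries actually declared in the manifest.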
With the release of V3, I see that sbom-tool can generate correct relationships between packages.
But somehow the relationship graph of Maven is different from the others.
For example, here is an npm project graph:
But for Maven, it always has another Maven root package besides the SBOM root package.
This causes issues when we want to get all direct dependencies, for example.
Do you think we should do something about this?