
Confusing warning "Dependency tree is partial lacking child nodes." #1385

Open
metametadata opened this issue Sep 21, 2024 · 4 comments · Fixed by #1386

Comments

@metametadata
Contributor

metametadata commented Sep 21, 2024

Steps

  1. pom.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0    http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>foo</groupId>
      <artifactId>bar</artifactId>
      <packaging>jar</packaging>
      <version>1.0.0</version>
      <name>foo</name>
      <dependencies>
        <dependency>
          <groupId>com.mysql</groupId>
          <artifactId>mysql-connector-j</artifactId>
          <version>9.0.0</version>
          <exclusions>
            <exclusion>
              <artifactId>protobuf-java</artifactId>
              <groupId>com.google.protobuf</groupId>
            </exclusion>
          </exclusions>
        </dependency>
      </dependencies>
    </project>
  2. Command:

    CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java

Actual

Output:

Executing 'mvn dependency:tree -DoutputFile=/var/folders/6d/qgj8m4xj4p74tjmrztw8fqb80000gn/T/cdxmvn-VwOjMn/mvn-tree.txt' in /foo
===== WARNINGS =====
[ 'Dependency tree is partial lacking child nodes.' ]

Expected

No warnings.

Notes

  1. Assuming it's caused by the exclusion of protobuf, it's a valid situation when the transitive dependency is explicitly excluded by the developer. So the warning is unexpected.
  2. It's unclear what the log tries to protect against.
  3. The warning lacks information about what is lacking where exactly. So it's difficult to address.
  4. "partial" should be "partially".
  5. Version 10.9.11.
@prabhu
Collaborator

prabhu commented Sep 22, 2024

@metametadata The particular message has gotten changed.

"Dependency tree is partial with multiple empty dependsOn attribute.",

Let me know if there is a better way to phrase the fact that the dependency tree is partial. The logic to determine this is below:

export function isPartialTree(dependencies, componentsCount = 1) {

@metametadata
Contributor Author

metametadata commented Sep 22, 2024

Thank you for the reply.

Dependency tree is partial with multiple empty dependsOn attribute

The produced SBOM contains the next code:

{
  "ref": "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar",
  "dependsOn": []
}

I suppose the empty dependsOn is considered a problem? Why? I'm afraid I don't understand why there should be any warning at all and thus I cannot propose a better phrasing except remarking that:

  1. It's still unclear from the log why "partial" tree is a problem worth warning about.
  2. There are no multiple dependsOn in my case.
  3. "Attribute" should be "attributes".

In my understanding, excluding protobuf from mysql-connector-j is a valid scenario, so there should be no warnings about it.

The logic to determine this is below

The formula Math.max(Math.round(componentsCount / 3), 1) is cryptic, e.g. it's unclear why there's a division by 3.


Let's put Maven exclusions aside and consider the next pom.xmls:

  1. Project without any dependencies:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>foo</groupId>
      <artifactId>bar</artifactId>
      <packaging>jar</packaging>
      <version>1.0.0</version>
      <name>foo</name>
      <dependencies>
      </dependencies>
    </project>

    It produces the warning too, but it's unexpected as it's a valid project.

  2. Project with a single dependency:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>foo</groupId>
      <artifactId>bar</artifactId>
      <packaging>jar</packaging>
      <version>1.0.0</version>
      <name>foo</name>
      <dependencies>
        <dependency>
          <groupId>com.google.protobuf</groupId>
          <artifactId>protobuf-java</artifactId>
          <version>4.28.2</version>
        </dependency>
      </dependencies>
    </project>

    This case, which is certainly valid, also unexpectedly produces a warning.
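To make the quoted heuristic concrete, here is an added JavaScript sketch (not cdxgen's own isPartialTree, whose body is not shown in this thread; that the count of empty dependsOn entries is compared against the quoted threshold is an assumption) run over constructed SBOM fragments like the ones above, next to an alternative check that treats an empty dependsOn on a leaf as legitimate:

```javascript
// Added illustration, not cdxgen's own code. ASSUMPTION: the heuristic quoted in
// this thread counts dependencies entries with an empty dependsOn and compares
// that count against Math.max(Math.round(componentsCount / 3), 1).
function countEmptyDependsOn(dependencies) {
  return dependencies.filter((d) => !d.dependsOn || d.dependsOn.length === 0).length;
}

function isPartialTreeHeuristic(dependencies, componentsCount = 1) {
  const threshold = Math.max(Math.round(componentsCount / 3), 1);
  return countEmptyDependsOn(dependencies) >= threshold;
}

// Alternative check (also an assumption, not from the project): a leaf with
// dependsOn: [] is legitimate; the tree is only missing child nodes when a
// BOM component has no dependencies entry at all, or a dependsOn ref points
// at a component that is not in the BOM.
function missingTreeNodes(components, dependencies) {
  const refs = new Set(components.map((c) => c["bom-ref"]));
  const withEntry = new Set(dependencies.map((d) => d.ref));
  const noEntry = [...refs].filter((r) => !withEntry.has(r));
  const dangling = dependencies.flatMap((d) => d.dependsOn || []).filter((r) => !refs.has(r));
  return { noEntry, dangling };
}

// Constructed sample mirroring the single-dependency case from the thread:
// the root depends on mysql-connector-j, which is a genuine leaf.
const ROOT = "pkg:maven/foo/bar@1.0.0?type=jar";
const MYSQL = "pkg:maven/com.mysql/mysql-connector-j@9.0.0?type=jar";
const PROTOBUF = "pkg:maven/com.google.protobuf/protobuf-java@4.28.2?type=jar";
const SINGLE_DEP_BOM = {
  components: [{ "bom-ref": MYSQL }],
  dependencies: [
    { ref: ROOT, dependsOn: [MYSQL] },
    { ref: MYSQL, dependsOn: [] },
  ],
};
// Constructed sample of a genuinely partial tree: protobuf-java is listed as a
// component but has no dependencies entry, so its children are unknown.
const PARTIAL_BOM = {
  components: [{ "bom-ref": MYSQL }, { "bom-ref": PROTOBUF }],
  dependencies: SINGLE_DEP_BOM.dependencies,
};

// componentsCount=1 gives threshold 1, and the single leaf trips it: the
// false positive described above. The stricter check does not fire on it.
console.log(isPartialTreeHeuristic(SINGLE_DEP_BOM.dependencies, 1)); // true
console.log(missingTreeNodes(SINGLE_DEP_BOM.components, SINGLE_DEP_BOM.dependencies)); // { noEntry: [], dangling: [] }
console.log(missingTreeNodes(PARTIAL_BOM.components, PARTIAL_BOM.dependencies).noEntry); // [ PROTOBUF ]
```

A project with no dependencies at all (componentsCount 0, one root entry with an empty dependsOn) also trips the assumed threshold of 1, which matches the zero-dependency case reported above.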

@prabhu
Collaborator

prabhu commented Sep 22, 2024

Will improve this. There must be some heuristics to evaluate if the given dependency tree is complete.

@metametadata
Contributor Author

metametadata commented Oct 24, 2024

Still reproducible (i.e. there's a warning printed unexpectedly) in v10.10.7 for the next valid POMs:

  1. Project with a single software.amazon.awssdk/ec2 dep:

     <?xml version="1.0" encoding="UTF-8"?>
     <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
       <modelVersion>4.0.0</modelVersion>
       <groupId>foo</groupId>
       <artifactId>bar</artifactId>
       <packaging>jar</packaging>
       <version>1.0.0</version>
       <name>foo</name>
       <dependencies>
         <dependency>
           <groupId>software.amazon.awssdk</groupId>
           <artifactId>ec2</artifactId>
           <version>2.27.1</version>
         </dependency>
       </dependencies>
     </project>

    Similarly reproducible for single deps software.amazon.awssdk/ec2instanceconnect and software.amazon.awssdk/ecs.

  2. Project with a single leiningen dep:

     <?xml version="1.0" encoding="UTF-8"?>
     <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
       <modelVersion>4.0.0</modelVersion>
       <groupId>foo</groupId>
       <artifactId>bar</artifactId>
       <packaging>jar</packaging>
       <version>1.0.0</version>
       <name>foo</name>
       <repositories>
         <repository>
           <id>clojars</id>
           <url>https://repo.clojars.org/</url>
           <snapshots>
             <enabled>true</enabled>
           </snapshots>
           <releases>
             <enabled>true</enabled>
           </releases>
         </repository>
       </repositories>
       <dependencies>
         <dependency>
           <groupId>leiningen</groupId>
           <artifactId>leiningen</artifactId>
           <version>2.11.2</version>
         </dependency>
       </dependencies>
     </project>

@prabhu prabhu reopened this Oct 25, 2024
@prabhu prabhu moved this to Seeking sponsors in cdxgen top issues Oct 26, 2024
@prabhu prabhu moved this from Seeking sponsors to Open to New contributors in cdxgen top issues Oct 26, 2024