
SBoM of Docker image contains test dependencies #36287

Closed
nils-christian opened this issue Jul 10, 2023 · 2 comments
Assignees: wilkinsona
Labels: for: external-project (For an external project and not something we can fix), status: invalid (An issue that we don't feel is valid)

Comments

@nils-christian

Hi,

To reproduce this issue, simply create a Spring Boot demo application via Spring Initializr (e.g. Spring 2.7.13, Java 17, Maven). Note that the demo project has spring-boot-starter as compile scoped dependency and spring-boot-starter-test as test scoped dependency.

Now create a Docker image with mvn spring-boot:build-image. The resulting image contains SBoM files which list the test dependencies (in this case: spring-boot-starter-test). This is an issue as vulnerability scanners use these meta files to check the image for security violations. In our case this leads to various false positives that have to be checked manually.

The SBoM should not contain test dependencies in general.

Thank you and best regards

Nils

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 10, 2023
@wilkinsona wilkinsona self-assigned this Jul 10, 2023
@wilkinsona (Member)

Thanks for the report. The problem is caused by analysis of the META-INF/maven/<groupId>/<artifactId>/pom.xml file that's included in the jar from which the image is built. Gradle does not generate such a file in the jars that it builds so the problem is specific to Maven. The analysis is performed by the executable-jar buildpack. Its behavior is out of Spring Boot's control so please report the problem to the buildpack's maintainers.

You can work around the problem by configuring Maven not to include the pom file in the jar:

<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-jar-plugin</artifactId>
	<configuration>
		<archive>
			<addMavenDescriptor>false</addMavenDescriptor>
		</archive>
	</configuration>
</plugin>

Another option may be to use the Flatten Plugin to remove the test-scoped dependencies from the pom.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jul 10, 2023
@wilkinsona wilkinsona added status: invalid An issue that we don't feel is valid for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 10, 2023
@nils-christian (Author)

Thank you for the clarification, @wilkinsona. I opened a new issue: paketo-buildpacks/executable-jar#223
