Java maven project, too many errors and warnings. #3267

Open
WestFarmer opened this issue Sep 24, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@WestFarmer

WestFarmer commented Sep 24, 2024

version:

Application: syft
Version:    1.12.2
BuildDate:  2024-09-11T14:12:10Z
GitCommit:  fcd5ec951de6b3fc1f1aa2a36968356d2eb22170
GitDescription: v1.12.2
Platform:   linux/amd64
GoVersion:  go1.22.6
Compiler:   gc

used command:

syft scan dir:. -o cyclonedx=target/sbom-cyclonedx.cdx -vv

results: SBOM generated, but with many errors and warnings, and no dependencies in the output, hence no relationships at all...

such as:

DEBUG error adding dependency dependencyID=(groupId: org.springframework.boot artifactId: spring-boot-devtools version: ) error=invalid maven pom specification, require non-empty values for groupID: 'org.springframework.boot', artifactID: 'spring-boot-devtools', version: '' mavenID=(groupId: com.wxt.itps.services artifactId: public version: 0.0.1-SNAPSHOT) pomLocation=Location<id=707 RealPath="/pom.xml">

DEBUG error attempting to resolve pom licenses error=unable to resolve pom org.springframework.boot spring-boot-starter-parent 3.2.4: %!w(<nil>) mavenID=(groupId: com.wxt.itps.services artifactId: public version: 0.0.1-SNAPSHOT)


DEBUG error attempting to find sub-group licenses error=unable to resolve pom com.wxt.itps public 0.0.1-SNAPSHOT: %!w(<nil>) mavenID=(groupId: com.wxt.itps artifactId: public version: 0.0.1-SNAPSHOT)


DEBUG unable to convert relationship type to CycloneDX JSON, dropping: "{From:0xc000347280 To:Pkg(name=\"spring-boot-devtools\" version=\"\" type=\"java-archive\" id=\"033e397b919ab6bc\") Type:contains Data:<nil>}"

Tried to scan an npm project; also no dependencies element in the output, while seeing many errors in the verbose log:

[0006] DEBUG unable to convert relationship type to CycloneDX JSON, dropping: "{From:Pkg(name=\"zrender\" version=\"5.4.4\" type=\"npm\" id=\"31b5925a6366e164\") To:Location<RealPath=\"/pnpm-lock.yaml\"> Type:evident-by Data:<nil>}"
@WestFarmer WestFarmer added the bug Something isn't working label Sep 24, 2024
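A quick way to check a generated CycloneDX JSON SBOM for the two symptoms reported above (components with an empty version, and a missing or incomplete dependencies graph), since either one leaves the SBOM unusable for matching against vulnerability data. This is an added example, not code from the issue or from syft; the sample SBOM is constructed to mirror the log lines above.

```python
"""Audit a CycloneDX JSON SBOM for empty versions and a missing dependency graph."""
import json
import sys

# Constructed sample modelled on the syft log lines in the issue (not real syft output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "root", "name": "public", "version": "0.0.1-SNAPSHOT"}},
    "components": [
        {"bom-ref": "pkg:maven/org.springframework.boot/spring-boot-devtools",
         "name": "spring-boot-devtools", "version": "", "type": "library"},
        {"bom-ref": "pkg:npm/zrender@5.4.4", "name": "zrender", "version": "5.4.4", "type": "library"},
    ],
    # No "dependencies" key at all: this is what the reporter observed.
})


def audit_sbom(text: str) -> dict:
    """Return counts plus the names/refs that would block vulnerability matching."""
    bom = json.loads(text)
    components = bom.get("components", [])
    # A component without a version cannot be matched to an advisory range.
    empty_version = sorted(c["name"] for c in components if not c.get("version"))
    deps = bom.get("dependencies")
    refs = {c["bom-ref"] for c in components}
    if deps is None:
        orphans = sorted(refs)  # no graph at all: every component is unconnected
    else:
        referenced = set()
        for d in deps:
            referenced.add(d.get("ref"))
            referenced.update(d.get("dependsOn", []))
        orphans = sorted(refs - referenced)  # components absent from the graph
    return {
        "component_count": len(components),
        "has_dependencies": deps is not None,
        "edge_count": sum(len(d.get("dependsOn", [])) for d in deps or []),
        "empty_version": empty_version,
        "orphan_refs": orphans,
    }


if __name__ == "__main__":
    # Pass a path to a real SBOM, e.g. target/sbom-cyclonedx.cdx; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for key, value in audit_sbom(source).items():
        print(f"{key}: {value}")
```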
@WestFarmer
Author

All those logs lack real helpful information to address the underlying problem.

@kzantow
Contributor

kzantow commented Sep 24, 2024

@WestFarmer -- unable to resolve pom org.springframework.boot spring-boot-starter-parent 3.2.4 -- this seems to be a fairly clear message that Syft needs to resolve this POM, but was unable to. This is because Syft does not enable network resolution for anything by default. Maven, however, benefits from network resolution considerably, and it can be enabled with the --enrich flag (e.g. --enrich all).

That said, you still won't see any dependency relationships: the Java cataloger needs to get these implemented -- that is actively being worked on and should land reasonably soon, though.

@WestFarmer
Author

WestFarmer commented Sep 25, 2024

@kzantow

Syft needs to resolve this POM

From where? The local Maven repository or the final artifact built by Maven?
All the jars and poms are already in my local Maven repository.
All the poms already exist in the final artifact built by Maven.

So this still doesn't make sense.

@WestFarmer
Author

@kzantow

[ggfan@fedora 4A-services-public]$ syft scan dir:. -o syft-json=target/sbom-syft.json -vv --enrich all
unknown flag: --enrich

@wagoodman
Contributor

@WestFarmer this was a feature newly added with syft 1.13, mind updating and trying again?

@kzantow
Contributor

kzantow commented Sep 25, 2024

already in my local maven repository

The --enrich all flag will enable looking in your local Maven ~/.m2/repository for artifacts; this should help you considerably and should be very fast if no network is required 👍
