Changes to 'createJarBom' break single-module Gradle project when running multi-language #479

Closed
malice00 opened this issue Aug 20, 2023 · 8 comments · Fixed by #1371
Comments

@malice00
Contributor

While working on the final issues for Gradle projects, I rebased to the latest master branch and started getting problems.

On multi-project Gradle projects, I get a warning that there is a component under metadata.component.components with the same data as the one in metadata.component:

===== WARNINGS =====
[
  'Found parent component with name fineract in metadata.component.components'
]

Then again, in another test-project, it doesn't complain, but there is this new entry:

        {
          "group": "",
          "name": "android",
          "version": "latest",
          "type": "application",
          "bom-ref": "pkg:maven/android@latest",
          "purl": "pkg:maven/android@latest"
        }

When running a single sub-project in Gradle, I do not get any warning (I seem to remember I had some at some point...), but the component that was written in metadata.component for the Gradle project is now overwritten with a similar component -- but since the bom-ref is different, all dependencies are referencing the wrong component!

I have been able to trace it back to a commit for 'evinse' (#472), where the 'createJarBom'-method was changed to work with a 'parentComponent', which was initialized with 'createDefaultParentComponent'.
Unfortunately, I didn't notice when writing #470, but it seems for multi-project Gradle, the warning can just be ignored. Still, it would probably be a good idea to take a look at this and fix it.

Also: when I add -t gradle to my command, cdxgen doesn't scan for JARs, so then all is fine!

@prabhu
Collaborator

prabhu commented Aug 20, 2023

@malice00 Nice find! Is there a test project to reproduce this? We need to filter the metadata.component.components for anything that matches the metadata.component before adding here.

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L350

Also, note these warnings were added to catch bugs like this.

https://github.com/CycloneDX/cdxgen/blob/master/validator.js#L90

@malice00
Contributor Author

malice00 commented Aug 20, 2023

@prabhu I can probably commit and push my current work soon, then you'd have a test. Just want to make sure most of it works, otherwise you'd be looking through code that will most likely change a lot still... :-)

I can now also reproduce the warning on the single project: I forgot to add a parameter for Gradle. Weird though that without it, the bom-ref appears to be valid, although it is never written in the SBOM...

===== WARNINGS =====
[ 'Invalid ref in dependencies pkg:gradle/Test/app@1.0.0?type=jar' ]

Edit:
And before you ask: yes, I have changed the type to 'gradle' to make it easier for me to find my changes. I'm not sure if we should leave it that way, but it does show that these are not your average Maven JARs (e.g. you could filter them to not be sent to OSS Index & others during vulnerability checks). Also, afaik Gradle doesn't even necessarily force you to write Java projects, so the default purl currently generated (with 'jar' in it) is probably also something that could/should be changed.

@prabhu
Collaborator

prabhu commented Aug 20, 2023

As per purl, maven is the type for all jars. However, bom-ref could be any string, including a bom-link (which might exist in a different document).

prabhu added a commit that referenced this issue Aug 21, 2023
@prabhu
Collaborator

prabhu commented Aug 21, 2023

@malice00 Could you try using this commit?

3cc2018

prabhu closed this as completed in 2a069a5 Aug 21, 2023
@malice00
Contributor Author

@prabhu That commit actually made it worse: now all of Gradle's sub-projects are gone!

I added some output when the Gradle-part in cdxgen is done, and this is what the parentComponent looks like (partially, it's very big):

{
  "name": "Test",
  "type": "application",
  "group": "",
  "version": "latest",
  "properties": [
    {
      "name": "buildFile",
      "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android/build.gradle"
    },
    {
      "name": "projectDir",
      "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
    },
    {
      "name": "rootDir",
      "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
    }
  ],
  "purl": "pkg:gradle/Test@latest?type=jar",
  "bom-ref": "pkg:gradle/Test@latest?type=jar",
  "components": [
    {
      "name": "app",
      "type": "application",
      "group": "Test",
      "version": "1.0.0",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android/app/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android/app"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test/app@1.0.0?type=jar",
      "bom-ref": "pkg:gradle/Test/app@1.0.0?type=jar"
    },
    {
      "name": "criusm_ssl-pinning",
      "type": "application",
      "group": "Test",
      "version": "latest",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/node_modules/@criusm/ssl-pinning/android/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/node_modules/@criusm/ssl-pinning/android"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar",
      "bom-ref": "pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar"
    },
... and more sub-components ...

Then the jar parser kicks in:
Parsing /home/roland/test/android/gradle/wrapper/gradle-wrapper.jar
And finally the SBOM gets validated and printed:

===== WARNINGS =====
[
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/app@1.0.0?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-version-number@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-webview@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/rn-qr-generator@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/app@1.0.0?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-version-number@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-webview@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/rn-qr-generator@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-keychain@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-i18n@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-cookies@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/criusm_ssl-pinning@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-async-storage_async-storage@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-clipboard_clipboard@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_cameraroll@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_datetimepicker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_netinfo@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-community_picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-firebase_messaging@latest?type=jar',
  'Invalid ref in dependencies.dependsOn pkg:gradle/Test/react-native-firebase_app@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-masked-view_masked-view@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/jail-monkey@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-blob-util@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-config@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-device-info@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-document-picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-file-viewer@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-fs@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-gesture-handler@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-image-crop-picker@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-locale@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-permissions@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-reanimated@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-safe-area-context@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-screens@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-share@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-splash-screen@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-svg@latest?type=jar',
  'Invalid ref in dependencies pkg:gradle/Test/react-native-version-number@latest?type=jar',
  ... 2 more items
]
    "component": {
      "name": "Test",
      "type": "application",
      "group": "",
      "version": "latest",
      "properties": [
        {
          "name": "buildFile",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android/build.gradle"
        },
        {
          "name": "projectDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
        },
        {
          "name": "rootDir",
          "value": "/home/itsv.org.sv-services.at/[email protected]/temp/test/android"
        }
      ],
      "purl": "pkg:gradle/Test@latest?type=jar",
      "bom-ref": "pkg:gradle/Test@latest?type=jar",
      "components": []
    }

You can actually reproduce this with the current master-branch of cdxgen and fineract -- put a console.log on line 1489 to see the parentComponent: console.log(JSON.stringify(parentComponent, null, 2)); and check the output and generated bom.json...
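The two kinds of warning in this thread (a parent copied into its own metadata.component.components, and dependency refs that no longer resolve once sub-projects are dropped) can be reproduced on a small document. The following is an added example, not cdxgen's own validator or createJarBom code; the sample BOM, the helper names (collectBomRefs, dedupeParentComponent, validateDependencyRefs) and the "Test"/"app" coordinates are constructed for illustration, with the dedupe filter being the check prabhu suggests above.

```javascript
// Added example (not cdxgen's own code). Models the two checks discussed in
// this issue on a CycloneDX BOM object:
//   1. metadata.component must not reappear inside its own
//      metadata.component.components (the "Found parent component" warning);
//   2. every dependencies[].ref and dependsOn entry must resolve to a bom-ref
//      declared somewhere in the document (the "Invalid ref" warnings).

// Collect every bom-ref declared in the document: the parent component, its
// nested sub-components (recursively) and the top-level components list.
function collectBomRefs(bom) {
  const refs = new Set();
  const visit = (comp) => {
    if (!comp) return;
    if (comp["bom-ref"]) refs.add(comp["bom-ref"]);
    for (const child of comp.components || []) visit(child);
  };
  visit(bom.metadata && bom.metadata.component);
  for (const comp of bom.components || []) visit(comp);
  return refs;
}

// Check 1: drop sub-components that duplicate the parent (same bom-ref, or
// same name/group/version). Mutates the document and returns the warnings.
function dedupeParentComponent(bom) {
  const warnings = [];
  const parent = bom.metadata && bom.metadata.component;
  if (!parent || !Array.isArray(parent.components)) return warnings;
  parent.components = parent.components.filter((c) => {
    const sameRef = Boolean(c["bom-ref"]) && c["bom-ref"] === parent["bom-ref"];
    const sameCoords =
      c.name === parent.name &&
      (c.group || "") === (parent.group || "") &&
      c.version === parent.version;
    if (sameRef || sameCoords) {
      warnings.push(
        `Found parent component with name ${c.name} in metadata.component.components`
      );
      return false;
    }
    return true;
  });
  return warnings;
}

// Check 2: every ref in the dependency graph must be a declared bom-ref.
// A dangling ref means the graph points at a component the SBOM does not
// contain, so consumers cannot attach vulnerabilities to it.
function validateDependencyRefs(bom) {
  const known = collectBomRefs(bom);
  const warnings = [];
  for (const dep of bom.dependencies || []) {
    if (!known.has(dep.ref)) {
      warnings.push(`Invalid ref in dependencies ${dep.ref}`);
    }
    for (const target of dep.dependsOn || []) {
      if (!known.has(target)) {
        warnings.push(`Invalid ref in dependencies.dependsOn ${target}`);
      }
    }
  }
  return warnings;
}

// Constructed sample (hypothetical, not the reporter's project): a Gradle root
// "Test" whose sub-project "app" was lost from metadata.component.components
// while the dependency graph still refers to it, and whose root entry was
// also copied into its own sub-component list.
function brokenSampleBom() {
  const rootRef = "pkg:gradle/Test@latest?type=jar";
  const appRef = "pkg:gradle/Test/app@1.0.0?type=jar";
  return {
    metadata: {
      component: {
        name: "Test", group: "", version: "latest", type: "application",
        "bom-ref": rootRef, purl: rootRef,
        components: [
          { name: "Test", group: "", version: "latest", type: "application",
            "bom-ref": rootRef, purl: rootRef },
        ],
      },
    },
    components: [],
    dependencies: [
      { ref: rootRef, dependsOn: [appRef] },
      { ref: appRef, dependsOn: [] },
    ],
  };
}

// The same document after the duplicate is filtered and the sub-project is
// restored under the parent: every ref resolves again.
function repairedSampleBom() {
  const bom = brokenSampleBom();
  dedupeParentComponent(bom);
  bom.metadata.component.components.push({
    name: "app", group: "Test", version: "1.0.0", type: "application",
    "bom-ref": "pkg:gradle/Test/app@1.0.0?type=jar",
    purl: "pkg:gradle/Test/app@1.0.0?type=jar",
  });
  return bom;
}
```

On the broken sample, dedupeParentComponent returns one "Found parent component" warning and validateDependencyRefs returns two "Invalid ref" warnings (one for dependsOn, one for ref); on the repaired sample both return empty lists.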

@prabhu
Collaborator

prabhu commented Aug 22, 2023

@malice00 Bringing back sub-projects turned out to be easy. However, getting fineract to validate is going to take some time. Will first get fineract working then we can test our repo with the fix.

Could you join discord so that we can collaborate easily?

@prabhu
Collaborator

prabhu commented Aug 22, 2023

@malice00 could you try this PR #481 branch?

@malice00
Contributor Author

Could you join discord so that we can collaborate easily?

I'll set it up tonight when I get home.
