Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: add dirty waters #317

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

chore: add dirty waters #317

wants to merge 17 commits into from

Conversation

algomaster99
Copy link
Member

No description provided.

@algomaster99
Copy link
Member Author

@randomicecube need help here. see https://github.com/chains-project/sbom.exe/actions/runs/13286604511/job/37096630961?pr=317#step:7:35

@randomicecube
Copy link

Hey Aman, I've tinkered with it a bit on a fork and it's working now (see https://github.com/randomicecube/sbom.exe/actions/runs/13355966510/job/37298751984)
I'm not exactly sure why this error happened, but switching to the most recent version seems to fix it (v1.5 introduces workflows being agnostic to caching, v1.6 pastes the reports into the logs); I'm going to commit the switch to v1.6, and hopefully the check should behave as expected then

@randomicecube
Copy link

@algomaster99 working! Fails because of 4 cases where no source code repo was found, but it's working!

@randomicecube randomicecube mentioned this pull request Feb 16, 2025
Open
@randomicecube randomicecube mentioned this pull request Feb 17, 2025
Open
6 tasks
@algomaster99
Copy link
Member Author

algomaster99 commented Feb 17, 2025
edited
Loading

Thanks @randomicecube !

I'm not exactly sure why this error happened,

great out of sight out of mind :D

Fails because of 4 cases where no source code repo was found, but it's working!

Pasting here for convenience

index package_name github_url github_exists
1 org.sonatype.plexus:[email protected] No_repo_info_found
2 org.sonatype.sisu:sisu-guice@noaop No_repo_info_found
3 org.sonatype.plexus:[email protected] No_repo_info_found
4 org.sonatype.plexus:[email protected] No_repo_info_found

I tried to Ctrl + F on the output of mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.1:tree -Dverbose > /tmp/a.txt sbom-exe-dt.txt. However, I see none of the these dependencies in the tree. I wonder if sbom.exe even has these dependencies.

Also, a feature-request: It would be nice to know which maven module these dependencies belong to.

@randomicecube
Copy link

randomicecube commented Feb 17, 2025
edited
Loading

@algomaster99 I believe some of them come from mvn dependency:resolve-plugins; I get the following:

org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
  ...
  **org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3**
  **org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3**
  **org.sonatype.plexus:plexus-cipher:jar:1.4**
...

This one does not return the table's third entry, however (at least not with version 0.0.4, just 0.0.7). Interesting to note too that I think this allowed me to catch a bug on the sisu-guice case -- the version is being considered no_aop, not 3.2.3, since apparently there can be that fourth field between jar and the version, which I had no idea about. I'll fix it!
EDIT: opened issue chains-project/dirty-waters#69

@randomicecube
Copy link

Also, a feature-request: It would be nice to know which maven module these dependencies belong to.

If you mean this chains-project/dirty-waters#67, I think I sent you an e-mail regarding this, I'll bump it

randomicecube added a commit to chains-project/dirty-waters that referenced this pull request Feb 17, 2025
@randomicecube
fix: maven packages may have more than 4 coordinates
3226415 
See chains-project/sbom.exe#317 (comment)
@randomicecube randomicecube mentioned this pull request Feb 17, 2025
Closed
@algomaster99
Copy link
Member Author

Oh so these were plugins. Now it makes sense!

This one does not return the table's third entry

Any idea where that is coming from?

Yes. The coordinates have 4 items - groupId, artifactId, packaging and version. If packaging does not exist (option is jar), then version is third. So your commit to replace the index with -1 is good.

@randomicecube
Copy link

I already dealt with the packaging, I just didn't know about classifiers (which I think is what no_aop is) could also show up; the thing is, I'm not sure if -1 is very generalizable: in mvn dependency:resolve, for example, I think scopes show up too at the end -- so -2 for the resolve case, -1 for the resolve-plugins one?
It's weird, and really bad on maven's end that there's no JSON output like the one for mvn dependency:tree, it'd make this task so much easier

@algomaster99
Copy link
Member Author

t there's no JSON output like the one for mvn dependency:tree

@LogFlames it seems that there is feature request to add JSON support for resolve-plugins :)

@randomicecube
Copy link

I think mvn dependency:resolve and mvn dependency:resolve-plugins would both benefit greatly, for sure! In particular, mvn dependency:resolve has no way (AFAIK) to link transitive dependencies to their parent ones via parsing, so it'd be great to have some structured output

@algomaster99
Copy link
Member Author

@randomicecube so it seems you have fixed the issue with the 4th unknown dependency? What was the problem?

Also, I tried to manually find the 3 packages that don't have source URLs and I could find 2ish out of 3.

  1. org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3 - https://github.com/codehaus-plexus/plexus-sec-dispatcher/tree/sec-dispatcher-1.3
  2. org.sonatype.plexus:[email protected] - https://github.com/codehaus-plexus/plexus-build-api/tree/plexus-build-api-0.0.4 (this commit is not part of git repository)
  3. org.sonatype.plexus:plexus-cipher:jar:1.4 - could not find it

@randomicecube
Copy link

^ignoring cache for this run; need to remove that param from the workflow before merging

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 21, 2025
edited
Loading

Software Supply Chain Report of chains-project/sbom.exe - HEAD

Enabled Checks

The following checks were specifically requested:

  • Source Code
  • Source Code Sha
  • Deprecated
  • Provenance
  • Code Signature
  • Aliased Packages
How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 287

❗ Packages with no source code URL (⚠️⚠️⚠️): 10

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 32

🔒 Packages without code signature (⚠️⚠️): 41

:unlocked: Packages with invalid code signature (⚠️⚠️): 0

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found(10)
index package_name github_url github_exists command
1 org.codehaus.plexus:[email protected] No_repo_info_found resolve-plugins
2 commons-cli:[email protected] No_repo_info_found resolve-plugins
3 org.codehaus.plexus:[email protected] No_repo_info_found resolve-plugins
4 org.codehaus.plexus:[email protected] No_repo_info_found resolve-plugins
5 javax.servlet:[email protected] No_repo_info_found resolve-plugins
6 commons-beanutils:[email protected] No_repo_info_found resolve-plugins
7 dom4j:[email protected] No_repo_info_found resolve-plugins
8 sslext:[email protected] No_repo_info_found resolve-plugins
9 antlr:[email protected] No_repo_info_found resolve-plugins
10 oro:[email protected] No_repo_info_found resolve-plugins
List of packages with available source code repos but with inaccessible commit SHAs/tags(32)
package_name sha_exists tag_version is_sha sha tag_url message status_code_for_sha command
com.diffplug.spotless:[email protected] False 2.44.3 False Tag 2.44.3 not found in the repo 404 resolve-plugins
com.diffplug.spotless:[email protected] False 3.1.0 False Tag 3.1.0 not found in the repo 404 resolve-plugins
com.diffplug.spotless:[email protected] False 3.1.0 False Tag 3.1.0 not found in the repo 404 resolve-plugins
dev.equo.ide:[email protected] False 1.8.1 False Tag 1.8.1 not found in the repo 404 resolve-plugins
org.jetbrains:[email protected] False 13.0 False Tag 13.0 not found in the repo 404 resolve-plugins
org.eclipse.platform:[email protected] False 3.18.500 False Tag 3.18.500 not found in the repo 404 resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 resolve-plugins
commons-codec:[email protected] False 1.17.0 False Tag 1.17.0 not found in the repo 404 resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 resolve-plugins
org.apache.commons:[email protected] False 1.12.0 False Tag 1.12.0 not found in the repo 404 resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 resolve-plugins
org.eclipse.sisu:[email protected] False 0.9.0.M3 False Tag 0.9.0.M3 not found in the repo 404 resolve-plugins
org.eclipse.sisu:[email protected] False 0.9.0.M3 False Tag 0.9.0.M3 not found in the repo 404 resolve-plugins
commons-io:[email protected] False 2.16.1 False Tag 2.16.1 not found in the repo 404 resolve-plugins
org.apache.commons:[email protected] False 1.26.2 False Tag 1.26.2 not found in the repo 404 resolve-plugins
org.apache.commons:[email protected] False 3.17.0 False Tag 3.17.0 not found in the repo 404 resolve-plugins
org.jdom:[email protected] False 2.0.6.1 False Tag 2.0.6.1 not found in the repo 404 resolve-plugins
org.apache.commons:[email protected] False 3.14.0 False Tag 3.14.0 not found in the repo 404 resolve-plugins
commons-io:[email protected] False 2.11.0 False Tag 2.11.0 not found in the repo 404 resolve-plugins
com.google.guava:[email protected] False 33.2.1-jre False Tag 33.2.1-jre not found in the repo 404 resolve-plugins
org.apache.httpcomponents:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 resolve-plugins
org.apache.httpcomponents:[email protected] False 4.4.16 False Tag 4.4.16 not found in the repo 404 resolve-plugins
commons-io:[email protected] False 2.18.0 False Tag 2.18.0 not found in the repo 404 resolve
io.github.algomaster99:[email protected] False 0.14.2-SNAPSHOT False Tag 0.14.2-SNAPSHOT not found in the repo 404 resolve
io.github.algomaster99:[email protected] False 0.14.2-SNAPSHOT False Tag 0.14.2-SNAPSHOT not found in the repo 404 resolve
org.assertj:[email protected] False 3.27.3 False Tag 3.27.3 not found in the repo 404 resolve
org.junit.platform:[email protected] False 1.12.1 False Tag 1.12.1 not found in the repo 404 resolve
org.junit.platform:[email protected] False 1.12.1 False Tag 1.12.1 not found in the repo 404 resolve

The package manager (maven) does not support checking for deprecated packages.

List of packages without code signature(41)
package_name command
javax.inject:javax.inject@1 resolve
org.apache.maven.wagon:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
junit:[email protected] resolve-plugins
classworlds:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
jtidy:jtidy@4aug2000r7-dev resolve-plugins
xml-apis:[email protected] resolve-plugins
commons-cli:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
org.apache.maven.wagon:[email protected] resolve-plugins
com.jcraft:[email protected] resolve-plugins
commons-lang:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
com.google.code.findbugs:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
xerces:[email protected] resolve-plugins
xml-apis:[email protected] resolve-plugins
commons-codec:[email protected] resolve-plugins
javax.servlet:[email protected] resolve-plugins
commons-beanutils:[email protected] resolve-plugins
commons-digester:[email protected] resolve-plugins
commons-chain:[email protected] resolve-plugins
dom4j:[email protected] resolve-plugins
sslext:[email protected] resolve-plugins
antlr:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
org.apache.velocity:[email protected] resolve-plugins
oro:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
org.mortbay.jetty:[email protected] resolve-plugins
aopalliance:[email protected] resolve-plugins
classworlds:[email protected] resolve-plugins
org.codehaus.plexus:[email protected] resolve-plugins
io.github.algomaster99:[email protected] resolve
io.github.algomaster99:[email protected] resolve

All packages have valid code signature.

The package manager (maven) does not support checking for provenance.

The package manager (maven) does not support checking for aliased packages.

Call to Action:

👻What do I do now?

For packages without source code & accessible SHA/release tags:

  • Why? Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.
  1. Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging.

For deprecated packages:

  • Why? Deprecated packages may contain known security issues and are no longer maintained, putting your project at risk.
  1. Confirm the maintainer's deprecation intention
  2. Check for not deprecated versions

For packages without code signature:

  • Why? Code signatures help verify the authenticity and integrity of the package, ensuring it hasn't been tampered with.
  1. Open an issue in the dependency's repository to request the inclusion of code signature in the CI/CD pipeline.

For packages with invalid code signature:

  • Why? Invalid signatures could indicate tampering or compromised build processes.
  1. It's recommended to verify the code signature and contact the maintainer to fix the issue.

For packages without provenance:

  • Why? Without provenance, there's no way to verify that the package was built from the claimed source code, making supply chain attacks possible.
  1. Open an issue in the dependency's repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are aliased:

  • Why? Aliased packages may hide malicious dependencies under seemingly legitimate names.
  1. Check the aliased package and its repository to verify the alias is not malicious.

Notes

Other info:

  • Source code repo is not hosted on GitHub: 117

    This could be due, for example, to the package being hosted on a different platform.

    This does not mean that the source code URL is invalid.

    However, for non-GitHub repositories, not all checks can currently be performed.

index package_name github_url command
1 org.tukaani:[email protected] https://tukaani.org/xz/java.html resolve-plugins
2 javax.inject:javax.inject@1 http://code.google.com/p/atinject/ resolve
3 org.eclipse.jgit:[email protected] https://www.eclipse.org/jgit//org.eclipse.jgit resolve-plugins
4 org.sonatype.plexus:[email protected] http://forge.sonatype.com/spice-parent/plexus-build-api/ resolve-plugins
5 org.apache.maven.plugins:[email protected] http://maven.apache.org/plugins/maven-jar-plugin/ resolve-plugins
6 org.apache.maven:[email protected] http://maven.apache.org/maven-plugin-api resolve-plugins
7 org.apache.maven:[email protected] http://maven.apache.org/maven-project resolve-plugins
8 org.apache.maven:[email protected] http://maven.apache.org/maven-settings resolve-plugins
9 org.apache.maven:[email protected] http://maven.apache.org/maven-profile resolve-plugins
10 org.apache.maven:[email protected] http://maven.apache.org/maven-artifact-manager resolve-plugins
11 org.apache.maven:[email protected] http://maven.apache.org/maven-repository-metadata resolve-plugins
12 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-provider-api resolve-plugins
13 org.apache.maven:[email protected] http://maven.apache.org/maven-plugin-registry resolve-plugins
14 junit:[email protected] http://junit.org resolve-plugins
15 classworlds:[email protected] http://classworlds.codehaus.org/ resolve-plugins
16 org.apache.maven:[email protected] http://maven.apache.org/maven-model resolve-plugins
17 org.apache.maven:[email protected] http://maven.apache.org/maven-artifact resolve-plugins
18 org.apache.maven:[email protected] http://maven.apache.org/shared/maven-archiver/ resolve-plugins
19 org.apache.maven:[email protected] http://maven.apache.org/maven-core resolve-plugins
20 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-file resolve-plugins
21 org.apache.maven:[email protected] http://maven.apache.org/maven-plugin-parameter-documenter resolve-plugins
22 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-http-lightweight resolve-plugins
23 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-http-shared resolve-plugins
24 jtidy:jtidy@4aug2000r7-dev http://jtidy.sourceforge.net resolve-plugins
25 xml-apis:[email protected] http://xml.apache.org/commons/#external resolve-plugins
26 org.apache.maven.reporting:[email protected] http://maven.apache.org/maven-reporting/maven-reporting-api resolve-plugins
27 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia-sink-api resolve-plugins
28 org.apache.maven:[email protected] http://maven.apache.org/maven-error-diagnostics resolve-plugins
29 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-ssh-external resolve-plugins
30 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-ssh-common resolve-plugins
31 org.apache.maven:[email protected] http://maven.apache.org/maven-plugin-descriptor resolve-plugins
32 org.apache.maven:[email protected] http://maven.apache.org/maven-monitor resolve-plugins
33 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-providers/wagon-ssh resolve-plugins
34 com.jcraft:[email protected] http://www.jcraft.com/jsch/ resolve-plugins
35 commons-lang:[email protected] http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ resolve-plugins
36 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve-plugins
37 commons-beanutils:[email protected] https://commons.apache.org/proper/commons-beanutils/ resolve-plugins
38 commons-logging:[email protected] http://commons.apache.org/proper/commons-logging/ resolve-plugins
39 commons-collections:[email protected] http://commons.apache.org/collections/ resolve-plugins
40 org.apache.commons:[email protected] http://commons.apache.org/digester/ resolve-plugins
41 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-i18n resolve-plugins
42 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve-plugins
43 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve-plugins
44 org.apache.maven.plugins:[email protected] http://maven.apache.org/plugins/maven-site-plugin/ resolve-plugins
45 org.apache.maven.reporting:[email protected] http://maven.apache.org/shared/maven-reporting-exec/ resolve-plugins
46 org.apache.maven.reporting:[email protected] http://maven.apache.org/shared/maven-reporting-api/ resolve-plugins
47 org.apache.maven:[email protected] http://maven.apache.org/maven-artifact/ resolve-plugins
48 org.apache.maven.shared:[email protected] http://maven.apache.org/shared/maven-shared-utils/ resolve-plugins
49 com.google.code.findbugs:[email protected] http://findbugs.sourceforge.net/ resolve-plugins
50 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-containers/plexus-component-annotations/ resolve-plugins
51 org.eclipse.aether:[email protected] http://www.eclipse.org/aether/aether-util/ resolve-plugins
52 org.apache.maven:[email protected] http://maven.apache.org/maven-core/ resolve-plugins
53 org.apache.maven:[email protected] http://maven.apache.org/maven-repository-metadata/ resolve-plugins
54 org.apache.maven:[email protected] http://maven.apache.org/maven-model-builder/ resolve-plugins
55 org.apache.maven:[email protected] http://maven.apache.org/maven-aether-provider/ resolve-plugins
56 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-interpolation resolve-plugins
57 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-classworlds/ resolve-plugins
58 org.apache.maven:[email protected] http://maven.apache.org/maven-model/ resolve-plugins
59 org.apache.maven:[email protected] http://maven.apache.org/maven-plugin-api/ resolve-plugins
60 org.apache.maven:[email protected] http://maven.apache.org/maven-settings/ resolve-plugins
61 org.apache.maven:[email protected] http://maven.apache.org/maven-settings-builder/ resolve-plugins
62 org.apache.maven:[email protected] http://maven.apache.org/shared/maven-archiver/ resolve-plugins
63 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-sink-api/ resolve-plugins
64 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-logging-api/ resolve-plugins
65 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-core/ resolve-plugins
66 xerces:[email protected] http://xerces.apache.org/xerces2-j resolve-plugins
67 xml-apis:[email protected] http://xml.apache.org/commons/components/external/ resolve-plugins
68 org.apache.httpcomponents:[email protected] http://hc.apache.org/httpcomponents-client resolve-plugins
69 commons-logging:[email protected] http://commons.apache.org/logging resolve-plugins
70 commons-codec:[email protected] http://jakarta.apache.org/commons/codec/ resolve-plugins
71 org.apache.httpcomponents:[email protected] http://hc.apache.org/httpcomponents-core/ resolve-plugins
72 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-xhtml/ resolve-plugins
73 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-apt/ resolve-plugins
74 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-xdoc/ resolve-plugins
75 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-fml/ resolve-plugins
76 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-markdown/ resolve-plugins
77 org.ow2.asm:[email protected] http://asm.objectweb.org/asm/ resolve-plugins
78 org.ow2.asm:[email protected] http://asm.objectweb.org/asm-tree/ resolve-plugins
79 org.ow2.asm:[email protected] http://asm.objectweb.org/asm-analysis/ resolve-plugins
80 org.ow2.asm:[email protected] http://asm.objectweb.org/asm-util/ resolve-plugins
81 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia-sitetools/doxia-decoration-model/ resolve-plugins
82 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia-sitetools/doxia-site-renderer/ resolve-plugins
83 org.apache.velocity:[email protected] http://velocity.apache.org/tools/devel/ resolve-plugins
84 commons-digester:[email protected] http://jakarta.apache.org/commons/digester/ resolve-plugins
85 commons-chain:[email protected] http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ resolve-plugins
86 commons-validator:[email protected] http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ resolve-plugins
87 org.apache.struts:[email protected] http://struts.apache.org resolve-plugins
88 org.apache.struts:[email protected] http://struts.apache.org resolve-plugins
89 org.apache.struts:[email protected] http://struts.apache.org resolve-plugins
90 commons-collections:[email protected] http://commons.apache.org/collections/ resolve-plugins
91 org.apache.maven.doxia:[email protected] http://maven.apache.org/doxia/doxia-tools/doxia-integration-tools/ resolve-plugins
92 org.apache.maven.wagon:[email protected] http://maven.apache.org/wagon/wagon-provider-api resolve-plugins
93 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-archiver resolve-plugins
94 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-io resolve-plugins
95 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-i18n resolve-plugins
96 org.apache.velocity:[email protected] http://velocity.apache.org/engine/releases/velocity-1.5/ resolve-plugins
97 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-velocity resolve-plugins
98 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-utils resolve-plugins
99 org.mortbay.jetty:[email protected] http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty resolve-plugins
100 org.mortbay.jetty:[email protected] http://jetty.mortbay.org/servlet-api resolve-plugins
101 org.mortbay.jetty:[email protected] http://www.eclipse.org/jetty/jetty-parent/project/jetty-util resolve-plugins
102 commons-lang:[email protected] http://commons.apache.org/lang/ resolve-plugins
103 commons-io:[email protected] http://commons.apache.org/io/ resolve-plugins
104 org.apache.maven.shared:[email protected] http://maven.apache.org/shared/maven-shared-incremental/ resolve-plugins
105 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve
106 aopalliance:[email protected] http://aopalliance.sourceforge.net resolve-plugins
107 commons-codec:[email protected] http://commons.apache.org/proper/commons-codec/ resolve-plugins
108 net.sf.jtidy:jtidy@r938 http://jtidy.sourceforge.net resolve-plugins
109 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve
110 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve
111 org.ow2.asm:[email protected] http://asm.ow2.io/ resolve
112 org.apache.maven.plugins:[email protected] http://maven.apache.org/plugins/maven-clean-plugin/ resolve-plugins
113 org.apache.maven.plugins:[email protected] http://maven.apache.org/plugins/maven-resources-plugin/ resolve-plugins
114 classworlds:[email protected] http://classworlds.codehaus.org/ resolve-plugins
115 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-utils resolve-plugins
116 org.apache.maven.shared:[email protected] http://maven.apache.org/shared/maven-filtering/ resolve-plugins
117 org.codehaus.plexus:[email protected] http://plexus.codehaus.org/plexus-components/plexus-interpolation resolve-plugins

Report created by dirty-waters.

Report created on 2025-03-21 10:29:56

  • Tool version: 662a286b
  • Project Name: chains-project/sbom.exe
  • Project Version: HEAD

@algomaster99
Copy link
Member Author

@randomicecube just noticed the report! Thanks! I will take a look at this later this week ;)

@algomaster99 algomaster99 mentioned this pull request Mar 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@algomaster99 @randomicecube