This is something I've been thinking about for a while: a (Maven) project
should not have optional dependencies. It just makes a mess in the end and
usually surprises users with class not found errors at runtime.

This makes more sense if you split up a project into a multi-module (Maven)
project to only bring in required dependencies in the module that actually
needs them.

Then I can add a check (somehow) that warns me (or fails) if my POMs use
optional dependencies. Another informative check would be if transitive
dependencies have optional dependencies.

Gary
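
One way to implement the POM check described above, as an added example that is not part of this thread or of any Apache project: it parses the Maven POM namespace with the standard library, flags every dependency declared with `<optional>true</optional>` (top level and inside profiles), and returns a non-zero status for a CI gate. The sample POM is constructed for the example; running `find_optional_deps` over the POMs of resolved transitive dependencies (e.g. from the local repository) gives the second, informative check.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _text(el, tag):
    # Text of a child element such as <groupId>, empty string if absent.
    return (el.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip()


def find_optional_deps(pom_xml):
    """Return [(groupId, artifactId, where)] for each <optional>true</optional> dependency."""
    root = ET.fromstring(pom_xml)
    blocks = [("dependencies", root.find("m:dependencies", NS))]
    for prof in root.findall("m:profiles/m:profile", NS):
        blocks.append((f"profile:{_text(prof, 'id')}", prof.find("m:dependencies", NS)))
    found = []
    for where, deps in blocks:
        for dep in (deps.findall("m:dependency", NS) if deps is not None else []):
            if _text(dep, "optional").lower() == "true":
                found.append((_text(dep, "groupId"), _text(dep, "artifactId"), where))
    return found


# Constructed sample POM (not a real project): one optional dependency at top level, one in a profile.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>foo</artifactId>
      <version>1.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>bar</artifactId>
      <version>1.0</version><optional>true</optional></dependency>
  </dependencies>
  <profiles><profile><id>extra</id><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>baz</artifactId>
      <optional> TRUE </optional></dependency>
  </dependencies></profile></profiles>
</project>"""


def check_files(paths):
    # Print each offending dependency; return 1 if any were found (fail the build), else 0.
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for gid, aid, where in find_optional_deps(fh.read()):
                print(f"{path}: optional dependency {gid}:{aid} in {where}")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(check_files(sys.argv[1:]))
```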

On Mon, Feb 19, 2024, 12:12 PM Piotr P. Karwasz <piotr.karw...@gmail.com>
wrote:

> Hi Arnout,
>
> Wow, great job! Until recently I had to upload SBOMs to Dependency
> Track manually. I suppose you have some sort of script for that?
>
> On Mon, 19 Feb 2024 at 15:20, Arnout Engelen <enge...@apache.org> wrote:
> > More and more Apache projects are producing SBOMs as part of their
> > release process. Challenges producing and consuming SBOMs are definitely
> > on-topic for this list, and ideally we can consolidate that knowledge on
> > the wiki[0]
>
> The first challenge that comes to mind is what version of our
> transitive dependencies should libraries specify in their SBOMs. I
> stress the case of libraries, because for applications it is
> easier: they list the libraries they embed in their distribution.
>
> I am a big fan of Maven's dependency management, so whenever our
> direct dependency `foo` depends on a vulnerable `bar-1.0.0`, I bump
> the version of `bar` in the dependency management section of my
> project to `1.0.1` and the problem is solved! My test suite will run
> using `bar-1.0.1`, my SBOM will contain `bar-1.0.1` and Dependency
> Track will not complain.
>
> However this is just a trick: users of my library will still have
> `bar-1.0.0` on their classpath, unless they also bump the version of
> `bar` or the `foo` project releases a version that depends on
> `bar-1.0.1`.
>
> There is also another solution in Maven: I could add `bar` as a direct
> dependency of my project and bump its version to `1.0.1`. This way
> users can also benefit from the version bump, but this adds additional
> maintenance work: Dependabot will track new versions of `bar` and the
> list of project dependencies becomes long and messy.
>
> What do you think we should do in this case?
>
> > If you know of any other projects to include, would like help setting up
> > SBOM publishing for your project, contribute 'nightly' SBOM snapshots, or
> > discuss other things SBOM, I'm all ears!
>
> It would be nice to integrate Dependency Track into our release
> process. If the process of uploading SBOMs to Dependency Track is
> simplified, I could:
>
>  * compile a snapshot,
>  * check if there are dependency alerts (Dependabot gives us alerts
> for direct dependencies, but not the transitive ones),
>  * bump the vulnerable transitive dependency versions (if possible),
>  * prepare a release candidate.
>
> Piotr
>
