On 2024-05-13 at 22:52, Piotr P. Karwasz wrote:

If the CycloneDX Maven plugin learns to use those SBOMs as metadata source instead of POM files, your problem should be solved.

I'm not familiar with CycloneDX, but I think that if any SBOM is used with a shaded artifact, then the metadata should say that the dependencies have been transformed that way. For modular dependencies, shading the artifact has major impacts: it breaks module encapsulation, potentially creating security holes that did not exist in the original libraries. For non-modular dependencies, the impacts are typically smaller, but not necessarily null. For example, a library could perform security checks based on package names, and those checks may become invalid if the packages have been renamed. It does not mean that SBOMs are useless, but I think that shading is a very significant transformation that should be declared in the metadata, and not give the impression that the dependencies are in their original form.

    Martin
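As an added example (not code from this thread or from the CycloneDX project), a small Python check in the spirit of Martin's point: given the component list of a CycloneDX JSON SBOM and the class entries of a jar, it flags components whose packages only appear under a relocation prefix, i.e. shading the SBOM did not declare. The SBOM fragment, the jar listing and the heuristic that a library's root package equals its Maven groupId are constructed assumptions.

```python
import json
import zipfile
from typing import Iterable

# Constructed CycloneDX-style SBOM fragment (not from the thread): three Maven components.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "group": "org.example.parser", "name": "parser-lib", "version": "1.2.0"},
    {"type": "library", "group": "org.example.util", "name": "util-lib", "version": "4.0.1"},
    {"type": "library", "group": "org.example.missing", "name": "missing-lib", "version": "0.9"},
]})

# Constructed class listing of a shaded jar: parser-lib kept its packages, util-lib was
# relocated under "shaded/", and missing-lib is declared in the SBOM but not present.
SAMPLE_JAR_ENTRIES = [
    "org/example/parser/Tokenizer.class",
    "shaded/org/example/util/Strings.class",
    "shaded/org/example/util/io/Files.class",
    "com/mycompany/app/Main.class",
    "META-INF/MANIFEST.MF",
]


def jar_class_entries(jar_path: str) -> list[str]:
    """Class entries of a real jar on disk (a jar is a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]


def relocation_report(sbom_json: str, jar_entries: Iterable[str]) -> dict[str, str]:
    """Classify each SBOM component as intact, relocated or absent in the jar.

    Assumed heuristic: a library's root package equals its Maven groupId, so the
    component org.example.util is expected at org/example/util/ inside the jar.
    """
    classes = [e for e in jar_entries if e.endswith(".class")]
    report: dict[str, str] = {}
    for comp in json.loads(sbom_json)["components"]:
        expected = comp["group"].replace(".", "/") + "/"
        verdict = "absent"
        for entry in classes:
            if entry.startswith(expected):
                verdict = "intact"
                break
            idx = entry.find("/" + expected)
            if idx >= 0:  # package is present, but only under an extra prefix
                verdict = f"relocated under {entry[:idx + 1]}"
                break
        report[f"{comp['group']}:{comp['name']}"] = verdict
    return report
```

On a real artifact, pass `jar_class_entries("path/to/shaded.jar")` as the second argument; any "relocated under" verdict means the SBOM describes a dependency that no longer exists in its original packaging.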
