On 2024-05-13 at 22:52, Piotr P. Karwasz wrote:
> If the CycloneDX Maven plugin learns to use those SBOMs as metadata
> source instead of POM files, your problem should be solved.
I'm not familiar with CycloneDX, but I think that if any SBOM is used
with a shaded artifact, then the metadata should say that the
dependencies have been transformed that way. For modular dependencies,
shading the artifact has major impacts: it breaks module encapsulation,
potentially creating security holes that did not exist in the original
libraries. For non-modular dependencies, the impacts are typically
smaller, but not necessarily null. For example, a library could perform
security checks based on package names, and those checks may become
invalid if the packages have been renamed. It does not mean that SBOMs
are useless, but I think that shading is a very significant
transformation that should be declared in the metadata, and not give the
impression that the dependencies are in their original form.
Martin
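As an added illustration of the point above (example code, not from this thread, the CycloneDX project or the Maven shade plugin): a small Python check that detects relocated packages in a shaded JAR and records the transformation on the matching CycloneDX components. The purl-to-package mapping, the sample JAR entries and SBOM, and the property name are all assumptions constructed for the example.

```python
"""Flag relocated (shaded) dependencies in a CycloneDX JSON SBOM."""
import json
import zipfile

# Assumption: CycloneDX has no official key for shading, so this example
# uses a namespaced property name chosen for illustration only.
SHADE_PROPERTY = "example:maven-shade:relocated-prefix"

# Constructed sample: purl -> original package path of each dependency.
EXPECTED_PACKAGES = {
    "pkg:maven/org.example/lib-a@1.0.0": "org/example/liba/",
    "pkg:maven/org.example/lib-b@2.3.1": "org/example/libb/",
}
# Constructed sample: class entries of a shaded JAR (lib-a relocated, lib-b not).
SAMPLE_ENTRIES = [
    "org/example/app/Main.class",
    "org/example/app/shaded/org/example/liba/Guard.class",
    "org/example/app/shaded/org/example/liba/Util.class",
    "org/example/libb/Api.class",
]
# Constructed sample: minimal CycloneDX 1.5 JSON SBOM for that JAR.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "purl": p, "name": p.split("/")[2].split("@")[0]}
    for p in EXPECTED_PACKAGES]}


def jar_class_entries(jar_path):
    """Return the .class entry names of a real JAR (zip) file."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n.endswith(".class")]


def find_relocations(class_entries, expected_packages):
    """Map each purl to the prefix its classes were relocated under, or None.

    A component counts as relocated when none of its classes sit at the
    original package path but some sit under '<prefix><original package>'.
    """
    result = {}
    for purl, pkg in expected_packages.items():
        if any(e.startswith(pkg) for e in class_entries):
            result[purl] = None  # present in its original form
            continue
        prefixes = {e[: e.index("/" + pkg) + 1] for e in class_entries if "/" + pkg in e}
        result[purl] = min(prefixes, key=len) if prefixes else None
    return result


def annotate_sbom(sbom, relocations):
    """Record shading on affected components via a pedigree note and a property."""
    for comp in sbom.get("components", []):
        prefix = relocations.get(comp.get("purl"))
        if prefix is None:
            continue
        comp.setdefault("pedigree", {})["notes"] = (
            f"Relocated by shading under '{prefix}'; original package names "
            "and module boundaries are not preserved.")
        comp.setdefault("properties", []).append({"name": SHADE_PROPERTY, "value": prefix})
    return sbom


if __name__ == "__main__":
    found = find_relocations(SAMPLE_ENTRIES, EXPECTED_PACKAGES)
    print(json.dumps(annotate_sbom(SAMPLE_SBOM, found), indent=2))
```

For a real artifact, replace SAMPLE_ENTRIES with jar_class_entries("path/to/shaded.jar") and load the plugin's generated SBOM instead of SAMPLE_SBOM.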