sbom generation of dependencies seems inaccurate [372738561]

Assigned

Bug

Status Update

No update yet.

Description

au...@google.com

created issue #1

Oct 10, 2024 08:44PM

sbom generation of dependencies seems inaccurate.

Take androidx.compose.ui:ui, this project does not depend on protobuf-java, but sbom claims that it does, see https://ci.android.com/builds/submitted/12483557/androidx/latest/sboms%2Fandroidx%2Fcompose%2Fui%2Fui%2F1.8.0-alpha04%2Fui-1.8.0-alpha04.spdx.json

Looking at the dependencies of this project, it has protobuf-java in some detached configuration, but that should not be contributing to sbom as it is likely just used by some tool.

Comments

au...@google.com <au...@google.com> #2Oct 10, 2024 08:46PM

Project: platform/frameworks/support
Branch: androidx-main
Author: Radha Nakade <radhanakade@google.com>
Link: https://android-review.googlesource.com/3510337

Migrate traffic from pixel2 to mediumphone on FTL emulators.

Expand for full commit details

Migrate traffic from pixel2 to mediumphone on FTL emulators. 
 
Bug: 396715333 
 
Test: ./gradlew emoji2:emoji2-emojipicker:ftlmediumphoneapi33 
Change-Id: If5555443ca1a91479128e1bd6f4f909154c40ba2

Files:

M buildSrc/private/src/main/kotlin/androidx/build/FtlRunner.kt

Hash: c76f8094154101867327912e659ae47509755957
Date: Wed Feb 26 11:27:46 2025

au...@google.com <au...@google.com> #3Oct 10, 2024 08:47PM

alanv: it seems that this might be the cause why external folks were getting cve alerts for compose.

au...@google.com <au...@google.com> #4Oct 10, 2024 08:58PM

asfalcone@ can you please triage this?

as...@google.com <as...@google.com> #5Oct 10, 2024 09:57PM

We don't use the sboms to determine dependencies for vulnerability scanning. We use .pom files and other scanners like Snyk use build.gradle. While I agree that these sbom files are inaccurate, I don't believe this is higher than a P1 and can be resolved in the next month.

al...@google.com <al...@google.com> #6Oct 14, 2024 01:34PM

If they are doing more harm than good at the moment, can we disable them and take down any incorrect published files?

Message last modified on Oct 15, 2024 04:30PM

as...@google.com <as...@google.com> #7Oct 21, 2024 12:57PM

Planning to disable SBOMB generation as KGP upgrade to 2.1.0-* breaks SBOMs even further. Will re-enable in early 2025.

au...@google.com <au...@google.com> Oct 22, 2024 04:35PM

Assigned to au...@google.com.

fs...@google.com <fs...@google.com> #8Oct 31, 2024 01:20PM

I looked into this a bit and I'm starting to think the sbom might actually be correct. The compose-ui aar contains an inspector.jar which contains protobuf classes in classes.dex, and it seems like that's intentional according to aosp/1206705.

So, it's not a dependency of compose-ui itself, but it does exist in the aar, which I would think makes the sbom accurate but confusing. However if it's not, it would be simple to ignore anything added as a part inspector.jar. Does that seem correct?

fs...@google.com <fs...@google.com> #9Nov 5, 2024 07:43PM

Also I should have mentioned that the inclusion of the inspector.jar contents also seems very intentional from the work Jeff did to make those dependencies visible aosp/2528379.

aurimas@google.com what do you think? Is it correct to include those dependencies in the sbom?