
Jenkins-core with minimal version is included in bom.json when running makeAggregateBom for a Jenkins plugin #588

Open
Bruceliu-rs opened this issue Dec 17, 2024 · 6 comments

Comments

@Bruceliu-rs

Bruceliu-rs commented Dec 17, 2024

I am trying to create bom.json for many Jenkins plugins, but I found that the generated bom.json includes the jenkins-core dependency with the minimal version declared in the plugin's pom.xml. Here is a sample for the artifactory plugin: https://github.com/jenkinsci/artifactory-plugin.
My Jenkins version (2.479.2) is much higher than the minimal version (2.263.1). After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has been upgraded to 2.479.2. Is there any way to exclude this dependency? I tried -DexcludeArtifactId, but the jenkins-core artifactId doesn't exist in the pom.xml.

Here is the version defined in pom.xml.
...
<jenkins.version>2.263.1</jenkins.version>
<java.level>8</java.level>
...

Here is the dependency generated in bom.json.
......
"type" : "library",
"bom-ref" : "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar",
"group" : "org.jenkins-ci.main",
"name" : "jenkins-core",
"version" : "2.263.1",
"description" : "Jenkins core code and view files to render HTML.",
......

I manually added this plugin to the artifactory plugin's pom.xml.
......
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.9.1</version>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
......
Did I do anything wrong?

Thanks. Any comments are welcome.

@Bruceliu-rs
Author

May I have some update please? Thanks.

@hboutemy
Contributor

hboutemy commented Jan 7, 2025

I am trying to create bom.json for many Jenkins plugins, but I found that the generated bom.json includes the jenkins-core dependency with the minimal version declared in the plugin's pom.xml,

My Jenkins version(2.479.2) is much higher than the minimal version(2.263.1)

cyclonedx-maven-plugin works at build time, then reports on build dependencies: no surprise it knows only about build-time versions, and not each and every runtime from every user.

After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has upgraded to 2.479.2

I see the consequence, yes.

It seems you're not interested in build time but in runtime (like OBOM): that's not the purpose of cyclonedx-maven-plugin.
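
As an added example (not code from the issue, cyclonedx-maven-plugin or Dependency-Track), the post-processing step a BOM consumer can apply to the situation above: pin the jenkins-core entry of a generated bom.json to the version actually verified on the running controller before upload, rewriting every dangling reference. The sample BOM, the plugin's own coordinates and the `pin_runtime_version` / `stale_refs` helpers are constructed for this example.

```python
import json

# Constructed sample in the shape the issue shows: bom-ref, purl and the
# dependency graph all embed the build-time minimum jenkins-core version.
# The plugin's own coordinates are a placeholder, not the real artifactory purl.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{
        "type": "library",
        "bom-ref": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar",
        "group": "org.jenkins-ci.main", "name": "jenkins-core",
        "version": "2.263.1",
        "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar",
    }],
    "dependencies": [{
        "ref": "pkg:maven/example.placeholder/some-plugin@1.0.0?type=hpi",
        "dependsOn": ["pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar"],
    }],
}


def pin_runtime_version(bom: dict, group: str, name: str, runtime_version: str) -> tuple:
    """Return (copy of bom with one component pinned to runtime_version, rewrite count).

    The bom-ref and purl embed the version, so every 'ref' / 'dependsOn' entry
    pointing at the old bom-ref is rewritten too, or the dependency graph dangles.
    """
    bom = json.loads(json.dumps(bom))  # deep copy: never mutate the caller's BOM
    target = next(c for c in bom["components"]
                  if c.get("group") == group and c.get("name") == name)
    old_version, old_ref = target["version"], target["bom-ref"]
    new_ref = old_ref.replace(f"@{old_version}", f"@{runtime_version}", 1)
    target["version"], target["bom-ref"] = runtime_version, new_ref
    if "purl" in target:
        target["purl"] = target["purl"].replace(f"@{old_version}", f"@{runtime_version}", 1)
    rewritten = 1
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == old_ref:
            dep["ref"], rewritten = new_ref, rewritten + 1
        deps_on = dep.get("dependsOn", [])
        for i, ref in enumerate(deps_on):
            if ref == old_ref:
                deps_on[i], rewritten = new_ref, rewritten + 1
    return bom, rewritten


def stale_refs(bom: dict, ref: str) -> int:
    """Count occurrences of `ref` left anywhere in the serialized BOM (expect 0 after pinning)."""
    return json.dumps(bom).count(ref)
```

The rewrite is only honest once the controller version has actually been confirmed; it records what is deployed, it does not make the plugin's build-time declaration wrong.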

@Bruceliu-rs
Author

Thanks for the reply. Yes, we are mainly interested in run time. We are trying syft now. Thanks.

@hboutemy
Contributor

hboutemy commented Jan 9, 2025

I'm interested to know how you expect to use syft on a Jenkins plugin and what results you get:

  • cyclonedx-maven-plugin is run against source code in GH
  • you run syft against what, please?

Thinking out loud: a Jenkins plugin is not distributed as a container image but, IIRC, as an .hpi file. Is it about running syft against the .hpi? What results does it bring?

@Bruceliu-rs
Author

Yes, luckily syft supports .jpi and .hpi format, so it will generate the cyclone json file directly. The cmd is something like this: syft ./artifactory.jpi -o cyclonedx-json=artifactory.sbom.json

@hboutemy
Contributor

FTR: the use case cited here helped me dig into more use cases for CycloneDX/specification#578.
We'll probably have to update the cyclonedx-maven-plugin approach in the future.
