Hi Syft Team,
I tried to generate an SBOM for an application based on a Maven pom.xml using the new feature to gather transitive dependencies. So when enabling SYFT_JAVA_RESOLVE_TRANSITIVE_DEPENDENCIES and executing a scan with Syft, the result was a huge number of packages, which did not seem quite clear to me. Looking into it in more detail, I figured that Syft also considers dependencies with e.g. the scope "test" or "provided" as transitive dependencies. This was unexpected, at least for me. Usually, when looking into transitive dependencies of Java components, I would only think of dependencies with the scope "compile" (and again their dependencies with the scope "compile", etc.). Just to give you a simple sample:
With this pom.xml:

    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>com.example</groupId>
      <artifactId>commons-compress-example</artifactId>
      <version>1.0-SNAPSHOT</version>
      <dependencies>
        <dependency>
          <groupId>org.apache.commons</groupId>
          <artifactId>commons-compress</artifactId>
          <version>1.27.0</version>
        </dependency>
      </dependencies>
    </project>
Syft will create an SBOM (e.g. in CycloneDX format) with 167 components. I would only expect a few (these: Open Source Insights).
So now I am not sure whether my expectation is not correct or maybe I am using Syft with incorrect parameters. I would appreciate any hint.
Best
Dirk
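The difference the report describes (every declared dependency pulled in versus Maven's scope-aware rule, under which "test" and "provided" entries of a dependency are never propagated to the consumer) can be shown on a small in-memory dependency graph. The following is an added, stand-alone example, not code from Syft or from the reporter; the artifact names (lib-a, lib-b, ...) and their declared scopes are constructed for illustration and do not represent the real commons-compress dependency tree. It applies Maven's transitive-scope table directly so the two resolution strategies can be compared side by side.

```go
package main

import (
	"fmt"
	"sort"
)

// Scope is a Maven dependency scope as declared in a pom.xml.
type Scope string

const (
	Compile  Scope = "compile"
	Provided Scope = "provided"
	Runtime  Scope = "runtime"
	Test     Scope = "test"
)

// Dep is one <dependency> entry: the artifact it points to and its declared scope.
type Dep struct {
	Artifact string
	Scope    Scope
}

// Graph maps an artifact to the dependencies declared in that artifact's own pom.
type Graph map[string][]Dep

// transitiveScope applies Maven's scope-mediation table: given the scope under
// which the parent was reached and the scope the parent declares for a child,
// it returns the effective scope of the child, or ok=false when the child is
// not propagated at all (test and provided dependencies of a dependency never are).
func transitiveScope(parent, declared Scope) (Scope, bool) {
	switch declared {
	case Test, Provided:
		return "", false
	case Compile:
		return parent, true // compile inherits the parent's scope
	case Runtime:
		if parent == Compile {
			return Runtime, true // compile -> runtime becomes runtime
		}
		return parent, true // provided/runtime/test parents keep their scope
	}
	return "", false
}

// Resolve walks the graph from root. With mavenRules=true it follows the scope
// table above; with mavenRules=false it naively includes every declared
// dependency of every reachable artifact, regardless of scope.
// The first path to an artifact wins (nearest-wins), which is enough for this demo.
func Resolve(g Graph, root string, mavenRules bool) map[string]Scope {
	result := map[string]Scope{}
	var walk func(artifact string, parent Scope, direct bool)
	walk = func(artifact string, parent Scope, direct bool) {
		for _, d := range g[artifact] {
			scope := d.Scope // direct dependencies keep their declared scope
			if !direct && mavenRules {
				s, ok := transitiveScope(parent, d.Scope)
				if !ok {
					continue
				}
				scope = s
			}
			if _, seen := result[d.Artifact]; seen {
				continue
			}
			result[d.Artifact] = scope
			walk(d.Artifact, scope, false)
		}
	}
	walk(root, Compile, true)
	return result
}

// SampleGraph is a constructed graph (not a real project) with one compile-scoped
// and one test-scoped direct dependency, each bringing its own mixed-scope children.
func SampleGraph() Graph {
	return Graph{
		"app":   {{"lib-a", Compile}, {"junit", Test}},
		"lib-a": {{"lib-b", Compile}, {"lib-c", Provided}, {"lib-d", Runtime}, {"mockito", Test}},
		"lib-b": {{"lib-e", Compile}},
		"lib-d": {{"lib-f", Compile}},
		"junit": {{"hamcrest", Compile}},
	}
}

// SortedNames returns the resolved artifact names in a stable order for display.
func SortedNames(r map[string]Scope) []string {
	names := make([]string, 0, len(r))
	for n := range r {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	g := SampleGraph()
	for _, rules := range []bool{false, true} {
		r := Resolve(g, "app", rules)
		fmt.Printf("mavenRules=%v -> %d artifacts\n", rules, len(r))
		for _, n := range SortedNames(r) {
			fmt.Printf("  %-9s %s\n", n, r[n])
		}
	}
}
```

Running it lists 9 artifacts for the naive walk but only 7 under Maven's rule: lib-c (provided) and mockito (test) are declared by lib-a, not by the application, so Maven never makes them part of the application's tree, while hamcrest arrives with scope test because it is reached only through junit.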