Navigation

    Inedo Community Forums

    Forums
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. christian.georg_5533
    3. Posts
    C
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    Posts made by christian.georg_5533

    • RE: SBOM Dependency Tree is lost when importing and exporting

      Hi Alana,
      thanks for your response. The main beenfit of the depenency tree is to understand what needs to be done to get ridd of a certain component. If there is a component in your supply chain that you would like to get ridd of, then there is a big diference if this is a direct dependency that you included and that could possible be solved quite easily or if this is a component that is part of another direct dependecy (or even multiple other dependencies) where you would neet do remove the direct dependencie(s).

      I do however understand from your response that keeping the dependency tree is not planned in the near future and that using ProGet as a central SBOM Repository to enable further workflows which need the dependency tree is not the way to go as the focus of Proget is the management of the feeds and providing validated and approved packages
      Best regards
      Chris

      posted in Support
      C
      christian.georg_5533
    • RE: SBOM Dependency Tree is lost when importing and exporting

      Hi Dan,
      thanks for following this up. I cannot provide you with one of our internal SBOMs but I can replicate the same behaviour with external examples, likte the sbom postet here:
      https://github.com/CycloneDX/bom-examples/blob/master/SBOM/keycloak-10.0.2/bom.json

      This original SBOM has a dependencies secion showing the hierarchie of the packages and thus allowing us to distringuish between direct dependencies and transitive dependencies which cannot always be controlled in the way we would like to.

      "dependencies": [
    {"ref": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.62?type=jar"},
    {"ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.62?type=jar"},
    {"ref": "pkg:maven/org.jboss.logging/jboss-logging@3.4.1.Final?type=jar"},
    {"ref": "pkg:maven/com.sun.activation/jakarta.activation@1.2.1?type=jar"},
    {
      "ref": "pkg:maven/org.keycloak/keycloak-common@10.0.2?type=jar",
      "dependsOn": ["pkg:maven/com.sun.activation/jakarta.activation@1.2.1?type=jar"]
    },
    {"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.10.1?type=jar"},
    {
      "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.1?type=jar",
      "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.10.1?type=jar"]
    },
...
]

      When importing this section and exporting it from proget 2025.25 build 11 the complete dependencies section is missing and therefore any information on the dependency hierarchie.

      Best regards

      Chris

      posted in Support
      C
      christian.georg_5533
    • SBOM Dependency Tree is lost when importing and exporting

      Hi There,
      I am currently evaluating ProGet for SBOM management and one of the things I have noticed is that proget is not creating a dependency tree showing which dependencies are direct dependencies and which dependencies are only transitive dependencies. When importing an SBOM including the dependencies and then exporting it again the dependency information is lost.

      Am I doing something wrong here or is there no way to preserve the dependency information in the SBOM

      Thanks
      Chris

      posted in Support
      C
      christian.georg_5533
    • 1 / 1