Skip to content

Multi variant#178

Merged
loosebazooka merged 2 commits into
mainfrom
multi-variant
Jul 9, 2026
Merged

Multi variant#178
loosebazooka merged 2 commits into
mainfrom
multi-variant

Conversation

@loosebazooka

@loosebazooka loosebazooka commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

fixes #177
fixes #115

We have to keep track of all the files that are referenced from a single component. Unlike maven, gradle treats them all as a single "component" -- so differentiating them is a bit weird. But even maven does it a bit weird -- potentially assigning dependencies to a variant that does not explicitly define any.

If a component is represented by multiple artifacts, create a logical component for it and add in all artifacts via a "CONTAINS" relationship. According to gemini, analysis tools should use this as a signal that it's a local parent of multiple files.

                           ┌────────────────────────────┐
                           │    rootPackage (main)      │
                           └─────────────┬──────────────┘
                                         │
                                     DEPENDS_ON
                                         │
                                         ▼
                    ┌──────────────────────────────────────────┐
                    │ org.xmlresolver:xmlresolver (container)  │
                    └──────────┬──────────────┬──────────┬─────┘
                               │              │          │
    			                 CONTAINS       CONTAINS    DEPENDS_ON
                               │              │          │
                               ▼              ▼          ▼
                ┌──────────────┴──────┐ ┌─────┴──────┐ ┌─┴───────────┐
                │  xmlresolver (jar)  │ │xmlresolver │ │ httpclient5 │
                │                     │ │ (data)     │ │ (jar)       │
                └─────────────────────┘ └────────────┘ └─────────────┘

I don't think this behavior is ideal in the case where a subproject is bringing in a different variant of module that the root project is, as we lose some information about which project truly depends on a component. But for security analysis, at worst, this might attribute the dependency to an extra project (but configuring a project like this is probably weird anyway).

Signed-off-by: Appu <appu@google.com>
@loosebazooka
loosebazooka requested review from lumjjb and mathjeff July 8, 2026 18:12

@mathjeff mathjeff left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Unrelated: we're back from Singapore so I'm approximately in the same time zone again)

Comment thread src/main/java/org/spdx/sbom/gradle/utils/SpdxDocumentBuilder.java Outdated
@loosebazooka
loosebazooka force-pushed the multi-variant branch 2 times, most recently from 8912f57 to 45d988b Compare July 8, 2026 19:19
@loosebazooka

loosebazooka commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator Author

I actually think I might want to this differently by creating a logical grouping for each component type: "xmlresolver" and then adding a contains relationship on each of variants "xmlresolver.java" and "xmlresolver-data.jar". BRB with new impl.

@loosebazooka
loosebazooka force-pushed the multi-variant branch 3 times, most recently from 3e660b8 to b1a36c8 Compare July 8, 2026 20:06
@loosebazooka

Copy link
Copy Markdown
Collaborator Author

The classifier problem is a bit weird because it's a weird pattern:

  1. It's not clear if the non-main jars/files should resolve the dependency tree (does lib-x.amd64 really need the full dependency tree of lib-x.jar?)
  2. Classified artifacts should probably just each be their own package (and we can represent that in spdx)
  3. Spdx 3.0 has the concept of bundle which I think fits logically nice here and if we move to generating spdx3.0 content, it would make more sense.

In the end, variants seem to be bad but we can kind of handle them here.

If a component is represented by multiple artifacts, create a
logical component for it and add in all artifacts via a
"CONTAINS" relationship -- according to gemini, analysis tools
should use this as a signal that it's a local parent of multiple
files.

Also modify purl extraction to include classifier and type

Signed-off-by: Appu <appu@google.com>
@loosebazooka
loosebazooka merged commit 81b3bda into main Jul 9, 2026
1 check passed
@loosebazooka
loosebazooka deleted the multi-variant branch July 9, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Error "cannot merge duplicate" when building sbom Resolved external artifacts reconciliation throwing IllegalStateException

2 participants