├── .gitignore
├── LICENSE
├── README.md
├── bin
    └── README.md
├── eval-sboms.sh
└── pet
    ├── 2-deptree.txt
    ├── 2-exp-purls.txt
    ├── 3-git-cycl-purls.txt
    ├── 3-git-cycl-sbom.json
    ├── 3-git-cycl-sbom.log
    ├── 3-git-syft-purls.txt
    ├── 3-git-syft-sbom.json
    ├── 3-git-syft-sbom.log
    ├── 3-git-triv-purls.txt
    ├── 3-git-triv-sbom.json
    ├── 3-git-triv-sbom.log
    ├── 4-jartf.txt
    ├── 4-pkg.log
    ├── 5-pkg-jbom-purls.txt
    ├── 5-pkg-jbom-sbom.json
    ├── 5-pkg-jbom-sbom.log
    ├── 5-pkg-syft-purls.txt
    ├── 5-pkg-syft-sbom.json
    ├── 5-pkg-syft-sbom.log
    ├── 6-img-syft-purls.txt
    ├── 6-img-syft-sbom.json
    ├── 6-img-syft-sbom.log
    ├── 6-img-triv-purls.txt
    ├── 6-img-triv-sbom.json
    ├── 6-img-triv-sbom.log
    ├── 7-run-jbom-purls.txt
    ├── 7-run-jbom-sbom.json
    ├── 7-run-jbom-sbom.log
    └── sbom.log


/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
bin/syft
bin/trivy
bin/jbom.jar


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
This repository facilitates the evaluation and comparison of SBOM generators for
Java/Maven development projects.

The bash script `eval-sboms.sh` processes dependencies of a given Maven project
on one side, and creates SBOMs in CycloneDX format on the other side (using
different SBOM generators at different points in time). Package URLs (PURLs) are
extracted from both ends to determine SBOM true-positives (components correctly
reported), false-negatives (components missing in the SBOM) and
[recall](https://en.wikipedia.org/wiki/Precision_and_recall).

Notes:
- The SBOM generators considered are [Eclipse jbom](https://github.com/eclipse/jbom/), [Syft](https://github.com/anchore/syft/), [Trivy](https://github.com/aquasecurity/trivy/) and the [CycloneDX Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).
- By default, the script only considers Maven dependencies with scope `compile`
  and `runtime`.
- The evaluation relies on component PURLs only. Other identifiers such as the
  simple component name or digest, where present, are not considered.

## Prerequisites

- Git
- Java and Maven (the required versions depend on the project analyzed)
- [jq v1.6](https://stedolan.github.io/jq/)
- SBOM generators `bin/jbom.jar`, `bin/syft` and `bin/trivy` (see the respective download page)

## Run the script

Details of the Maven project to be analyzed are specified through shell
variables in the header of the script.

The current values point to [Spring Boot
PetClinic](https://github.com/spring-petclinic/spring-petclinic-rest) (REST)
v2.6.2, which produces an executable JAR and which has also been published on
Docker Hub.

Starting the script via `./eval-sboms.sh --dir pet` will create a new folder
`pet` into which the project will be cloned and where the SBOM generators will
be run at different lifecycle stages according to the following matrix (also see
`./eval-sboms.sh --help`):

```
Lifecycle Stage            | CycloneDX Maven Plugin | Eclipse jbom | Syft | Trivy
-------------------------- | ---------------------- | ------------ | ---- | -----
After git clone with dir   | x                      |              | x    | x
After mvn package with JAR |                        | x            | x    |
With Docker image          |                        |              | x    | x
At JAR runtime             |                        | x            |      |
```

The script output is structured into several steps, e.g., cloning the project or
packaging the Maven project, and most steps produce one or more files prefixed
with the respective step number. `2-exp-purls.txt`, for instance, contains the
PURLs that will be expected in the generated SBOMs and which are used to
determine TP, FN and recall.

The commands used to invoke the SBOM generators are printed to the console,
prefixed with `+ `, in order to re-run single generators, e.g., to reproduce
single SBOMs or change configuration options.

Here is some sample output up to step 3:

```
Check prerequisites: OK

1) Clone repo https://github.com/spring-petclinic/spring-petclinic-rest into folder pet
   Checkout commit ee236caf798dde6ead7ab0726fb1cea96ca398ae

2) Resolve dependencies declared in pet/./pom.xml

   Raw text output in pet/2-deptree.txt contains the following deps:
   - 99 compile
   - 6 runtime
   - 0 provided
   - 0 system
   - 26 test

   SBOM true-positives (TP), false-negatives (FN) and recall will be computed for deps with scope(s): compile,runtime
   pet/2-exp-purls.txt - 105 PURLs have such scope(s)

3) Create SBOMs with directory

   Invoke CycloneDX (cycl): OK
   + mvn -DoutputFormat=json -DoutputDirectory=pet -DoutputName=3-git-cycl-sbom org.cyclonedx:cyclonedx-maven-plugin:2.7.5:makeBom -f pet/pom.xml > pet/3-git-cycl-sbom.log 2>&1
   pet/3-git-cycl-purls.txt - Contains 105 component PURLs in SBOM pet/3-git-cycl-sbom.json (TP = 105, FN = 0, recall = 1.00)
```

## DIY - Run script on other Maven projects

To scan other Maven projects, simply create a copy of the script and specify the following
variables in the script header:
```
repo=
commit=
name=
version=
image=            # Leave empty if there's no Docker image to scan
jar=
executable_jar=   # True if the JAR can be started with 'java -jar', false otherwise
prj_path="."      # Relative path from Git to folder with pom.xml
```

For example, the following can be used to scan the [OWASP
Webgoat](https://github.com/WebGoat/WebGoat) application, another Spring Boot
application published as Docker image:
```
repo=https://github.com/WebGoat/WebGoat.git
commit=3fd66ee9d94ae2673bff0867eeda5fadfd7a8dde
name=webgoat
version=2023.4
image=webgoat/webgoat:v2023.4
jar=$name-$version.jar
executable_jar=true
prj_path="."
```

Maven projects that do not use the default `project.build.directory` (target) or
whose JARs require additional system properties when started with `java -jar`
require further script adjustments.

## Adding SBOM generators

To add a new SBOM generator, it is sufficient to invoke it with function
`run_sbom_generator` in one of the following functions, which correspond to the
different lifecycle stages: `3_sbom_after_clone`, `5_sbom_after_package`,
`6_sbom_with_image` and `7_sbom_at_runtime`.

To follow the existing naming convention, the CycloneDX SBOM should be saved in
JSON format to a file `---sbom.json`, whereby
- `-` should be one of `3-git`, `5-pkg`, `6-img` or `7-run`
- `` should be a short name of the tool

The PURLs will be extracted into a text file `` by calling function
`find_purls_in_json_sbom `, which will also determine TP, FN and
recall.

For example, the following code snippet shows the invocation of Syft in
`6_sbom_with_image`:

```
# Syft
run_sbom_generator "Syft" "./bin/syft packages $image --file $dir/6-img-syft-sbom.json -o cyclonedx-json > $dir/6-img-syft-sbom.log 2>&1"
find_purls_in_json_sbom "$dir/6-img-syft-sbom.json" "$dir/6-img-syft-purls.txt"
```

## Background

The shell script extracts sets of components from a Java/Maven project on one
side, and from generated SBOMs on the other side. Those sets will be stored in
`txt` files that are compared with `comm` to compute the accuracy of an SBOM
with regard to containing the "expected" components.

In the context of this script, we expect an SBOM to contain PURL identifiers for
all Maven compile and runtime dependencies (**where PURL namespace, name and
version correspond to the Maven groupId, artifactId and version**). This subset
of Maven dependencies is required at application runtime, and must be monitored
with regard to known vulnerabilities, which is today's primary SBOM use-case.

You can adjust `expected_mvn_scopes` if you want to consider other scopes.

The decision to focus on PURLs makes it possible to automate this comparison to
a greater extent. They are well-defined and created by all SBOM generators for
most of the reported components, which is not the case for digests or CPEs.

The `txt` files produced during SBOM generation can be easily used to identify
false-negatives, i.e. expected component PURLs not present in the generated
SBOMs. Examples:
- `comm -23 2-exp-purls.txt 3-git-triv-purls.txt` shows all Maven compile/runtime
  dependencies that are not found when running Trivy on the cloned repository.
- `comm -23 2-exp-purls.txt 6-img-syft-purls.txt` shows all Maven compile/runtime
  dependencies not found when running Syft on PetClinic's Docker image.

But what about false-positives? Unfortunately, there are multiple reasons why a
component with a Maven PURL may "unexpectedly" show up in an SBOM, and it depends on
the context whether or not they are considered false-positives.

Cases where the SBOM generator wrongly determines the PURL namespace, name or
version for an expected compile/runtime dependency can be considered
false-positives (there will also be a corresponding false-negative). Maven test
dependencies that appear with a CycloneDX scope other than "excluded" are also
considered false-positives.

The following cases, however, exemplify true-positives that cannot easily be
spotted (or not at all) when considering compile/runtime dependencies in the
Maven dependency tree as ground truth:

- Maven PURLs for JDK libraries found in a Docker image.
- Re-bundled or re-packaged archives, identified on the basis of, e.g., metadata
  or code found in a Java archive.
- Components belonging to application containers, some of which may correspond
  to system/provided dependencies of the Maven project.

The following command exemplifies how to find SBOM components that are not among
the expected ones:
- `comm -13 2-exp-purls.txt 7-run-jbom-purls.txt` shows components of the
  runtime SBOM produced by jbom that are not part of the expected dependencies.

The reasons to cram the whole data collection into one bash script were to
support comprehensibility (by not requiring any other programs and libraries)
and extensibility.
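
The false-positive case described above (a wrong namespace or version that also produces a false-negative) can be separated from the other unexpected PURLs by pairing both `comm` outputs on the artifact name. The following is an added example, not part of `eval-sboms.sh` or this repository; the function names `purl_stats` and `misidentified` and the sample PURL lists are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of eval-sboms.sh. Input: two sorted PURL lists in the
# format the script writes (e.g. 2-exp-purls.txt and 6-img-syft-purls.txt).
export LC_ALL=C   # comm needs the same collation order that sorted the files

# Prints "TP FN UNEXPECTED RECALL" for expected list $1 and SBOM list $2.
purl_stats() (
  tp=$(comm -12 "$1" "$2" | wc -l)
  fn=$(comm -23 "$1" "$2" | wc -l)
  un=$(comm -13 "$1" "$2" | wc -l)
  awk -v tp="$tp" -v fn="$fn" -v un="$un" 'BEGIN {
    total = tp + fn
    printf "%d %d %d %.2f\n", tp, fn, un, (total > 0 ? tp / total : 0)
  }'
)

# Pairs every false-negative with unexpected PURLs that carry the same artifact
# name. Output per pair (tab-separated): expected PURL, reported PURL, and the
# part that differs (namespace, version or namespace+version).
misidentified() (
  fn=$(mktemp) && un=$(mktemp) || exit 1
  trap 'rm -f "$fn" "$un"' EXIT
  comm -23 "$1" "$2" > "$fn"   # expected, but missing in the SBOM
  comm -13 "$1" "$2" > "$un"   # in the SBOM, but not expected
  awk '
    # Splits pkg:maven/<namespace>/<name>@<version> into NS, NAME and VER.
    function parse(purl,   body, n) {
      if (purl !~ "^pkg:maven/[^/]+/[^/@]+@.+$") return 0
      body = substr(purl, 11)                 # drop "pkg:maven/"
      n = index(body, "/"); NS = substr(body, 1, n - 1); body = substr(body, n + 1)
      n = index(body, "@"); NAME = substr(body, 1, n - 1); VER = substr(body, n + 1)
      return 1
    }
    FILENAME == ARGV[1] {                     # first file: false-negatives
      if (parse($0)) { c++; purl[c] = $0; ns[c] = NS; name[c] = NAME; ver[c] = VER }
      next
    }
    parse($0) {                               # second file: unexpected PURLs
      for (i = 1; i <= c; i++) {
        if (name[i] != NAME) continue
        if (ns[i] != NS && ver[i] != VER) why = "namespace+version"
        else if (ns[i] != NS) why = "namespace"
        else why = "version"
        printf "%s\t%s\t%s\n", purl[i], $0, why
      }
    }
  ' "$fn" "$un"
)

# Constructed sample lists (not taken from the pet/ folder of the repository).
write_sample() {
  sort > "$1/exp.txt" <<'EOF'
pkg:maven/ch.qos.logback/logback-classic@1.2.11
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4
pkg:maven/org.springframework/spring-core@5.3.23
pkg:maven/org.yaml/snakeyaml@1.30
EOF
  sort > "$1/sbom.txt" <<'EOF'
pkg:maven/ch.qos.logback/logback-classic@1.2.11
pkg:maven/com.example/bundled-lib@1.0.0
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2
pkg:maven/org.springframework/spring-core@5.3.23
pkg:maven/snakeyaml/snakeyaml@1.30
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "TP FN unexpected recall: $(purl_stats "$demo_dir/exp.txt" "$demo_dir/sbom.txt")"
misidentified "$demo_dir/exp.txt" "$demo_dir/sbom.txt"
```

Unexpected PURLs that `misidentified` does not pair with a false-negative (here `bundled-lib`) fall under the context-dependent cases listed above and still need manual review.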


--------------------------------------------------------------------------------
/bin/README.md:
--------------------------------------------------------------------------------
Install SBOM generators using the following links and make sure to save them
using the mentioned filenames (to match the names used in `eval-sboms.sh`):

- https://github.com/eclipse/jbom/releases/ should be saved as `jbom.jar`
- https://github.com/anchore/syft/releases/ should be saved as `syft`
- https://github.com/aquasecurity/trivy/releases should be saved as `trivy`

The CycloneDX Maven Plugin will be downloaded by Maven and does not need to be
installed.

Other open source SBOM generators that can be included in the future (taken from [CycloneDX Tool Center](https://cyclonedx.org/tool-center/)):
- [Codenotary Community Attestation Service (CAS)](https://github.com/codenotary/cas) (requires a service account)
- [Eclipse SW360 Antenna](https://www.eclipse.org/antenna) (archived in Feb 2021)
- [Scan](https://github.com/ShiftLeftSecurity/sast-scan)
- [Build Info](https://www.buildinfo.org/)


--------------------------------------------------------------------------------
/eval-sboms.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eo pipefail

repo=https://github.com/spring-petclinic/spring-petclinic-rest
commit=ee236caf798dde6ead7ab0726fb1cea96ca398ae    # Commit or tag to check out
name=spring-petclinic-rest
version=2.6.2
image=springcommunity/spring-petclinic-rest:2.6.2  # Leave empty if there's no Docker image to scan
jar=$name-$version.jar
executable_jar=true                                # True if the JAR can be started with 'java -jar', false otherwise
prj_path="."                                       # Relative path from Git to folder with pom.xml

# Requirements:
# - Git, Maven, Java, jq, and the following SBOM generators in subdir bin/
#   - https://github.com/eclipse/jbom/releases/
#   - https://github.com/anchore/syft/releases/
#   - https://github.com/aquasecurity/trivy/releases

RED="\e[1;31m"; GREEN="\e[1;32m"; WHITE="\e[1;37m"; RESET="\e[0m" # ANSI color codes, reset with --disable-color
expected_mvn_scopes=("compile" "runtime") # Scopes expected in generated SBOMs, used to determine TP, FN and recall
scopes_text=$(IFS=, ; echo "${expected_mvn_scopes[*]}")

function help() {
    printf -- "Usage: %s\n\n" "$0"
    printf -- "Clones a Git repo with a Maven project and runs 4 SBOM generators at\n"
    printf -- "4 different lifecycle stages. The Git repo and other settings can be\n"
    printf -- "adjusted in the header of the script.\n\n"
    printf -- "Flags:\n"
    printf -- "  -h, --help            Print this help text\n"
    printf -- "  -d, --dir             Directory into which the repo will be cloned\n"
    printf -- "      --disable-color   Disable ANSI colors in console output\n"
    printf -- "      --keep-git        Keep the repo's .git folder\n"
    printf -- "  -s, --sbom            Extra SBOM in CycloneDX format to evaluate,\n"
    printf -- "                        e.g., downloaded from a commercial generator\n\n"
    printf -- "Lifecycle Stage            | CycloneDX Maven Plugin | Eclipse jbom | Syft | Trivy\n"
    printf -- "-------------------------- | ---------------------- | ------------ | ---- | -----\n"
    printf -- "After git clone with dir   | x                      |              | x    | x \n"
    printf -- "After mvn package with JAR |                        | x            | x    | \n"
    printf -- "With Docker image          |                        |              | x    | x \n"
    printf -- "At JAR runtime             |                        | x            |      | \n\n"
    printf -- "Each SBOM generation produces 3 files:\n"
    printf -- "- SBOM in CycloneDX format: ---sbom.json\n"
    printf -- "- Text file with all PURLS: ---purls.txt\n"
    printf -- "- Console log: ---sbom.log\n\n"
    printf -- "Each SBOM is compared with the Maven project's dependencies to establish\n"
    printf -- "true-positive (TP) SBOM components, false-negatives (FN) and SBOM recall.\n"
    printf -- "${WHITE}Important${RESET}: This happens only on the basis of PURLs obtained from the JSON\n"
    printf -- "SBOM and PURLs constructed from Maven deps with scopes: %s\n\n" "$scopes_text"
    printf -- "Create a copy of this script and adjust lines 3-10 to scan other projects.\n\n"
    printf -- "Feedback \xF0\x9F\x91\x89 https://github.com/endorlabs/sbom-lab \n"
}

# Parse command line args
while [[ $# -gt 0 ]]; do
    key="$1"
    case $key in
        --keep-git)
            keep_git="true"
            shift
            ;;
        --disable-color)
            RED=""; GREEN=""; WHITE=""; RESET=""
            shift
            ;;
        -h|--help)
            help
            exit 0
            ;;
        -d|--dir)
            dir="$2"
            shift
            shift
            ;;
        -s|--sbom)
            other_sbom="$2"
            shift
            shift
            ;;
        *)
            echo "Unknown option: $1"
            help
            exit 1
            ;;
    esac
done

# Check --dir arg
if [ -z "$dir" ]; then
    help
    exit 1
fi
if [ -d "$dir" ]; then
    printf "${RED}ERROR${RESET}: Directory ${WHITE}%s${RESET} already exists\n" "$dir"
    exit 1
fi

exp_count=0 # No. expected components. Set in 2_deptree(), used to compute recall in find_purls_in_json_sbom()
tgt_path="$dir/$prj_path/target"
pom="$dir/$prj_path/pom.xml"

# Checks whether ./bin/jbom.jar, syft and trivy exist.
function check_prerequisites() {
    ok=true
    printf "Check prerequisites:"
    if [ ! -f "./bin/jbom.jar" ]; then
        printf "\n Eclipse jbom - Download JAR from ${WHITE}%s${RESET} to ${WHITE}%s${RESET}" "https://github.com/eclipse/jbom/releases" "./bin/jbom.jar"
        ok=false
    fi
    if [ ! -f "./bin/syft" ]; then
        printf "\n Syft - Download and extract binary from ${WHITE}%s${RESET} to ${WHITE}%s${RESET}" "https://github.com/anchore/syft/releases" "./bin/syft"
        ok=false
    fi
    if [ ! -f "./bin/trivy" ]; then
        printf "\n Trivy - Download and extract binary from ${WHITE}%s${RESET} to ${WHITE}%s${RESET}" "https://github.com/aquasecurity/trivy/releases" "./bin/trivy"
        ok=false
    fi
    if ! jq --help > /dev/null 2>&1; then
        printf "\n jq - Install from ${WHITE}%s${RESET}" "https://stedolan.github.io/jq/"
        ok=false
    fi
    if [ "$ok" == "true" ]; then
        printf " ${GREEN}OK${RESET}\n"
    else
        printf "\n${RED}ERROR${RESET}: One or more prerequisites are not met\n"; exit 1;
    fi
}

# Clone and checkout of Git $repo and $commit into --dir.
function 1_clone() {
    cwd=$(pwd)
    printf "\n1) Clone repo ${WHITE}%s${RESET} into folder ${WHITE}%s${RESET}\n" $repo "$dir"
    git clone $repo "$dir" -q || { printf " ${RED}ERROR${RESET}: Cannot clone repo\n"; exit 1; }
    cd "$dir" || exit
    printf " Checkout commit ${WHITE}%s${RESET}\n" $commit
    git checkout $commit -q || { printf " ${RED}ERROR${RESET}: Cannot checkout commit\n"; exit 1; }
    if [ "$keep_git" != "true" ]; then
        rm -rf .git
    fi
    cd "$cwd" || exit
}

# Saves the raw output of "mvn dependency:tree" in "2-deptree.txt". Extracts all
# dependencies with $expected_mvn_scopes and saves corresponding PURLs in
# "2-exp-purls.txt" (sorted).
function 2_deptree() {
    printf "\n2) Resolve dependencies declared in ${WHITE}%s${RESET}\n" "$pom"
    mvn -q dependency:tree -DoutputType=text -DoutputFile=2-deptree.txt -f "$pom" || { printf " ${RED}ERROR${RESET}: mvn dependency:tree -pl ${WHITE}%s${RESET} failed\n" "$pom"; exit 1; }
    mv "$dir/$prj_path/2-deptree.txt" "$dir/2-deptree.txt"

    # Info
    printf "\n Raw text output in ${WHITE}%s${RESET} contains the following deps:\n" "$dir/2-deptree.txt"
    all_mvn_scopes=("compile" "runtime" "provided" "system" "test")
    for scope in "${all_mvn_scopes[@]}"; do
        count=$(grep ":$scope" "$dir/2-deptree.txt" -c || test $? = 1) # test avoids exit code 1 if given scope is not found by grep
        printf " - ${WHITE}%3d %s${RESET}\n" "$count" "$scope"
    done

    # Write deps with expected scopes into "2-exp-purls.txt" (delete existing file beforehand).
    if [ -f "$dir/2-exp-purls.txt" ]; then
        rm "$dir/2-exp-purls.txt"
    fi
    for scope in "${expected_mvn_scopes[@]}" ; do
        # Make sure to catch deps with and without Maven classifier, as they have a different number of colon-separated elements, e.g.,
        # [INFO] +- org.eclipse.steady:shared:jar:3.2.6-SNAPSHOT:compile
        # [INFO] +- org.eclipse.steady:shared:jar:tests:3.2.6-SNAPSHOT:test
        sed -n "s/^.*- \([^:]*\):\([^:]*\):[^:]*:\([^:]*\):$(echo "$scope")$/pkg:maven\/\1\/\2@\3/p" "$dir/2-deptree.txt" >> "$dir/2-exp-purls.txt"
        sed -n "s/^.*- \([^:]*\):\([^:]*\):[^:]*:[^:]*:\([^:]*\):$(echo "$scope")$/pkg:maven\/\1\/\2@\3/p" "$dir/2-deptree.txt" >> "$dir/2-exp-purls.txt"
    done
    sort -o "$dir/2-exp-purls.txt" "$dir/2-exp-purls.txt"

    # Info
    exp_count=$(wc -l < "$dir/2-exp-purls.txt")
    printf "\n SBOM true-positives (TP), false-negatives (FN) and recall will be computed for deps with scope(s): ${WHITE}%s${RESET}\n" "$scopes_text"
    printf " ${WHITE}%s${RESET} - ${WHITE}%d${RESET} PURLs have such scope(s)\n" "$dir/2-exp-purls.txt" "$exp_count"
}

# Searches for all PURLs in CycloneDX SBOM $1 and writes them to $2 (sorted).
# Only components with CycloneDX scopes "required" and "optional" are considered
# (or without scope). Potential PURL qualifiers (?) and subpaths (#) are
# removed. Also computes number of true-positives, false-negatives and recall.
function find_purls_in_json_sbom() {
    # jq reads the SBOM file directly, no pager or cat needed
    jq -r 'select(.components != null)
        | .components[]
        | select(.purl != null)
        | select(.scope == null or .scope == "required" or .scope == "optional")
        | .purl
        | split("?")[0] | split("#")[0]' "$1" > "$2"
    sort -o "$2" "$2"
    count=$(wc -l < "$2")

    # TP and FN with regard to expected components
    tp_count=$(comm -12 "$dir/2-exp-purls.txt" "$2" | wc -l)
    fn_count=$(comm -23 "$dir/2-exp-purls.txt" "$2" | wc -l)
    recall=$(echo "$tp_count / $exp_count" | bc -l)
    printf " ${WHITE}%s${RESET} - Contains ${WHITE}%3d${RESET} component PURLs in SBOM ${WHITE}%s${RESET} (TP = ${GREEN}%3d${RESET}, FN = ${RED}%3d${RESET}, recall = ${WHITE}%0.2f${RESET})\n" "$2" "$count" "$1" "$tp_count" "$fn_count" "$recall"

    # Make sure numbers add up
    [ $(($tp_count+$fn_count)) == $exp_count ] || { printf " ${RED}ERROR${RESET}: ${WHITE}%d${RESET} TP + ${WHITE}%d${RESET} FN are not equal to ${WHITE}%d${RESET} expected deps\n" "$tp_count" "$fn_count" "$exp_count" ; exit 1; }
}

# Runs tool $1 through "eval $2".
function run_sbom_generator() {
    printf "\n Invoke ${WHITE}%s${RESET}: " "$1"
    if eval "$2"; then
        printf "${GREEN}OK${RESET}\n"
    else
        printf "${RED}ERROR${RESET} - check log and/or reproduce with\n"
    fi
    printf " + ${WHITE}%s${RESET}\n" "$2"
}

# Runs CycloneDX Maven plugin, syft and trivy. Produces 3-git-$tool-sbom.json, 3-git-$tool-sbom.log, 3-git-$tool-purls.txt
function 3_sbom_after_clone() {
    printf "\n3) Create SBOMs with directory\n"

    # CycloneDX
    run_sbom_generator "CycloneDX (cycl)" "mvn -DoutputFormat=json -DoutputDirectory=$dir -DoutputName=3-git-cycl-sbom org.cyclonedx:cyclonedx-maven-plugin:2.7.5:makeBom -f $dir/pom.xml > $dir/3-git-cycl-sbom.log 2>&1"
    mv "$tgt_path/3-git-cycl-sbom.json" "$dir"
    find_purls_in_json_sbom "$dir/3-git-cycl-sbom.json" "$dir/3-git-cycl-purls.txt"

    # jbom (disabled, since it requires JARs)
    # java -jar generators/jbom-1.2.1.jar --dir="$dir" --outputDir="$dir"
    # mv "$dir/jbom-$dir.json" "$dir/3-git-jbom-sbom.json"

    # Syft
    run_sbom_generator "Syft" "./bin/syft packages dir:$dir --file $dir/3-git-syft-sbom.json -o cyclonedx-json > $dir/3-git-syft-sbom.log 2>&1"
    find_purls_in_json_sbom "$dir/3-git-syft-sbom.json" "$dir/3-git-syft-purls.txt"

    # Trivy (offers plenty of options related to caching and connectivity, e.g., --skip-java-db-update, --offline-scan or --cache-dir)
    run_sbom_generator "Trivy (triv)" "./bin/trivy fs --debug --format cyclonedx --output $dir/3-git-triv-sbom.json $dir > $dir/3-git-triv-sbom.log 2>&1"
    find_purls_in_json_sbom "$dir/3-git-triv-sbom.json" "$dir/3-git-triv-purls.txt"
}

# Runs "mvn -DskipTests package -f $dir/pom.xml" and produces JAR and 4-jartf.txt
function 4_package() {
    printf "\n4) Call 'mvn package' to create JAR\n"
    if [ ! -f "$tgt_path/$jar" ]; then
        mvn -DskipTests package -f "$pom" > "$dir/4-pkg.log" 2>&1 || { printf " ${RED}ERROR${RESET}: 'mvn package' failed\n"; exit 1; }
    fi
    jar tf "$tgt_path/$jar" > "$dir/4-jartf.txt" || { printf " ${RED}ERROR${RESET}: jar tf ${WHITE}%s${RESET} failed, check value of variable 'jar'\n" "$tgt_path/$jar"; exit 1; }
    count=$(grep -E "BOOT-INF/lib/.+" "$dir/4-jartf.txt" -c)

    printf "\n Created JAR ${WHITE}%s${RESET}\n" "$tgt_path/$jar"
    printf " ${WHITE}%s${RESET} - Number of files in BOOT-INF/lib = ${WHITE}%d${RESET}\n" "$dir/4-jartf.txt" "$count"
}

# Runs jbom and syft on target/$jar. Produces: 5-pkg-$tool-sbom.json, 5-pkg-$tool-sbom.log, 5-pkg-$tool-purls.txt
function 5_sbom_after_package() {
    printf "\n5) Create SBOMs with JAR\n"

    # jbom
    run_sbom_generator "jbom" "java -jar ./bin/jbom.jar --file=$tgt_path/$jar --outputDir=$dir > $dir/5-pkg-jbom-sbom.log 2>&1"
    mv "$dir/jbom-$name-$version.json" "$dir/5-pkg-jbom-sbom.json"
    find_purls_in_json_sbom "$dir/5-pkg-jbom-sbom.json" "$dir/5-pkg-jbom-purls.txt"

    # Syft
    run_sbom_generator "Syft" "./bin/syft packages file:$tgt_path/$jar --file $dir/5-pkg-syft-sbom.json -o cyclonedx-json > $dir/5-pkg-syft-sbom.log 2>&1"
    find_purls_in_json_sbom "$dir/5-pkg-syft-sbom.json" "$dir/5-pkg-syft-purls.txt"

    # Trivy (disabled, because fs scans do not consider JARs, see https://aquasecurity.github.io/trivy/v0.37/docs/vulnerability/detection/language/)
    #./bin/trivy fs --format cyclonedx --output $dir/5-pkg-triv-sbom.json $tgt_path/$jar
}

# Runs syft and trivy on Docker $image.
Produces: 6-img-$tool-sbom.json, 6-img-$tool-sbom.log, 6-img-$tool-purls.txt 266 | function 6_sbom_with_image() { 267 | if [ -z "$image" ]; then 268 | printf "\n6) Skip creating SBOMs with Docker image\n" 269 | else 270 | printf "\n6) Create SBOMs with Docker image ${WHITE}%s${RESET}\n" $image 271 | 272 | # Syft 273 | run_sbom_generator "Syft" "./bin/syft packages $image --file $dir/6-img-syft-sbom.json -o cyclonedx-json > $dir/6-img-syft-sbom.log 2>&1" 274 | find_purls_in_json_sbom "$dir/6-img-syft-sbom.json" "$dir/6-img-syft-purls.txt" 275 | 276 | # Trivy (--cache-dir ./bin/trivy-cache) 277 | run_sbom_generator "Trivy (triv)" "./bin/trivy image --debug --format cyclonedx --output $dir/6-img-triv-sbom.json $image > $dir/6-img-triv-sbom.log 2>&1" 278 | find_purls_in_json_sbom "$dir/6-img-triv-sbom.json" "$dir/6-img-triv-purls.txt" 279 | fi 280 | } 281 | 282 | # Runs "java -jar target/$jar" and attaches jbom to the pid. Produces: 7-run-$tool-sbom.json, 7-run-$tool-sbom.log, 7-run-$tool-purls.txt 283 | function 7_sbom_at_runtime() { 284 | if [ ! "$executable_jar" == "true" ]; then 285 | printf "\n7) Skip creating runtime SBOMs\n" 286 | else 287 | printf "\n7) Create runtime SBOMs\n" 288 | 289 | # jbom 290 | java -jar "$tgt_path/$jar" > "$dir/7-run-jbom-sbom.log" 2>&1 & 291 | pid=$! 
292 | runtime_wait=10 293 | printf "\n Started executable JAR ${WHITE}%s${RESET} with pid ${WHITE}%d${RESET}, waiting %d secs before attaching jbom...\n" "$tgt_path/$jar" $pid $runtime_wait 294 | sleep $runtime_wait 295 | 296 | # Check if process runs 297 | if ps -p "$pid" > /dev/null; then 298 | java -jar ./bin/jbom.jar --pid=$pid --outputDir="$dir" > /dev/null 299 | mv "$dir/jbom-$pid.json" "$dir/7-run-jbom-sbom.json" 300 | kill $pid > /dev/null 2>&1 || { printf " ${RED}ERROR${RESET}: Unable to kill pid ${WHITE}%d${RESET}, kill manually\n" $pid; } 301 | find_purls_in_json_sbom "$dir/7-run-jbom-sbom.json" "$dir/7-run-jbom-purls.txt" 302 | else 303 | printf " ${RED}ERROR${RESET}: Failed to start JAR, see ${WHITE}%s${RESET}\n" "$dir/7-run-jbom-sbom.log" 304 | fi 305 | fi 306 | } 307 | 308 | # Computes TP, FN and recall for an SBOM provided with --sbom. 309 | function 8_sbom_arg() { 310 | if [ ! -f "$other_sbom" ]; then 311 | printf "\n8) No SBOM provided with --sbom\n" 312 | else 313 | printf "\n8) Evaluate --sbom ${WHITE}%s${RESET}\n" "$other_sbom" 314 | cp "$other_sbom" "$dir/8-arg-othr-sbom.json" 315 | find_purls_in_json_sbom "$dir/8-arg-othr-sbom.json" "$dir/8-arg-othr-purls.txt" 316 | fi 317 | } 318 | 319 | check_prerequisites 320 | 1_clone 321 | 2_deptree 322 | 3_sbom_after_clone 323 | 4_package 324 | 5_sbom_after_package 325 | 6_sbom_with_image 326 | 7_sbom_at_runtime 327 | 8_sbom_arg 328 | -------------------------------------------------------------------------------- /pet/2-deptree.txt: -------------------------------------------------------------------------------- 1 | org.springframework.samples:spring-petclinic-rest:jar:2.6.2 2 | +- org.springframework.boot:spring-boot-starter-actuator:jar:2.6.2:compile 3 | | +- org.springframework.boot:spring-boot-starter:jar:2.6.2:compile 4 | | | +- org.springframework.boot:spring-boot:jar:2.6.2:compile 5 | | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.6.2:compile 6 | | | +- 
org.springframework.boot:spring-boot-starter-logging:jar:2.6.2:compile 7 | | | | +- ch.qos.logback:logback-classic:jar:1.2.9:compile 8 | | | | | \- ch.qos.logback:logback-core:jar:1.2.9:compile 9 | | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.0:compile 10 | | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile 11 | | | | \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile 12 | | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile 13 | | | \- org.yaml:snakeyaml:jar:1.29:compile 14 | | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.6.2:compile 15 | | | \- org.springframework.boot:spring-boot-actuator:jar:2.6.2:compile 16 | | \- io.micrometer:micrometer-core:jar:1.8.1:compile 17 | | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile 18 | | \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime 19 | +- org.springframework.boot:spring-boot-starter-aop:jar:2.6.2:compile 20 | | +- org.springframework:spring-aop:jar:5.3.14:compile 21 | | | \- org.springframework:spring-beans:jar:5.3.14:compile 22 | | \- org.aspectj:aspectjweaver:jar:1.9.7:compile 23 | +- org.springframework.boot:spring-boot-starter-cache:jar:2.6.2:compile 24 | | \- org.springframework:spring-context-support:jar:5.3.14:compile 25 | | \- org.springframework:spring-context:jar:5.3.14:compile 26 | +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.6.2:compile 27 | | +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile 28 | | +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile 29 | | +- org.hibernate:hibernate-core:jar:5.6.3.Final:compile 30 | | | +- org.jboss.logging:jboss-logging:jar:3.4.2.Final:compile 31 | | | +- antlr:antlr:jar:2.7.7:compile 32 | | | +- org.jboss:jandex:jar:2.2.3.Final:compile 33 | | | +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile 34 | | | \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.5:compile 35 | | | +- org.glassfish.jaxb:txw2:jar:2.3.5:compile 36 | | | +- 
com.sun.istack:istack-commons-runtime:jar:3.0.12:compile 37 | | | \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime 38 | | +- org.springframework.data:spring-data-jpa:jar:2.6.0:compile 39 | | | +- org.springframework.data:spring-data-commons:jar:2.6.0:compile 40 | | | +- org.springframework:spring-orm:jar:5.3.14:compile 41 | | | \- org.springframework:spring-tx:jar:5.3.14:compile 42 | | \- org.springframework:spring-aspects:jar:5.3.14:compile 43 | +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.6.2:compile 44 | | +- com.zaxxer:HikariCP:jar:4.0.3:compile 45 | | \- org.springframework:spring-jdbc:jar:5.3.14:compile 46 | +- org.springframework.boot:spring-boot-starter-web:jar:2.6.2:compile 47 | | +- org.springframework.boot:spring-boot-starter-json:jar:2.6.2:compile 48 | | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.1:compile 49 | | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.1:compile 50 | | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.6.2:compile 51 | | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.56:compile 52 | | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.56:compile 53 | | +- org.springframework:spring-web:jar:5.3.14:compile 54 | | \- org.springframework:spring-webmvc:jar:5.3.14:compile 55 | | \- org.springframework:spring-expression:jar:5.3.14:compile 56 | +- org.springframework.boot:spring-boot-starter-security:jar:2.6.2:compile 57 | | +- org.springframework.security:spring-security-config:jar:5.6.1:compile 58 | | \- org.springframework.security:spring-security-web:jar:5.6.1:compile 59 | +- org.springframework.boot:spring-boot-starter-validation:jar:2.6.2:compile 60 | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.56:compile 61 | | \- org.hibernate.validator:hibernate-validator:jar:6.2.0.Final:compile 62 | | \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile 63 | +- org.hsqldb:hsqldb:jar:2.5.2:runtime 64 | +- 
mysql:mysql-connector-java:jar:8.0.27:runtime 65 | +- org.postgresql:postgresql:jar:42.3.1:runtime 66 | | \- org.checkerframework:checker-qual:jar:3.5.0:runtime 67 | +- org.springframework.data:spring-data-jdbc-core:jar:1.2.1.RELEASE:compile 68 | | \- org.springframework.retry:spring-retry:jar:1.3.1:compile 69 | | \- javax.annotation:javax.annotation-api:jar:1.3.2:compile 70 | +- org.springframework.boot:spring-boot-starter-test:jar:2.6.2:test 71 | | +- org.springframework.boot:spring-boot-test:jar:2.6.2:test 72 | | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.6.2:test 73 | | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile 74 | | | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile 75 | | +- org.assertj:assertj-core:jar:3.21.0:test 76 | | +- org.hamcrest:hamcrest:jar:2.2:test 77 | | +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test 78 | | | +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test 79 | | | | +- org.opentest4j:opentest4j:jar:1.2.0:test 80 | | | | +- org.junit.platform:junit-platform-commons:jar:1.8.2:test 81 | | | | \- org.apiguardian:apiguardian-api:jar:1.1.2:test 82 | | | +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test 83 | | | \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test 84 | | | \- org.junit.platform:junit-platform-engine:jar:1.8.2:test 85 | | +- org.mockito:mockito-junit-jupiter:jar:4.0.0:test 86 | | +- org.skyscreamer:jsonassert:jar:1.5.0:test 87 | | | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test 88 | | +- org.springframework:spring-core:jar:5.3.14:compile 89 | | | \- org.springframework:spring-jcl:jar:5.3.14:compile 90 | | +- org.springframework:spring-test:jar:5.3.14:test 91 | | \- org.xmlunit:xmlunit-core:jar:2.8.4:test 92 | +- org.springframework.security:spring-security-test:jar:5.6.1:test 93 | | \- org.springframework.security:spring-security-core:jar:5.6.1:compile 94 | | \- org.springframework.security:spring-security-crypto:jar:5.6.1:compile 95 | +- 
com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile 96 | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile 97 | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1:compile 98 | +- com.jayway.jsonpath:json-path:jar:2.6.0:test 99 | | +- net.minidev:json-smart:jar:2.4.7:test 100 | | | \- net.minidev:accessors-smart:jar:2.4.7:test 101 | | | \- org.ow2.asm:asm:jar:9.1:test 102 | | \- org.slf4j:slf4j-api:jar:1.7.32:compile 103 | +- io.springfox:springfox-boot-starter:jar:3.0.0:compile 104 | | +- io.springfox:springfox-oas:jar:3.0.0:compile 105 | | | +- io.swagger.core.v3:swagger-annotations:jar:2.1.2:compile 106 | | | +- io.swagger.core.v3:swagger-models:jar:2.1.2:compile 107 | | | +- io.springfox:springfox-spi:jar:3.0.0:compile 108 | | | +- io.springfox:springfox-schema:jar:3.0.0:compile 109 | | | +- io.springfox:springfox-core:jar:3.0.0:compile 110 | | | +- io.springfox:springfox-spring-web:jar:3.0.0:compile 111 | | | | \- io.github.classgraph:classgraph:jar:4.8.83:compile 112 | | | +- io.springfox:springfox-spring-webmvc:jar:3.0.0:compile 113 | | | +- io.springfox:springfox-spring-webflux:jar:3.0.0:compile 114 | | | \- io.springfox:springfox-swagger-common:jar:3.0.0:compile 115 | | +- io.springfox:springfox-data-rest:jar:3.0.0:compile 116 | | +- io.springfox:springfox-bean-validators:jar:3.0.0:compile 117 | | +- io.springfox:springfox-swagger2:jar:3.0.0:compile 118 | | | +- io.swagger:swagger-annotations:jar:1.5.20:compile 119 | | | \- io.swagger:swagger-models:jar:1.5.20:compile 120 | | +- io.springfox:springfox-swagger-ui:jar:3.0.0:compile 121 | | +- com.fasterxml:classmate:jar:1.5.1:compile 122 | | +- org.springframework.plugin:spring-plugin-core:jar:2.0.0.RELEASE:compile 123 | | \- org.springframework.plugin:spring-plugin-metadata:jar:2.0.0.RELEASE:compile 124 | +- org.openapitools:jackson-databind-nullable:jar:0.2.1:compile 125 | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.1:compile 126 | +- 
org.mapstruct:mapstruct:jar:1.4.1.Final:compile 127 | +- org.mapstruct:mapstruct-processor:jar:1.4.1.Final:compile 128 | +- org.mockito:mockito-core:jar:4.0.0:test 129 | | +- net.bytebuddy:byte-buddy:jar:1.11.22:compile 130 | | +- net.bytebuddy:byte-buddy-agent:jar:1.11.22:test 131 | | \- org.objenesis:objenesis:jar:3.2:test 132 | \- javax.xml.bind:jaxb-api:jar:2.3.0:compile 133 | -------------------------------------------------------------------------------- /pet/2-exp-purls.txt: -------------------------------------------------------------------------------- 1 | pkg:maven/antlr/antlr@2.7.7 2 | pkg:maven/ch.qos.logback/logback-classic@1.2.9 3 | pkg:maven/ch.qos.logback/logback-core@1.2.9 4 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1 5 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1 6 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1 7 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1 8 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1 9 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1 10 | pkg:maven/com.fasterxml/classmate@1.5.1 11 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2 12 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12 13 | pkg:maven/com.zaxxer/HikariCP@4.0.3 14 | pkg:maven/io.github.classgraph/classgraph@4.8.83 15 | pkg:maven/io.micrometer/micrometer-core@1.8.1 16 | pkg:maven/io.springfox/springfox-bean-validators@3.0.0 17 | pkg:maven/io.springfox/springfox-boot-starter@3.0.0 18 | pkg:maven/io.springfox/springfox-core@3.0.0 19 | pkg:maven/io.springfox/springfox-data-rest@3.0.0 20 | pkg:maven/io.springfox/springfox-oas@3.0.0 21 | pkg:maven/io.springfox/springfox-schema@3.0.0 22 | pkg:maven/io.springfox/springfox-spi@3.0.0 23 | pkg:maven/io.springfox/springfox-spring-web@3.0.0 24 | pkg:maven/io.springfox/springfox-spring-webflux@3.0.0 25 | pkg:maven/io.springfox/springfox-spring-webmvc@3.0.0 26 | 
pkg:maven/io.springfox/springfox-swagger-common@3.0.0
pkg:maven/io.springfox/springfox-swagger-ui@3.0.0
pkg:maven/io.springfox/springfox-swagger2@3.0.0
pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2
pkg:maven/io.swagger.core.v3/swagger-models@2.1.2
pkg:maven/io.swagger/swagger-annotations@1.5.20
pkg:maven/io.swagger/swagger-models@1.5.20
pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2
pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5
pkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3
pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3
pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2
pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3
pkg:maven/javax.annotation/javax.annotation-api@1.3.2
pkg:maven/javax.xml.bind/jaxb-api@2.3.0
pkg:maven/mysql/mysql-connector-java@8.0.27
pkg:maven/net.bytebuddy/byte-buddy@1.11.22
pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0
pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.56
pkg:maven/org.aspectj/aspectjweaver@1.9.7
pkg:maven/org.checkerframework/checker-qual@3.5.0
pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
pkg:maven/org.glassfish.jaxb/txw2@2.3.5
pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final
pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
pkg:maven/org.hibernate/hibernate-core@5.6.3.Final
pkg:maven/org.hsqldb/hsqldb@2.5.2
pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
pkg:maven/org.jboss/jandex@2.2.3.Final
pkg:maven/org.latencyutils/LatencyUtils@2.0.3
pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
pkg:maven/org.postgresql/postgresql@42.3.1
pkg:maven/org.slf4j/jul-to-slf4j@1.7.32
pkg:maven/org.slf4j/slf4j-api@1.7.32
pkg:maven/org.springframework.boot/spring-boot-actuator-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-cache@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-json@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-security@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-validation@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter@2.6.2
pkg:maven/org.springframework.boot/spring-boot@2.6.2
pkg:maven/org.springframework.data/spring-data-commons@2.6.0
pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE
pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE
pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE
pkg:maven/org.springframework.retry/spring-retry@1.3.1
pkg:maven/org.springframework.security/spring-security-config@5.6.1
pkg:maven/org.springframework.security/spring-security-core@5.6.1
pkg:maven/org.springframework.security/spring-security-crypto@5.6.1
pkg:maven/org.springframework.security/spring-security-web@5.6.1
pkg:maven/org.springframework/spring-aop@5.3.14
pkg:maven/org.springframework/spring-aspects@5.3.14
pkg:maven/org.springframework/spring-beans@5.3.14
pkg:maven/org.springframework/spring-context-support@5.3.14
pkg:maven/org.springframework/spring-context@5.3.14
pkg:maven/org.springframework/spring-core@5.3.14
pkg:maven/org.springframework/spring-expression@5.3.14
pkg:maven/org.springframework/spring-jcl@5.3.14
pkg:maven/org.springframework/spring-jdbc@5.3.14
pkg:maven/org.springframework/spring-orm@5.3.14
pkg:maven/org.springframework/spring-tx@5.3.14
pkg:maven/org.springframework/spring-web@5.3.14
pkg:maven/org.springframework/spring-webmvc@5.3.14
pkg:maven/org.yaml/snakeyaml@1.29

--------------------------------------------------------------------------------
/pet/3-git-cycl-purls.txt:
--------------------------------------------------------------------------------
pkg:maven/antlr/antlr@2.7.7
pkg:maven/ch.qos.logback/logback-classic@1.2.9
pkg:maven/ch.qos.logback/logback-core@1.2.9
pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1
pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1
pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1
pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1
pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1
pkg:maven/com.fasterxml/classmate@1.5.1
pkg:maven/com.sun.activation/jakarta.activation@1.2.2
pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12
pkg:maven/com.zaxxer/HikariCP@4.0.3
pkg:maven/io.github.classgraph/classgraph@4.8.83
pkg:maven/io.micrometer/micrometer-core@1.8.1
pkg:maven/io.springfox/springfox-bean-validators@3.0.0
pkg:maven/io.springfox/springfox-boot-starter@3.0.0
pkg:maven/io.springfox/springfox-core@3.0.0
pkg:maven/io.springfox/springfox-data-rest@3.0.0
pkg:maven/io.springfox/springfox-oas@3.0.0
pkg:maven/io.springfox/springfox-schema@3.0.0
pkg:maven/io.springfox/springfox-spi@3.0.0
pkg:maven/io.springfox/springfox-spring-web@3.0.0
pkg:maven/io.springfox/springfox-spring-webflux@3.0.0
pkg:maven/io.springfox/springfox-spring-webmvc@3.0.0
pkg:maven/io.springfox/springfox-swagger-common@3.0.0
pkg:maven/io.springfox/springfox-swagger-ui@3.0.0
pkg:maven/io.springfox/springfox-swagger2@3.0.0
pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2
pkg:maven/io.swagger.core.v3/swagger-models@2.1.2
pkg:maven/io.swagger/swagger-annotations@1.5.20
pkg:maven/io.swagger/swagger-models@1.5.20
pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2
pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5
pkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3
pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3
pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2
pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3
pkg:maven/javax.annotation/javax.annotation-api@1.3.2
pkg:maven/javax.xml.bind/jaxb-api@2.3.0
pkg:maven/mysql/mysql-connector-java@8.0.27
pkg:maven/net.bytebuddy/byte-buddy@1.11.22
pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0
pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.56
pkg:maven/org.aspectj/aspectjweaver@1.9.7
pkg:maven/org.checkerframework/checker-qual@3.5.0
pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
pkg:maven/org.glassfish.jaxb/txw2@2.3.5
pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final
pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
pkg:maven/org.hibernate/hibernate-core@5.6.3.Final
pkg:maven/org.hsqldb/hsqldb@2.5.2
pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
pkg:maven/org.jboss/jandex@2.2.3.Final
pkg:maven/org.latencyutils/LatencyUtils@2.0.3
pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
pkg:maven/org.postgresql/postgresql@42.3.1
pkg:maven/org.slf4j/jul-to-slf4j@1.7.32
pkg:maven/org.slf4j/slf4j-api@1.7.32
pkg:maven/org.springframework.boot/spring-boot-actuator-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-cache@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-json@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-security@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-validation@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter@2.6.2
pkg:maven/org.springframework.boot/spring-boot@2.6.2
pkg:maven/org.springframework.data/spring-data-commons@2.6.0
pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE
pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE
pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE
pkg:maven/org.springframework.retry/spring-retry@1.3.1
pkg:maven/org.springframework.security/spring-security-config@5.6.1
pkg:maven/org.springframework.security/spring-security-core@5.6.1
pkg:maven/org.springframework.security/spring-security-crypto@5.6.1
pkg:maven/org.springframework.security/spring-security-web@5.6.1
pkg:maven/org.springframework/spring-aop@5.3.14
pkg:maven/org.springframework/spring-aspects@5.3.14
pkg:maven/org.springframework/spring-beans@5.3.14
pkg:maven/org.springframework/spring-context-support@5.3.14
pkg:maven/org.springframework/spring-context@5.3.14
pkg:maven/org.springframework/spring-core@5.3.14
pkg:maven/org.springframework/spring-expression@5.3.14
pkg:maven/org.springframework/spring-jcl@5.3.14
pkg:maven/org.springframework/spring-jdbc@5.3.14
pkg:maven/org.springframework/spring-orm@5.3.14
pkg:maven/org.springframework/spring-tx@5.3.14
pkg:maven/org.springframework/spring-web@5.3.14
pkg:maven/org.springframework/spring-webmvc@5.3.14
pkg:maven/org.yaml/snakeyaml@1.29

--------------------------------------------------------------------------------
/pet/3-git-cycl-sbom.log:
--------------------------------------------------------------------------------
[INFO] Scanning for projects...
[INFO]
[INFO] ---------< org.springframework.samples:spring-petclinic-rest >----------
[INFO] Building spring-petclinic-rest 2.6.2
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- cyclonedx-maven-plugin:2.7.5:makeBom (default-cli) @ spring-petclinic-rest ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion : 1.4
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope : true
[INFO] includeProvidedScope : true
[INFO] includeRuntimeScope : true
[INFO] includeTestScope : false
[INFO] includeSystemScope : true
[INFO] includeLicenseText : false
[INFO] outputFormat : json
[INFO] outputName : 3-git-cycl-sbom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (JSON): /pet/target/3-git-cycl-sbom.json
[INFO] CycloneDX: Validating BOM (JSON): /pet/target/3-git-cycl-sbom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.095 s
[INFO] Finished at: 2023-02-27T09:38:17+01:00
[INFO] ------------------------------------------------------------------------

--------------------------------------------------------------------------------
/pet/3-git-syft-purls.txt:
--------------------------------------------------------------------------------
pkg:maven/com.fasterxml.jackson.core/jackson-core
pkg:maven/com.fasterxml.jackson.core/jackson-databind
pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310
pkg:maven/com.jayway.jsonpath/json-path
pkg:maven/io.springfox/springfox-boot-starter@3.0.0
pkg:maven/io.takari/maven-wrapper@0.5.6
pkg:maven/jaxb-api/jaxb-api@2.3.0
pkg:maven/mysql-connector-java/mysql-connector-java
pkg:maven/org.hsqldb/hsqldb
pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
pkg:maven/org.mockito/mockito-core
pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
pkg:maven/org.postgresql/postgresql
pkg:maven/org.springframework.boot/spring-boot-starter-actuator
pkg:maven/org.springframework.boot/spring-boot-starter-aop
pkg:maven/org.springframework.boot/spring-boot-starter-cache
pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa
pkg:maven/org.springframework.boot/spring-boot-starter-jdbc
pkg:maven/org.springframework.boot/spring-boot-starter-security
pkg:maven/org.springframework.boot/spring-boot-starter-test
pkg:maven/org.springframework.boot/spring-boot-starter-validation
pkg:maven/org.springframework.boot/spring-boot-starter-web
pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE
pkg:maven/org.springframework.security/spring-security-test

--------------------------------------------------------------------------------
/pet/3-git-syft-sbom.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/endorlabs/sbom-lab/70b92c4f081aecc0eb41267a53ac85b829bf86da/pet/3-git-syft-sbom.log

--------------------------------------------------------------------------------
/pet/3-git-triv-purls.txt:
--------------------------------------------------------------------------------
pkg:maven/antlr/antlr@2.7.7
pkg:maven/ch.qos.logback/logback-classic@1.2.9
pkg:maven/ch.qos.logback/logback-core@1.2.9
pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1
pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1
pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1
pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1
pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1
pkg:maven/com.fasterxml/classmate@1.5.1
pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12
pkg:maven/com.zaxxer/HikariCP@4.0.3
pkg:maven/io.github.classgraph/classgraph@4.8.83
pkg:maven/io.micrometer/micrometer-core@1.8.1
pkg:maven/io.springfox/springfox-bean-validators@3.0.0
pkg:maven/io.springfox/springfox-boot-starter@3.0.0
pkg:maven/io.springfox/springfox-core@3.0.0
pkg:maven/io.springfox/springfox-data-rest@3.0.0
pkg:maven/io.springfox/springfox-oas@3.0.0
pkg:maven/io.springfox/springfox-schema@3.0.0
pkg:maven/io.springfox/springfox-spi@3.0.0
pkg:maven/io.springfox/springfox-spring-web@3.0.0
pkg:maven/io.springfox/springfox-spring-webflux@3.0.0
pkg:maven/io.springfox/springfox-spring-webmvc@3.0.0
pkg:maven/io.springfox/springfox-swagger-common@3.0.0
pkg:maven/io.springfox/springfox-swagger-ui@3.0.0
pkg:maven/io.springfox/springfox-swagger2@3.0.0
pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2
pkg:maven/io.swagger.core.v3/swagger-models@2.1.2
pkg:maven/io.swagger/swagger-annotations@1.5.20
pkg:maven/io.swagger/swagger-models@1.5.20
pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2
pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5
pkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3
pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3
pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2
pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3
pkg:maven/javax.xml.bind/jaxb-api@2.3.0
pkg:maven/net.bytebuddy/byte-buddy@1.11.22
pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@23
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@9.0.56
pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.56
pkg:maven/org.aspectj/aspectjweaver@1.9.7
pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final
pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
pkg:maven/org.hibernate/hibernate-core@5.6.3.Final
pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
pkg:maven/org.jboss/jandex@2.2.3.Final
pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
pkg:maven/org.slf4j/jul-to-slf4j@1.7.32
pkg:maven/org.slf4j/slf4j-api@1.7.32
pkg:maven/org.springframework.boot/spring-boot-actuator-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-cache@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-json@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-security@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-validation@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.2
pkg:maven/org.springframework.boot/spring-boot-starter@2.6.2
pkg:maven/org.springframework.boot/spring-boot@2.6.2
pkg:maven/org.springframework.data.build/spring-data-commons@2.6.0
pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE
pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE
pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE
pkg:maven/org.springframework.retry/spring-retry@1.3.1
pkg:maven/org.springframework.samples/spring-petclinic-rest@2.6.2
pkg:maven/org.springframework.security/spring-security-config@5.6.1
pkg:maven/org.springframework.security/spring-security-core@5.6.1
pkg:maven/org.springframework.security/spring-security-crypto@5.6.1
pkg:maven/org.springframework.security/spring-security-web@5.6.1
pkg:maven/org.springframework/spring-aop@5.3.14
pkg:maven/org.springframework/spring-aspects@5.3.14
pkg:maven/org.springframework/spring-beans@5.3.14
pkg:maven/org.springframework/spring-context-support@5.3.14 88 | pkg:maven/org.springframework/spring-context@5.3.14 89 | pkg:maven/org.springframework/spring-core@5.3.14 90 | pkg:maven/org.springframework/spring-expression@5.3.14 91 | pkg:maven/org.springframework/spring-jcl@5.3.14 92 | pkg:maven/org.springframework/spring-jdbc@5.3.14 93 | pkg:maven/org.springframework/spring-orm@5.3.14 94 | pkg:maven/org.springframework/spring-tx@5.3.14 95 | pkg:maven/org.springframework/spring-web@5.3.14 96 | pkg:maven/org.springframework/spring-webmvc@5.3.14 97 | pkg:maven/org.yaml/snakeyaml@1.29 98 | -------------------------------------------------------------------------------- /pet/3-git-triv-sbom.json: -------------------------------------------------------------------------------- 1 | { 2 | "bomFormat": "CycloneDX", 3 | "specVersion": "1.4", 4 | "serialNumber": "urn:uuid:905bff04-20cb-4eaf-ac2f-92f98660b484", 5 | "version": 1, 6 | "metadata": { 7 | "timestamp": "2023-02-27T08:38:20+00:00", 8 | "tools": [ 9 | { 10 | "vendor": "aquasecurity", 11 | "name": "trivy", 12 | "version": "0.37.3" 13 | } 14 | ], 15 | "component": { 16 | "bom-ref": "e053d629-ee7d-4417-bea6-6c7e165cc943", 17 | "type": "application", 18 | "name": "pet", 19 | "properties": [ 20 | { 21 | "name": "aquasecurity:trivy:SchemaVersion", 22 | "value": "2" 23 | } 24 | ] 25 | } 26 | }, 27 | "components": [ 28 | { 29 | "bom-ref": "pkg:maven/antlr/antlr@2.7.7", 30 | "type": "library", 31 | "name": "antlr:antlr", 32 | "version": "2.7.7", 33 | "purl": "pkg:maven/antlr/antlr@2.7.7", 34 | "properties": [ 35 | { 36 | "name": "aquasecurity:trivy:PkgType", 37 | "value": "pom" 38 | } 39 | ] 40 | }, 41 | { 42 | "bom-ref": "pkg:maven/ch.qos.logback/logback-classic@1.2.9", 43 | "type": "library", 44 | "name": "ch.qos.logback:logback-classic", 45 | "version": "1.2.9", 46 | "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.9", 47 | "properties": [ 48 | { 49 | "name": "aquasecurity:trivy:PkgType", 50 | "value": "pom" 51 | } 
1056 | "bom-ref": "pkg:maven/org.springframework.security/spring-security-config@5.6.1", 1057 | "type": "library", 1058 | "name": "org.springframework.security:spring-security-config", 1059 | "version": "5.6.1", 1060 | "purl": "pkg:maven/org.springframework.security/spring-security-config@5.6.1", 1061 | "properties": [ 1062 | { 1063 | "name": "aquasecurity:trivy:PkgType", 1064 | "value": "pom" 1065 | } 1066 | ] 1067 | }, 1068 | { 1069 | "bom-ref": "pkg:maven/org.springframework.security/spring-security-core@5.6.1", 1070 | "type": "library", 1071 | "name": "org.springframework.security:spring-security-core", 1072 | "version": "5.6.1", 1073 | "purl": "pkg:maven/org.springframework.security/spring-security-core@5.6.1", 1074 | "properties": [ 1075 | { 1076 | "name": "aquasecurity:trivy:PkgType", 1077 | "value": "pom" 1078 | } 1079 | ] 1080 | }, 1081 | { 1082 | "bom-ref": "pkg:maven/org.springframework.security/spring-security-crypto@5.6.1", 1083 | "type": "library", 1084 | "name": "org.springframework.security:spring-security-crypto", 1085 | "version": "5.6.1", 1086 | "purl": "pkg:maven/org.springframework.security/spring-security-crypto@5.6.1", 1087 | "properties": [ 1088 | { 1089 | "name": "aquasecurity:trivy:PkgType", 1090 | "value": "pom" 1091 | } 1092 | ] 1093 | }, 1094 | { 1095 | "bom-ref": "pkg:maven/org.springframework.security/spring-security-web@5.6.1", 1096 | "type": "library", 1097 | "name": "org.springframework.security:spring-security-web", 1098 | "version": "5.6.1", 1099 | "purl": "pkg:maven/org.springframework.security/spring-security-web@5.6.1", 1100 | "properties": [ 1101 | { 1102 | "name": "aquasecurity:trivy:PkgType", 1103 | "value": "pom" 1104 | } 1105 | ] 1106 | }, 1107 | { 1108 | "bom-ref": "pkg:maven/org.springframework/spring-aop@5.3.14", 1109 | "type": "library", 1110 | "name": "org.springframework:spring-aop", 1111 | "version": "5.3.14", 1112 | "purl": "pkg:maven/org.springframework/spring-aop@5.3.14", 1113 | "properties": [ 1114 | { 1115 | 
"name": "aquasecurity:trivy:PkgType", 1116 | "value": "pom" 1117 | } 1118 | ] 1119 | }, 1120 | { 1121 | "bom-ref": "pkg:maven/org.springframework/spring-aspects@5.3.14", 1122 | "type": "library", 1123 | "name": "org.springframework:spring-aspects", 1124 | "version": "5.3.14", 1125 | "purl": "pkg:maven/org.springframework/spring-aspects@5.3.14", 1126 | "properties": [ 1127 | { 1128 | "name": "aquasecurity:trivy:PkgType", 1129 | "value": "pom" 1130 | } 1131 | ] 1132 | }, 1133 | { 1134 | "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.14", 1135 | "type": "library", 1136 | "name": "org.springframework:spring-beans", 1137 | "version": "5.3.14", 1138 | "purl": "pkg:maven/org.springframework/spring-beans@5.3.14", 1139 | "properties": [ 1140 | { 1141 | "name": "aquasecurity:trivy:PkgType", 1142 | "value": "pom" 1143 | } 1144 | ] 1145 | }, 1146 | { 1147 | "bom-ref": "pkg:maven/org.springframework/spring-context@5.3.14", 1148 | "type": "library", 1149 | "name": "org.springframework:spring-context", 1150 | "version": "5.3.14", 1151 | "purl": "pkg:maven/org.springframework/spring-context@5.3.14", 1152 | "properties": [ 1153 | { 1154 | "name": "aquasecurity:trivy:PkgType", 1155 | "value": "pom" 1156 | } 1157 | ] 1158 | }, 1159 | { 1160 | "bom-ref": "pkg:maven/org.springframework/spring-context-support@5.3.14", 1161 | "type": "library", 1162 | "name": "org.springframework:spring-context-support", 1163 | "version": "5.3.14", 1164 | "purl": "pkg:maven/org.springframework/spring-context-support@5.3.14", 1165 | "properties": [ 1166 | { 1167 | "name": "aquasecurity:trivy:PkgType", 1168 | "value": "pom" 1169 | } 1170 | ] 1171 | }, 1172 | { 1173 | "bom-ref": "pkg:maven/org.springframework/spring-core@5.3.14", 1174 | "type": "library", 1175 | "name": "org.springframework:spring-core", 1176 | "version": "5.3.14", 1177 | "purl": "pkg:maven/org.springframework/spring-core@5.3.14", 1178 | "properties": [ 1179 | { 1180 | "name": "aquasecurity:trivy:PkgType", 1181 | "value": "pom" 
1182 | } 1183 | ] 1184 | }, 1185 | { 1186 | "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.14", 1187 | "type": "library", 1188 | "name": "org.springframework:spring-expression", 1189 | "version": "5.3.14", 1190 | "purl": "pkg:maven/org.springframework/spring-expression@5.3.14", 1191 | "properties": [ 1192 | { 1193 | "name": "aquasecurity:trivy:PkgType", 1194 | "value": "pom" 1195 | } 1196 | ] 1197 | }, 1198 | { 1199 | "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.14", 1200 | "type": "library", 1201 | "name": "org.springframework:spring-jcl", 1202 | "version": "5.3.14", 1203 | "purl": "pkg:maven/org.springframework/spring-jcl@5.3.14", 1204 | "properties": [ 1205 | { 1206 | "name": "aquasecurity:trivy:PkgType", 1207 | "value": "pom" 1208 | } 1209 | ] 1210 | }, 1211 | { 1212 | "bom-ref": "pkg:maven/org.springframework/spring-jdbc@5.3.14", 1213 | "type": "library", 1214 | "name": "org.springframework:spring-jdbc", 1215 | "version": "5.3.14", 1216 | "purl": "pkg:maven/org.springframework/spring-jdbc@5.3.14", 1217 | "properties": [ 1218 | { 1219 | "name": "aquasecurity:trivy:PkgType", 1220 | "value": "pom" 1221 | } 1222 | ] 1223 | }, 1224 | { 1225 | "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.14", 1226 | "type": "library", 1227 | "name": "org.springframework:spring-orm", 1228 | "version": "5.3.14", 1229 | "purl": "pkg:maven/org.springframework/spring-orm@5.3.14", 1230 | "properties": [ 1231 | { 1232 | "name": "aquasecurity:trivy:PkgType", 1233 | "value": "pom" 1234 | } 1235 | ] 1236 | }, 1237 | { 1238 | "bom-ref": "pkg:maven/org.springframework/spring-tx@5.3.14", 1239 | "type": "library", 1240 | "name": "org.springframework:spring-tx", 1241 | "version": "5.3.14", 1242 | "purl": "pkg:maven/org.springframework/spring-tx@5.3.14", 1243 | "properties": [ 1244 | { 1245 | "name": "aquasecurity:trivy:PkgType", 1246 | "value": "pom" 1247 | } 1248 | ] 1249 | }, 1250 | { 1251 | "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.14", 
1252 | "type": "library", 1253 | "name": "org.springframework:spring-web", 1254 | "version": "5.3.14", 1255 | "purl": "pkg:maven/org.springframework/spring-web@5.3.14", 1256 | "properties": [ 1257 | { 1258 | "name": "aquasecurity:trivy:PkgType", 1259 | "value": "pom" 1260 | } 1261 | ] 1262 | }, 1263 | { 1264 | "bom-ref": "pkg:maven/org.springframework/spring-webmvc@5.3.14", 1265 | "type": "library", 1266 | "name": "org.springframework:spring-webmvc", 1267 | "version": "5.3.14", 1268 | "purl": "pkg:maven/org.springframework/spring-webmvc@5.3.14", 1269 | "properties": [ 1270 | { 1271 | "name": "aquasecurity:trivy:PkgType", 1272 | "value": "pom" 1273 | } 1274 | ] 1275 | }, 1276 | { 1277 | "bom-ref": "pkg:maven/org.yaml/snakeyaml@1.29", 1278 | "type": "library", 1279 | "name": "org.yaml:snakeyaml", 1280 | "version": "1.29", 1281 | "purl": "pkg:maven/org.yaml/snakeyaml@1.29", 1282 | "properties": [ 1283 | { 1284 | "name": "aquasecurity:trivy:PkgType", 1285 | "value": "pom" 1286 | } 1287 | ] 1288 | }, 1289 | { 1290 | "bom-ref": "3997e462-e7f0-4a33-92e1-1b5043348fd4", 1291 | "type": "application", 1292 | "name": "pom.xml", 1293 | "properties": [ 1294 | { 1295 | "name": "aquasecurity:trivy:Type", 1296 | "value": "pom" 1297 | }, 1298 | { 1299 | "name": "aquasecurity:trivy:Class", 1300 | "value": "lang-pkgs" 1301 | } 1302 | ] 1303 | } 1304 | ], 1305 | "dependencies": [ 1306 | { 1307 | "ref": "3997e462-e7f0-4a33-92e1-1b5043348fd4", 1308 | "dependsOn": [ 1309 | "pkg:maven/antlr/antlr@2.7.7", 1310 | "pkg:maven/ch.qos.logback/logback-classic@1.2.9", 1311 | "pkg:maven/ch.qos.logback/logback-core@1.2.9", 1312 | "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1", 1313 | "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1", 1314 | "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", 1315 | "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1", 1316 | "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1", 1317 | 
"pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1", 1318 | "pkg:maven/com.fasterxml/classmate@1.5.1", 1319 | "pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12", 1320 | "pkg:maven/com.zaxxer/HikariCP@4.0.3", 1321 | "pkg:maven/io.github.classgraph/classgraph@4.8.83", 1322 | "pkg:maven/io.micrometer/micrometer-core@1.8.1", 1323 | "pkg:maven/io.springfox/springfox-bean-validators@3.0.0", 1324 | "pkg:maven/io.springfox/springfox-boot-starter@3.0.0", 1325 | "pkg:maven/io.springfox/springfox-core@3.0.0", 1326 | "pkg:maven/io.springfox/springfox-data-rest@3.0.0", 1327 | "pkg:maven/io.springfox/springfox-oas@3.0.0", 1328 | "pkg:maven/io.springfox/springfox-schema@3.0.0", 1329 | "pkg:maven/io.springfox/springfox-spi@3.0.0", 1330 | "pkg:maven/io.springfox/springfox-spring-web@3.0.0", 1331 | "pkg:maven/io.springfox/springfox-spring-webflux@3.0.0", 1332 | "pkg:maven/io.springfox/springfox-spring-webmvc@3.0.0", 1333 | "pkg:maven/io.springfox/springfox-swagger-common@3.0.0", 1334 | "pkg:maven/io.springfox/springfox-swagger-ui@3.0.0", 1335 | "pkg:maven/io.springfox/springfox-swagger2@3.0.0", 1336 | "pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2", 1337 | "pkg:maven/io.swagger.core.v3/swagger-models@2.1.2", 1338 | "pkg:maven/io.swagger/swagger-annotations@1.5.20", 1339 | "pkg:maven/io.swagger/swagger-models@1.5.20", 1340 | "pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2", 1341 | "pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5", 1342 | "pkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3", 1343 | "pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3", 1344 | "pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2", 1345 | "pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3", 1346 | "pkg:maven/javax.xml.bind/jaxb-api@2.3.0", 1347 | "pkg:maven/net.bytebuddy/byte-buddy@1.11.22", 1348 | "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@23", 1349 | 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56", 1350 | "pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@9.0.56", 1351 | "pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.56", 1352 | "pkg:maven/org.aspectj/aspectjweaver@1.9.7", 1353 | "pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5", 1354 | "pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12", 1355 | "pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final", 1356 | "pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final", 1357 | "pkg:maven/org.hibernate/hibernate-core@5.6.3.Final", 1358 | "pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final", 1359 | "pkg:maven/org.jboss/jandex@2.2.3.Final", 1360 | "pkg:maven/org.mapstruct/mapstruct@1.4.1.Final", 1361 | "pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final", 1362 | "pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1", 1363 | "pkg:maven/org.slf4j/jul-to-slf4j@1.7.32", 1364 | "pkg:maven/org.slf4j/slf4j-api@1.7.32", 1365 | "pkg:maven/org.springframework.boot/spring-boot@2.6.2", 1366 | "pkg:maven/org.springframework.boot/spring-boot-actuator@2.6.2", 1367 | "pkg:maven/org.springframework.boot/spring-boot-actuator-autoconfigure@2.6.2", 1368 | "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.6.2", 1369 | "pkg:maven/org.springframework.boot/spring-boot-starter@2.6.2", 1370 | "pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.6.2", 1371 | "pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.6.2", 1372 | "pkg:maven/org.springframework.boot/spring-boot-starter-cache@2.6.2", 1373 | "pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.6.2", 1374 | "pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@2.6.2", 1375 | "pkg:maven/org.springframework.boot/spring-boot-starter-json@2.6.2", 1376 | "pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.6.2", 1377 | "pkg:maven/org.springframework.boot/spring-boot-starter-security@2.6.2", 1378 | 
"pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.6.2", 1379 | "pkg:maven/org.springframework.boot/spring-boot-starter-validation@2.6.2", 1380 | "pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.2", 1381 | "pkg:maven/org.springframework.data.build/spring-data-commons@2.6.0", 1382 | "pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE", 1383 | "pkg:maven/org.springframework.data/spring-data-jpa@2.6.0", 1384 | "pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE", 1385 | "pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE", 1386 | "pkg:maven/org.springframework.retry/spring-retry@1.3.1", 1387 | "pkg:maven/org.springframework.samples/spring-petclinic-rest@2.6.2", 1388 | "pkg:maven/org.springframework.security/spring-security-config@5.6.1", 1389 | "pkg:maven/org.springframework.security/spring-security-core@5.6.1", 1390 | "pkg:maven/org.springframework.security/spring-security-crypto@5.6.1", 1391 | "pkg:maven/org.springframework.security/spring-security-web@5.6.1", 1392 | "pkg:maven/org.springframework/spring-aop@5.3.14", 1393 | "pkg:maven/org.springframework/spring-aspects@5.3.14", 1394 | "pkg:maven/org.springframework/spring-beans@5.3.14", 1395 | "pkg:maven/org.springframework/spring-context@5.3.14", 1396 | "pkg:maven/org.springframework/spring-context-support@5.3.14", 1397 | "pkg:maven/org.springframework/spring-core@5.3.14", 1398 | "pkg:maven/org.springframework/spring-expression@5.3.14", 1399 | "pkg:maven/org.springframework/spring-jcl@5.3.14", 1400 | "pkg:maven/org.springframework/spring-jdbc@5.3.14", 1401 | "pkg:maven/org.springframework/spring-orm@5.3.14", 1402 | "pkg:maven/org.springframework/spring-tx@5.3.14", 1403 | "pkg:maven/org.springframework/spring-web@5.3.14", 1404 | "pkg:maven/org.springframework/spring-webmvc@5.3.14", 1405 | "pkg:maven/org.yaml/snakeyaml@1.29" 1406 | ] 1407 | }, 1408 | { 1409 | "ref": "e053d629-ee7d-4417-bea6-6c7e165cc943", 1410 | "dependsOn": [ 
1411 | "3997e462-e7f0-4a33-92e1-1b5043348fd4"
1412 | ]
1413 | }
1414 | ],
1415 | "vulnerabilities": []
1416 | }
1417 |
--------------------------------------------------------------------------------
/pet/3-git-triv-sbom.log:
--------------------------------------------------------------------------------
1 | 2023-02-27T09:38:17.913+0100 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2 |
--------------------------------------------------------------------------------
/pet/4-jartf.txt:
--------------------------------------------------------------------------------
1 | META-INF/
2 | META-INF/MANIFEST.MF
3 | org/
4 | org/springframework/
5 | org/springframework/boot/
6 | org/springframework/boot/loader/
7 | org/springframework/boot/loader/ClassPathIndexFile.class
8 | org/springframework/boot/loader/ExecutableArchiveLauncher.class
9 | org/springframework/boot/loader/JarLauncher.class
10 | org/springframework/boot/loader/LaunchedURLClassLoader$DefinePackageCallType.class
11 | org/springframework/boot/loader/LaunchedURLClassLoader$UseFastConnectionExceptionsEnumeration.class
12 | org/springframework/boot/loader/LaunchedURLClassLoader.class
13 | org/springframework/boot/loader/Launcher.class
14 | org/springframework/boot/loader/MainMethodRunner.class
15 | org/springframework/boot/loader/PropertiesLauncher$1.class
16 | org/springframework/boot/loader/PropertiesLauncher$ArchiveEntryFilter.class
17 | org/springframework/boot/loader/PropertiesLauncher$ClassPathArchives.class
18 | org/springframework/boot/loader/PropertiesLauncher$PrefixMatchingArchiveFilter.class
19 | org/springframework/boot/loader/PropertiesLauncher.class
20 | org/springframework/boot/loader/WarLauncher.class
21 | org/springframework/boot/loader/archive/
22 | org/springframework/boot/loader/archive/Archive$Entry.class
23 | org/springframework/boot/loader/archive/Archive$EntryFilter.class
24 |
org/springframework/boot/loader/archive/Archive.class 25 | org/springframework/boot/loader/archive/ExplodedArchive$AbstractIterator.class 26 | org/springframework/boot/loader/archive/ExplodedArchive$ArchiveIterator.class 27 | org/springframework/boot/loader/archive/ExplodedArchive$EntryIterator.class 28 | org/springframework/boot/loader/archive/ExplodedArchive$FileEntry.class 29 | org/springframework/boot/loader/archive/ExplodedArchive$SimpleJarFileArchive.class 30 | org/springframework/boot/loader/archive/ExplodedArchive.class 31 | org/springframework/boot/loader/archive/JarFileArchive$AbstractIterator.class 32 | org/springframework/boot/loader/archive/JarFileArchive$EntryIterator.class 33 | org/springframework/boot/loader/archive/JarFileArchive$JarFileEntry.class 34 | org/springframework/boot/loader/archive/JarFileArchive$NestedArchiveIterator.class 35 | org/springframework/boot/loader/archive/JarFileArchive.class 36 | org/springframework/boot/loader/data/ 37 | org/springframework/boot/loader/data/RandomAccessData.class 38 | org/springframework/boot/loader/data/RandomAccessDataFile$1.class 39 | org/springframework/boot/loader/data/RandomAccessDataFile$DataInputStream.class 40 | org/springframework/boot/loader/data/RandomAccessDataFile$FileAccess.class 41 | org/springframework/boot/loader/data/RandomAccessDataFile.class 42 | org/springframework/boot/loader/jar/ 43 | org/springframework/boot/loader/jar/AbstractJarFile$JarFileType.class 44 | org/springframework/boot/loader/jar/AbstractJarFile.class 45 | org/springframework/boot/loader/jar/AsciiBytes.class 46 | org/springframework/boot/loader/jar/Bytes.class 47 | org/springframework/boot/loader/jar/CentralDirectoryEndRecord$1.class 48 | org/springframework/boot/loader/jar/CentralDirectoryEndRecord$Zip64End.class 49 | org/springframework/boot/loader/jar/CentralDirectoryEndRecord$Zip64Locator.class 50 | org/springframework/boot/loader/jar/CentralDirectoryEndRecord.class 51 | 
org/springframework/boot/loader/jar/CentralDirectoryFileHeader.class 52 | org/springframework/boot/loader/jar/CentralDirectoryParser.class 53 | org/springframework/boot/loader/jar/CentralDirectoryVisitor.class 54 | org/springframework/boot/loader/jar/FileHeader.class 55 | org/springframework/boot/loader/jar/Handler.class 56 | org/springframework/boot/loader/jar/JarEntry.class 57 | org/springframework/boot/loader/jar/JarEntryCertification.class 58 | org/springframework/boot/loader/jar/JarEntryFilter.class 59 | org/springframework/boot/loader/jar/JarFile$1.class 60 | org/springframework/boot/loader/jar/JarFile$JarEntryEnumeration.class 61 | org/springframework/boot/loader/jar/JarFile.class 62 | org/springframework/boot/loader/jar/JarFileEntries$1.class 63 | org/springframework/boot/loader/jar/JarFileEntries$EntryIterator.class 64 | org/springframework/boot/loader/jar/JarFileEntries$Offsets.class 65 | org/springframework/boot/loader/jar/JarFileEntries$Zip64Offsets.class 66 | org/springframework/boot/loader/jar/JarFileEntries$ZipOffsets.class 67 | org/springframework/boot/loader/jar/JarFileEntries.class 68 | org/springframework/boot/loader/jar/JarFileWrapper.class 69 | org/springframework/boot/loader/jar/JarURLConnection$1.class 70 | org/springframework/boot/loader/jar/JarURLConnection$JarEntryName.class 71 | org/springframework/boot/loader/jar/JarURLConnection.class 72 | org/springframework/boot/loader/jar/StringSequence.class 73 | org/springframework/boot/loader/jar/ZipInflaterInputStream.class 74 | org/springframework/boot/loader/jarmode/ 75 | org/springframework/boot/loader/jarmode/JarMode.class 76 | org/springframework/boot/loader/jarmode/JarModeLauncher.class 77 | org/springframework/boot/loader/jarmode/TestJarMode.class 78 | org/springframework/boot/loader/util/ 79 | org/springframework/boot/loader/util/SystemPropertyUtils.class 80 | BOOT-INF/ 81 | BOOT-INF/classes/ 82 | BOOT-INF/classes/messages/ 83 | BOOT-INF/classes/org/ 84 | 
BOOT-INF/classes/org/springframework/ 85 | BOOT-INF/classes/org/springframework/samples/ 86 | BOOT-INF/classes/org/springframework/samples/petclinic/ 87 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/ 88 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/ 89 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/ 90 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/ 91 | BOOT-INF/classes/org/springframework/samples/petclinic/util/ 92 | BOOT-INF/classes/org/springframework/samples/petclinic/config/ 93 | BOOT-INF/classes/org/springframework/samples/petclinic/security/ 94 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/ 95 | BOOT-INF/classes/org/springframework/samples/petclinic/model/ 96 | BOOT-INF/classes/org/springframework/samples/petclinic/service/ 97 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/ 98 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/ 99 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/advice/ 100 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/ 101 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/ 102 | BOOT-INF/classes/db/ 103 | BOOT-INF/classes/db/postgresql/ 104 | BOOT-INF/classes/db/hsqldb/ 105 | BOOT-INF/classes/db/mysql/ 106 | META-INF/maven/ 107 | META-INF/maven/org.springframework.samples/ 108 | META-INF/maven/org.springframework.samples/spring-petclinic-rest/ 109 | BOOT-INF/classes/logback.xml 110 | BOOT-INF/classes/openapi.yml 111 | BOOT-INF/classes/messages/messages_de.properties 112 | BOOT-INF/classes/messages/messages_en.properties 113 | BOOT-INF/classes/messages/messages.properties 114 | BOOT-INF/classes/org/springframework/samples/petclinic/PetClinicApplication.class 115 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/VisitRepository.class 116 | 
BOOT-INF/classes/org/springframework/samples/petclinic/repository/VetRepository.class 117 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/UserRepository.class 118 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataPetRepositoryImpl.class 119 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataOwnerRepository.class 120 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataVisitRepository.class 121 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/PetTypeRepositoryOverride.class 122 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataPetTypeRepositoryImpl.class 123 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataUserRepository.class 124 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataSpecialtyRepositoryImpl.class 125 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataSpecialtyRepository.class 126 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpecialtyRepositoryOverride.class 127 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/PetRepositoryOverride.class 128 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataPetRepository.class 129 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/VisitRepositoryOverride.class 130 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataVisitRepositoryImpl.class 131 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataVetRepository.class 132 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/springdatajpa/SpringDataPetTypeRepository.class 133 | 
BOOT-INF/classes/org/springframework/samples/petclinic/repository/OwnerRepository.class 134 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/SpecialtyRepository.class 135 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaSpecialtyRepositoryImpl.class 136 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaOwnerRepositoryImpl.class 137 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaVisitRepositoryImpl.class 138 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaUserRepositoryImpl.class 139 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaVetRepositoryImpl.class 140 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaPetRepositoryImpl.class 141 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jpa/JpaPetTypeRepositoryImpl.class 142 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/PetRepository.class 143 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVisitRowMapper.class 144 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVisitRepositoryImpl.class 145 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcOwnerRepositoryImpl.class 146 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcPetVisitExtractor.class 147 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcPet.class 148 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcPetRepositoryImpl.class 149 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVetRepositoryImpl$2.class 150 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcSpecialtyRepositoryImpl.class 151 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVisitRepositoryImpl$JdbcVisitRowMapperExt.class 152 | 
BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcPetRowMapper.class 153 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVetRepositoryImpl.class 154 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcUserRepositoryImpl.class 155 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcPetTypeRepositoryImpl.class 156 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/jdbc/JdbcVetRepositoryImpl$1.class 157 | BOOT-INF/classes/org/springframework/samples/petclinic/repository/PetTypeRepository.class 158 | BOOT-INF/classes/org/springframework/samples/petclinic/util/EntityUtils.class 159 | BOOT-INF/classes/org/springframework/samples/petclinic/util/CallMonitoringAspect.class 160 | BOOT-INF/classes/org/springframework/samples/petclinic/config/SwaggerConfig$1.class 161 | BOOT-INF/classes/org/springframework/samples/petclinic/config/SwaggerConfig.class 162 | BOOT-INF/classes/org/springframework/samples/petclinic/security/Roles.class 163 | BOOT-INF/classes/org/springframework/samples/petclinic/security/BasicAuthenticationConfig.class 164 | BOOT-INF/classes/org/springframework/samples/petclinic/security/DisableSecurityConfig.class 165 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/PetMapperImpl.class 166 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/SpecialtyMapperImpl.class 167 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/PetTypeMapper.class 168 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/OwnerMapperImpl.class 169 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/UserMapper.class 170 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/UserMapperImpl.class 171 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/VetMapper.class 172 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/VisitMapper.class 173 | 
BOOT-INF/classes/org/springframework/samples/petclinic/mapper/VisitMapperImpl.class 174 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/VetMapperImpl.class 175 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/SpecialtyMapper.class 176 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/PetMapper.class 177 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/OwnerMapper.class 178 | BOOT-INF/classes/org/springframework/samples/petclinic/mapper/PetTypeMapperImpl.class 179 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Vet.class 180 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Role.class 181 | BOOT-INF/classes/org/springframework/samples/petclinic/model/BaseEntity.class 182 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Person.class 183 | BOOT-INF/classes/org/springframework/samples/petclinic/model/User.class 184 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Specialty.class 185 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Visit.class 186 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Pet.class 187 | BOOT-INF/classes/org/springframework/samples/petclinic/model/Owner.class 188 | BOOT-INF/classes/org/springframework/samples/petclinic/model/NamedEntity.class 189 | BOOT-INF/classes/org/springframework/samples/petclinic/model/PetType.class 190 | BOOT-INF/classes/org/springframework/samples/petclinic/service/ClinicService.class 191 | BOOT-INF/classes/org/springframework/samples/petclinic/service/UserService.class 192 | BOOT-INF/classes/org/springframework/samples/petclinic/service/ClinicServiceImpl.class 193 | BOOT-INF/classes/org/springframework/samples/petclinic/service/UserServiceImpl.class 194 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/SpecialtyDto.class 195 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/OwnerAllOfDto.class 196 | 
BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetAllOfDto.class 197 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/RoleDto.class 198 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetTypeAllOfDto.class 199 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/ValidationMessageDto.class 200 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VetAllOfDto.class 201 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VetDto.class 202 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VetFieldsDto.class 203 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VisitDto.class 204 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VisitAllOfDto.class 205 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetDto.class 206 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/RestErrorDto.class 207 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/UserDto.class 208 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/OwnerFieldsDto.class 209 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetFieldsDto.class 210 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/OwnerDto.class 211 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/VisitFieldsDto.class 212 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetTypeFieldsDto.class 213 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/dto/PetTypeDto.class 214 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/advice/ExceptionControllerAdvice$ErrorInfo.class 215 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/advice/ExceptionControllerAdvice.class 216 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/PetRestController.class 217 | 
BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/OwnerRestController.class 218 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/RootRestController.class 219 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/PetTypeRestController.class 220 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/BindingErrorsResponse$BindingError.class 221 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/VetRestController.class 222 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/BindingErrorsResponse.class 223 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/VisitRestController.class 224 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/SpecialtyRestController.class 225 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/controller/UserRestController.class 226 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/UsersApi.class 227 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/OwnersApi.class 228 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/OopsApi.class 229 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/PettypesApi.class 230 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/PetsApi.class 231 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/VisitsApi.class 232 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/SpecialtiesApi.class 233 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/ApiUtil.class 234 | BOOT-INF/classes/org/springframework/samples/petclinic/rest/api/VetsApi.class 235 | META-INF/build-info.properties 236 | BOOT-INF/classes/db/postgresql/initDB.sql 237 | BOOT-INF/classes/db/postgresql/populateDB.sql 238 | BOOT-INF/classes/db/postgresql/petclinic_db_setup_postgresql.txt 239 | BOOT-INF/classes/db/hsqldb/initDB.sql 240 | 
BOOT-INF/classes/db/hsqldb/populateDB.sql 241 | BOOT-INF/classes/db/mysql/initDB.sql 242 | BOOT-INF/classes/db/mysql/populateDB.sql 243 | BOOT-INF/classes/db/mysql/petclinic_db_setup_mysql.txt 244 | BOOT-INF/classes/application-hsqldb.properties 245 | BOOT-INF/classes/application-postgresql.properties 246 | BOOT-INF/classes/application.properties 247 | BOOT-INF/classes/application-mysql.properties 248 | META-INF/maven/org.springframework.samples/spring-petclinic-rest/pom.xml 249 | META-INF/maven/org.springframework.samples/spring-petclinic-rest/pom.properties 250 | BOOT-INF/lib/ 251 | BOOT-INF/lib/spring-boot-2.6.2.jar 252 | BOOT-INF/lib/spring-boot-autoconfigure-2.6.2.jar 253 | BOOT-INF/lib/logback-classic-1.2.9.jar 254 | BOOT-INF/lib/logback-core-1.2.9.jar 255 | BOOT-INF/lib/log4j-to-slf4j-2.17.0.jar 256 | BOOT-INF/lib/log4j-api-2.17.0.jar 257 | BOOT-INF/lib/jul-to-slf4j-1.7.32.jar 258 | BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar 259 | BOOT-INF/lib/snakeyaml-1.29.jar 260 | BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.6.2.jar 261 | BOOT-INF/lib/spring-boot-actuator-2.6.2.jar 262 | BOOT-INF/lib/micrometer-core-1.8.1.jar 263 | BOOT-INF/lib/HdrHistogram-2.1.12.jar 264 | BOOT-INF/lib/LatencyUtils-2.0.3.jar 265 | BOOT-INF/lib/spring-aop-5.3.14.jar 266 | BOOT-INF/lib/spring-beans-5.3.14.jar 267 | BOOT-INF/lib/aspectjweaver-1.9.7.jar 268 | BOOT-INF/lib/spring-context-support-5.3.14.jar 269 | BOOT-INF/lib/spring-context-5.3.14.jar 270 | BOOT-INF/lib/jakarta.transaction-api-1.3.3.jar 271 | BOOT-INF/lib/jakarta.persistence-api-2.2.3.jar 272 | BOOT-INF/lib/hibernate-core-5.6.3.Final.jar 273 | BOOT-INF/lib/jboss-logging-3.4.2.Final.jar 274 | BOOT-INF/lib/antlr-2.7.7.jar 275 | BOOT-INF/lib/jandex-2.2.3.Final.jar 276 | BOOT-INF/lib/hibernate-commons-annotations-5.1.2.Final.jar 277 | BOOT-INF/lib/jaxb-runtime-2.3.5.jar 278 | BOOT-INF/lib/txw2-2.3.5.jar 279 | BOOT-INF/lib/istack-commons-runtime-3.0.12.jar 280 | BOOT-INF/lib/jakarta.activation-1.2.2.jar 281 | 
BOOT-INF/lib/spring-data-jpa-2.6.0.jar 282 | BOOT-INF/lib/spring-data-commons-2.6.0.jar 283 | BOOT-INF/lib/spring-orm-5.3.14.jar 284 | BOOT-INF/lib/spring-tx-5.3.14.jar 285 | BOOT-INF/lib/spring-aspects-5.3.14.jar 286 | BOOT-INF/lib/HikariCP-4.0.3.jar 287 | BOOT-INF/lib/spring-jdbc-5.3.14.jar 288 | BOOT-INF/lib/jackson-datatype-jdk8-2.13.1.jar 289 | BOOT-INF/lib/jackson-module-parameter-names-2.13.1.jar 290 | BOOT-INF/lib/tomcat-embed-core-9.0.56.jar 291 | BOOT-INF/lib/tomcat-embed-websocket-9.0.56.jar 292 | BOOT-INF/lib/spring-web-5.3.14.jar 293 | BOOT-INF/lib/spring-webmvc-5.3.14.jar 294 | BOOT-INF/lib/spring-expression-5.3.14.jar 295 | BOOT-INF/lib/spring-security-config-5.6.1.jar 296 | BOOT-INF/lib/spring-security-web-5.6.1.jar 297 | BOOT-INF/lib/tomcat-embed-el-9.0.56.jar 298 | BOOT-INF/lib/hibernate-validator-6.2.0.Final.jar 299 | BOOT-INF/lib/jakarta.validation-api-2.0.2.jar 300 | BOOT-INF/lib/hsqldb-2.5.2.jar 301 | BOOT-INF/lib/mysql-connector-java-8.0.27.jar 302 | BOOT-INF/lib/postgresql-42.3.1.jar 303 | BOOT-INF/lib/checker-qual-3.5.0.jar 304 | BOOT-INF/lib/spring-data-jdbc-core-1.2.1.RELEASE.jar 305 | BOOT-INF/lib/spring-retry-1.3.1.jar 306 | BOOT-INF/lib/javax.annotation-api-1.3.2.jar 307 | BOOT-INF/lib/jakarta.xml.bind-api-2.3.3.jar 308 | BOOT-INF/lib/jakarta.activation-api-1.2.2.jar 309 | BOOT-INF/lib/spring-core-5.3.14.jar 310 | BOOT-INF/lib/spring-jcl-5.3.14.jar 311 | BOOT-INF/lib/spring-security-core-5.6.1.jar 312 | BOOT-INF/lib/spring-security-crypto-5.6.1.jar 313 | BOOT-INF/lib/jackson-core-2.13.1.jar 314 | BOOT-INF/lib/jackson-databind-2.13.1.jar 315 | BOOT-INF/lib/jackson-annotations-2.13.1.jar 316 | BOOT-INF/lib/slf4j-api-1.7.32.jar 317 | BOOT-INF/lib/springfox-boot-starter-3.0.0.jar 318 | BOOT-INF/lib/springfox-oas-3.0.0.jar 319 | BOOT-INF/lib/swagger-annotations-2.1.2.jar 320 | BOOT-INF/lib/swagger-models-2.1.2.jar 321 | BOOT-INF/lib/springfox-spi-3.0.0.jar 322 | BOOT-INF/lib/springfox-schema-3.0.0.jar 323 | 
BOOT-INF/lib/springfox-core-3.0.0.jar 324 | BOOT-INF/lib/springfox-spring-web-3.0.0.jar 325 | BOOT-INF/lib/classgraph-4.8.83.jar 326 | BOOT-INF/lib/springfox-spring-webmvc-3.0.0.jar 327 | BOOT-INF/lib/springfox-spring-webflux-3.0.0.jar 328 | BOOT-INF/lib/springfox-swagger-common-3.0.0.jar 329 | BOOT-INF/lib/springfox-data-rest-3.0.0.jar 330 | BOOT-INF/lib/springfox-bean-validators-3.0.0.jar 331 | BOOT-INF/lib/springfox-swagger2-3.0.0.jar 332 | BOOT-INF/lib/swagger-annotations-1.5.20.jar 333 | BOOT-INF/lib/swagger-models-1.5.20.jar 334 | BOOT-INF/lib/springfox-swagger-ui-3.0.0.jar 335 | BOOT-INF/lib/classmate-1.5.1.jar 336 | BOOT-INF/lib/spring-plugin-core-2.0.0.RELEASE.jar 337 | BOOT-INF/lib/spring-plugin-metadata-2.0.0.RELEASE.jar 338 | BOOT-INF/lib/jackson-databind-nullable-0.2.1.jar 339 | BOOT-INF/lib/jackson-datatype-jsr310-2.13.1.jar 340 | BOOT-INF/lib/mapstruct-1.4.1.Final.jar 341 | BOOT-INF/lib/mapstruct-processor-1.4.1.Final.jar 342 | BOOT-INF/lib/byte-buddy-1.11.22.jar 343 | BOOT-INF/lib/jaxb-api-2.3.0.jar 344 | BOOT-INF/lib/spring-boot-jarmode-layertools-2.6.2.jar 345 | BOOT-INF/classpath.idx 346 | BOOT-INF/layers.idx 347 | -------------------------------------------------------------------------------- /pet/4-pkg.log: -------------------------------------------------------------------------------- 1 | [INFO] Scanning for projects... 
2 | [INFO] 3 | [INFO] ---------< org.springframework.samples:spring-petclinic-rest >---------- 4 | [INFO] Building spring-petclinic-rest 2.6.2 5 | [INFO] --------------------------------[ jar ]--------------------------------- 6 | [INFO] 7 | [INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ spring-petclinic-rest --- 8 | [INFO] argLine set to -javaagent:/.m2/repository/org/jacoco/org.jacoco.agent/0.8.7/org.jacoco.agent-0.8.7-runtime.jar=destfile=/pet/target/jacoco.exec,excludes=**/org/springframework/samples/petclinic/rest/dto/**:**/org/springframework/samples/petclinic/rest/api/** 9 | [INFO] 10 | [INFO] --- openapi-generator-maven-plugin:5.2.1:generate (default) @ spring-petclinic-rest --- 11 | [INFO] Generating with dryRun=false 12 | [INFO] Output directory (/pet/target/generated-sources/openapi) does not exist, or is inaccessible. No file (.openapi-generator-ignore) will be evaluated. 13 | [INFO] OpenAPI Generator: spring (server) 14 | [INFO] Generator 'spring' is considered stable. 15 | [INFO] ---------------------------------- 16 | [WARNING] java8 option has been deprecated as it's set to true by default (JDK7 support has been deprecated) 17 | [INFO] Environment variable JAVA_POST_PROCESS_FILE not defined so the Java code may not be properly formatted. To define it, try 'export JAVA_POST_PROCESS_FILE="/usr/local/bin/clang-format -i"' (Linux/Mac) 18 | [INFO] NOTE: To enable file post-processing, 'enablePostProcessFile' must be set to `true` (--enable-post-process-file for CLI). 
19 | [INFO] Invoker Package Name, originally not set, is now derived from api package name: org.springframework.samples.petclinic.rest 20 | [INFO] Processing operation failingRequest 21 | [INFO] Processing operation listOwners 22 | [INFO] Processing operation addOwner 23 | [INFO] Processing operation getOwner 24 | [INFO] Processing operation updateOwner 25 | [INFO] Processing operation deleteOwner 26 | [INFO] Processing operation addPetToOwner 27 | [INFO] Processing operation getOwnersPet 28 | [INFO] Processing operation updateOwnersPet 29 | [INFO] Processing operation addVisitToOwner 30 | [INFO] Processing operation listPetTypes 31 | [INFO] Processing operation addPetType 32 | [INFO] Processing operation getPetType 33 | [INFO] Processing operation updatePetType 34 | [INFO] Processing operation deletePetType 35 | [INFO] Processing operation listPets 36 | [INFO] Processing operation addPet 37 | [INFO] Processing operation getPet 38 | [INFO] Processing operation updatePet 39 | [INFO] Processing operation deletePet 40 | [INFO] Processing operation listVisits 41 | [INFO] Processing operation addVisit 42 | [INFO] Processing operation getVisit 43 | [INFO] Processing operation updateVisit 44 | [INFO] Processing operation deleteVisit 45 | [INFO] Processing operation listSpecialties 46 | [INFO] Processing operation addSpecialty 47 | [INFO] Processing operation getSpecialty 48 | [INFO] Processing operation updateSpecialty 49 | [INFO] Processing operation deleteSpecialty 50 | [INFO] Processing operation listVets 51 | [INFO] Processing operation addVet 52 | [INFO] Processing operation getVet 53 | [INFO] Processing operation updateVet 54 | [INFO] Processing operation deleteVet 55 | [INFO] Processing operation addUser 56 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/OwnerAllOfDto.java 57 | [INFO] writing file 
/pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/OwnerDto.java 58 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/OwnerFieldsDto.java 59 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetAllOfDto.java 60 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetDto.java 61 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetFieldsDto.java 62 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetTypeAllOfDto.java 63 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetTypeDto.java 64 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/PetTypeFieldsDto.java 65 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/RestErrorDto.java 66 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/RoleDto.java 67 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/SpecialtyDto.java 68 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/UserDto.java 69 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/ValidationMessageDto.java 70 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VetAllOfDto.java 71 | [INFO] writing file 
/pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VetDto.java 72 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VetFieldsDto.java 73 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VisitAllOfDto.java 74 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VisitDto.java 75 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/dto/VisitFieldsDto.java 76 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/OopsApi.java 77 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/OwnersApi.java 78 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/PetsApi.java 79 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/PettypesApi.java 80 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/SpecialtiesApi.java 81 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/UsersApi.java 82 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/VetsApi.java 83 | [INFO] writing file /pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/VisitsApi.java 84 | [INFO] writing file /pet/target/generated-sources/openapi/pom.xml 85 | [INFO] writing file /pet/target/generated-sources/openapi/README.md 86 | [INFO] writing file 
/pet/target/generated-sources/openapi/src/main/java/org/springframework/samples/petclinic/rest/api/ApiUtil.java 87 | [INFO] writing file /pet/target/generated-sources/openapi/.openapi-generator-ignore 88 | [INFO] writing file /pet/target/generated-sources/openapi/.openapi-generator/VERSION 89 | [INFO] writing file /pet/target/generated-sources/openapi/.openapi-generator/FILES 90 | ################################################################################ 91 | # Thanks for using OpenAPI Generator. # 92 | # Please consider donation to help us maintain this project 🙏 # 93 | # https://opencollective.com/openapi_generator/donate # 94 | ################################################################################ 95 | [INFO] 96 | [INFO] --- build-helper-maven-plugin:3.2.0:add-source (add-source) @ spring-petclinic-rest --- 97 | [INFO] Source directory: /pet/target/generated-sources/openapi/src/main/java added. 98 | [INFO] 99 | [INFO] --- spring-boot-maven-plugin:2.6.2:build-info (default) @ spring-petclinic-rest --- 100 | [INFO] 101 | [INFO] --- maven-resources-plugin:3.2.0:resources (default-resources) @ spring-petclinic-rest --- 102 | [INFO] Using 'UTF-8' encoding to copy filtered resources. 103 | [INFO] Using 'UTF-8' encoding to copy filtered properties files. 104 | [INFO] Copying 4 resources 105 | [INFO] Copying 13 resources 106 | [INFO] 107 | [INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ spring-petclinic-rest --- 108 | [INFO] Changes detected - recompiling the module! 109 | [INFO] Compiling 112 source files to /pet/target/classes 110 | [INFO] 111 | [INFO] --- maven-resources-plugin:3.2.0:testResources (default-testResources) @ spring-petclinic-rest --- 112 | [INFO] Using 'UTF-8' encoding to copy filtered resources. 113 | [INFO] Using 'UTF-8' encoding to copy filtered properties files. 
114 | [INFO] Copying 1 resource 115 | [INFO] 116 | [INFO] --- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ spring-petclinic-rest --- 117 | [INFO] Changes detected - recompiling the module! 118 | [INFO] Compiling 18 source files to /pet/target/test-classes 119 | [INFO] 120 | [INFO] --- maven-surefire-plugin:2.22.2:test (default-test) @ spring-petclinic-rest --- 121 | [INFO] Tests are skipped. 122 | [INFO] 123 | [INFO] --- jacoco-maven-plugin:0.8.7:report (report) @ spring-petclinic-rest --- 124 | [INFO] Skipping JaCoCo execution due to missing execution data file. 125 | [INFO] 126 | [INFO] --- maven-jar-plugin:3.2.0:jar (default-jar) @ spring-petclinic-rest --- 127 | [INFO] Building jar: /pet/target/spring-petclinic-rest-2.6.2.jar 128 | [INFO] 129 | [INFO] --- spring-boot-maven-plugin:2.6.2:repackage (repackage) @ spring-petclinic-rest --- 130 | [INFO] Replacing main artifact with repackaged archive 131 | [INFO] ------------------------------------------------------------------------ 132 | [INFO] BUILD SUCCESS 133 | [INFO] ------------------------------------------------------------------------ 134 | [INFO] Total time: 3.331 s 135 | [INFO] Finished at: 2023-02-27T09:38:24+01:00 136 | [INFO] ------------------------------------------------------------------------ 137 | -------------------------------------------------------------------------------- /pet/5-pkg-jbom-purls.txt: -------------------------------------------------------------------------------- 1 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1 2 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1 3 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1 4 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1 5 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1 6 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1 7 | pkg:maven/com.fasterxml/ClassMate@1.5.1 8 | 
pkg:maven/com.mysql/MySQL%20Connector%2FJ@8.0.27 9 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2 10 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12 11 | pkg:maven/io.swagger/swagger-annotations@1.5.20 12 | pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2 13 | pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0 14 | pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0 15 | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5 16 | pkg:maven/org.glassfish.jaxb/txw2@2.3.5 17 | pkg:maven/org.glassfish/jakarta.annotation-api-1.3.5@1.3.5 18 | pkg:maven/org.glassfish/jakarta.transaction-api-1.3.3@1.3.3 19 | pkg:maven/org.glassfish/javax.annotation-api-1.3.2@1.3.2 20 | pkg:maven/org.glassfish/jaxb-api@2.3.0 21 | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12 22 | pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final 23 | pkg:maven/org.hibernate/hibernate-commons-annotations-5.1.2.Final@5.1.2.Final 24 | pkg:maven/org.hibernate/hibernate-core@5.6.3.Final 25 | pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final 26 | pkg:maven/org.jboss/jandex@2.2.3.Final 27 | pkg:maven/org.latencyutils/LatencyUtils@2.0.3 28 | pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final 29 | pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1 30 | pkg:maven/org.postgresql/PostgreSQL%20JDBC%20Driver@42.3.1 31 | pkg:maven/org.springframework.data/spring-data-commons@2.6.0 32 | pkg:maven/org.springframework.data/spring-data-jpa@2.6.0 33 | pkg:maven/org.springframework.samples/spring-petclinic-rest@2.6.2 34 | pkg:maven/org.yaml/snakeyaml@1.29 35 | -------------------------------------------------------------------------------- /pet/5-pkg-jbom-sbom.log: -------------------------------------------------------------------------------- 1 | 2023-02-27 09:38:24:946 TRACE --- [jbom] 2 | 2023-02-27 09:38:24:946 TRACE --- [jbom] _ __ 3 | 2023-02-27 09:38:24:946 TRACE --- [jbom] (_) /_ ____ ____ ___ 4 | 2023-02-27 09:38:24:946 TRACE --- [jbom] / / __ \/ __ \/ __ `__ 
\ 5 | 2023-02-27 09:38:24:946 TRACE --- [jbom] / / /_/ / /_/ / / / / / / 6 | 2023-02-27 09:38:24:946 TRACE --- [jbom] __/ /_.___/\____/_/ /_/ /_/ 7 | 2023-02-27 09:38:24:946 TRACE --- [jbom] /___/ 8 | 2023-02-27 09:38:24:946 TRACE --- [jbom] 9 | 2023-02-27 09:38:24:946 TRACE --- [jbom] by Contrast Security - https://contrastsecurity.com 10 | 2023-02-27 09:38:24:946 TRACE --- [jbom] 11 | 2023-02-27 09:38:24:946 TRACE --- [jbom] jbom generates SBOMs for all JVMs running on a host 12 | 2023-02-27 09:38:24:946 TRACE --- [jbom] https://github.com/Contrast-Security-OSS/jbom 13 | 2023-02-27 09:38:24:946 TRACE --- [jbom] 14 | 2023-02-27 09:38:24:946 TRACE --- [jbom] Analyzing file pet/./target/spring-petclinic-rest-2.6.2.jar 15 | 2023-02-27 09:38:26:728 TRACE --- [jbom] Saving SBOM with 95 components to pet/jbom-spring-petclinic-rest-2.6.2.json 16 | 2023-02-27 09:38:26:850 TRACE --- [jbom] 17 | 2023-02-27 09:38:26:850 TRACE --- [jbom] jbom complete 18 | -------------------------------------------------------------------------------- /pet/5-pkg-syft-purls.txt: -------------------------------------------------------------------------------- 1 | pkg:maven/antlr/antlr@2.7.7 2 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1 3 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1 4 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1 5 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1 6 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1 7 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1 8 | pkg:maven/com.fasterxml/classmate@1.5.1 9 | pkg:maven/com.mysql.cj/mysql-connector-java@8.0.27 10 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2 11 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12 12 | pkg:maven/com.sun/jakarta.activation-api@1.2.2 13 | pkg:maven/com.zaxxer/HikariCP@4.0.3 14 | pkg:maven/io.github.classgraph/classgraph@4.8.83 15 | 
pkg:maven/io.micrometer%23micrometer-core/micrometer-core@1.8.1 16 | pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2 17 | pkg:maven/io.swagger.core.v3/swagger-models@2.1.2 18 | pkg:maven/io.swagger/swagger-annotations@1.5.20 19 | pkg:maven/io.swagger/swagger-models@1.5.20 20 | pkg:maven/jakarta.persistence-api/jakarta.persistence-api@2.2.3 21 | pkg:maven/jakarta.validation-api/jakarta.validation-api@2.0.2 22 | pkg:maven/jakarta.xml.bind-api/jakarta.xml.bind-api@2.3.3 23 | pkg:maven/logback-classic/logback-classic@1.2.9 24 | pkg:maven/logback-core/logback-core@1.2.9 25 | pkg:maven/net.bytebuddy/byte-buddy-dep@1.11.22 26 | pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0 27 | pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0 28 | pkg:maven/org.apache.tomcat-embed-core/tomcat-embed-core@9.0.56 29 | pkg:maven/org.apache.tomcat-embed-jasper-el/tomcat-embed-el@9.0.56 30 | pkg:maven/org.apache.tomcat-embed-websocket/tomcat-embed-websocket@9.0.56 31 | pkg:maven/org.aspectj.weaver/aspectjweaver@1.9.7 32 | pkg:maven/org.checkerframework.checker.qual/checker-qual@3.5.0 33 | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5 34 | pkg:maven/org.glassfish.jaxb/txw2@2.3.5 35 | pkg:maven/org.glassfish/jakarta.annotation-api@1.3.5 36 | pkg:maven/org.glassfish/jakarta.transaction-api@1.3.3 37 | pkg:maven/org.glassfish/javax.annotation-api@1.3.2 38 | pkg:maven/org.glassfish/jaxb-api@2.3.0 39 | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12 40 | pkg:maven/org.hibernate.common.hibernate-commons-annotations/hibernate-commons-annotations@5.1.2.Final 41 | pkg:maven/org.hibernate.orm.core/hibernate-core@5.6.3.Final 42 | pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final 43 | pkg:maven/org.hsqldb.hsqldb/hsqldb@2.5.2 44 | pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final 45 | pkg:maven/org.jboss/jandex@2.2.3.Final 46 | pkg:maven/org.latencyutils/LatencyUtils@2.0.3 47 | pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final 48 | 
pkg:maven/org.mapstruct/mapstruct@1.4.1.Final 49 | pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1 50 | pkg:maven/org.postgresql.jdbc/postgresql@42.3.1 51 | pkg:maven/org.slf4j/jul-to-slf4j@1.7.32 52 | pkg:maven/org.slf4j/slf4j-api@1.7.32 53 | pkg:maven/org.springframework.data/spring-data-commons@2.6.0 54 | pkg:maven/org.springframework.data/spring-data-jpa@2.6.0 55 | pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE 56 | pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE 57 | pkg:maven/org.springframework.retry/spring-retry@1.3.1 58 | pkg:maven/org.springframework.samples/spring-petclinic-rest@2.6.2 59 | pkg:maven/org.yaml/snakeyaml@1.29 60 | pkg:maven/spring-aop/spring-aop@5.3.14 61 | pkg:maven/spring-aspects/spring-aspects@5.3.14 62 | pkg:maven/spring-beans/spring-beans@5.3.14 63 | pkg:maven/spring-boot-actuator-autoconfigure/spring-boot-actuator-autoconfigure@2.6.2 64 | pkg:maven/spring-boot-actuator/spring-boot-actuator@2.6.2 65 | pkg:maven/spring-boot-autoconfigure/spring-boot-autoconfigure@2.6.2 66 | pkg:maven/spring-boot-jarmode-layertools/spring-boot-jarmode-layertools@2.6.2 67 | pkg:maven/spring-boot/spring-boot@2.6.2 68 | pkg:maven/spring-context-support/spring-context-support@5.3.14 69 | pkg:maven/spring-context/spring-context@5.3.14 70 | pkg:maven/spring-core/spring-core@5.3.14 71 | pkg:maven/spring-data-jdbc-core/spring-data-jdbc-core@1.2.1.RELEASE 72 | pkg:maven/spring-expression/spring-expression@5.3.14 73 | pkg:maven/spring-jcl/spring-jcl@5.3.14 74 | pkg:maven/spring-jdbc/spring-jdbc@5.3.14 75 | pkg:maven/spring-orm/spring-orm@5.3.14 76 | pkg:maven/spring-security-config/spring-security-config@5.6.1 77 | pkg:maven/spring-security-core/spring-security-core@5.6.1 78 | pkg:maven/spring-security-crypto/spring-security-crypto@5.6.1 79 | pkg:maven/spring-security-web/spring-security-web@5.6.1 80 | pkg:maven/spring-tx/spring-tx@5.3.14 81 | pkg:maven/spring-web/spring-web@5.3.14 82 | 
pkg:maven/spring-webmvc/spring-webmvc@5.3.14 83 | pkg:maven/springfox-bean-validators/springfox-bean-validators@3.0.0 84 | pkg:maven/springfox-boot-starter/springfox-boot-starter@3.0.0 85 | pkg:maven/springfox-core/springfox-core@3.0.0 86 | pkg:maven/springfox-data-rest/springfox-data-rest@3.0.0 87 | pkg:maven/springfox-oas/springfox-oas@3.0.0 88 | pkg:maven/springfox-schema/springfox-schema@3.0.0 89 | pkg:maven/springfox-spi/springfox-spi@3.0.0 90 | pkg:maven/springfox-spring-web/springfox-spring-web@3.0.0 91 | pkg:maven/springfox-spring-webflux/springfox-spring-webflux@3.0.0 92 | pkg:maven/springfox-spring-webmvc/springfox-spring-webmvc@3.0.0 93 | pkg:maven/springfox-swagger-common/springfox-swagger-common@3.0.0 94 | pkg:maven/springfox-swagger-ui/springfox-swagger-ui@3.0.0 95 | pkg:maven/springfox-swagger2/springfox-swagger2@3.0.0 96 | -------------------------------------------------------------------------------- /pet/5-pkg-syft-sbom.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/endorlabs/sbom-lab/70b92c4f081aecc0eb41267a53ac85b829bf86da/pet/5-pkg-syft-sbom.log -------------------------------------------------------------------------------- /pet/6-img-syft-purls.txt: -------------------------------------------------------------------------------- 1 | pkg:deb/debian/base-files@9.9+deb9u13 2 | pkg:deb/debian/fontconfig-config@2.11.0-6.7 3 | pkg:deb/debian/fonts-dejavu-core@2.37-1 4 | pkg:deb/debian/libc6@2.24-11+deb9u4 5 | pkg:deb/debian/libexpat1@2.2.0-2+deb9u3 6 | pkg:deb/debian/libfontconfig1@2.11.0-6.7+b1 7 | pkg:deb/debian/libfreetype6@2.6.3-3.2+deb9u2 8 | pkg:deb/debian/libgcc1@1:6.3.0-18+deb9u1 9 | pkg:deb/debian/libgomp1@6.3.0-18+deb9u1 10 | pkg:deb/debian/libjpeg62-turbo@1:1.5.1-2+deb9u1 11 | pkg:deb/debian/liblcms2-2@2.8-4+deb9u1 12 | pkg:deb/debian/libpng16-16@1.6.28-1+deb9u1 13 | pkg:deb/debian/libssl1.1@1.1.0l-1~deb9u3 14 | pkg:deb/debian/libstdc++6@6.3.0-18+deb9u1 15 | 
pkg:deb/debian/libuuid1@2.29.2-1+deb9u1
16 | pkg:deb/debian/netbase@5.4
17 | pkg:deb/debian/openjdk-8-jre-headless@8u275-b01-1~deb9u1
18 | pkg:deb/debian/openssl@1.1.0l-1~deb9u3
19 | pkg:deb/debian/tzdata@2021a-0+deb9u1
20 | pkg:deb/debian/zlib1g@1:1.2.8.dfsg-5
21 | pkg:maven/US_export_policy/US_export_policy
22 | pkg:maven/US_export_policy/US_export_policy
23 | pkg:maven/antlr/antlr@2.7.7
24 | pkg:maven/charsets/charsets
25 | pkg:maven/cldrdata/cldrdata
26 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1
27 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1
28 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1
29 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1
30 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1
31 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1
32 | pkg:maven/com.fasterxml/classmate@1.5.1
33 | pkg:maven/com.mysql.cj/mysql-connector-java@8.0.27
34 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2
35 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12
36 | pkg:maven/com.sun/jakarta.activation-api@1.2.2
37 | pkg:maven/com.sun/jce@1.8.0_275
38 | pkg:maven/com.sun/sunec@1.8.0_275
39 | pkg:maven/com.sun/sunjce_provider@1.8.0_275
40 | pkg:maven/com.sun/sunpkcs11@1.8.0_275
41 | pkg:maven/com.zaxxer/HikariCP@4.0.3
42 | pkg:maven/dnsns/dnsns
43 | pkg:maven/icedtea-sound/icedtea-sound
44 | pkg:maven/io.github.classgraph/classgraph@4.8.83
45 | pkg:maven/io.micrometer%23micrometer-core/micrometer-core@1.8.1
46 | pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2
47 | pkg:maven/io.swagger.core.v3/swagger-models@2.1.2
48 | pkg:maven/io.swagger/swagger-annotations@1.5.20
49 | pkg:maven/io.swagger/swagger-models@1.5.20
50 | pkg:maven/jaccess/jaccess
51 | pkg:maven/jakarta.persistence-api/jakarta.persistence-api@2.2.3
52 | pkg:maven/jakarta.validation-api/jakarta.validation-api@2.0.2
53 | pkg:maven/jakarta.xml.bind-api/jakarta.xml.bind-api@2.3.3
54 | pkg:maven/jfr/jfr@1.8.0_275
55 | pkg:maven/jsse/jsse@1.8.0_275
56 | pkg:maven/local_policy/local_policy
57 | pkg:maven/local_policy/local_policy
58 | pkg:maven/localedata/localedata
59 | pkg:maven/logback-classic/logback-classic@1.2.9
60 | pkg:maven/logback-core/logback-core@1.2.9
61 | pkg:maven/management-agent/management-agent
62 | pkg:maven/nashorn/nashorn@1.8.0_275-8u275-b01-1~deb9u1-b01
63 | pkg:maven/net.bytebuddy/byte-buddy-dep@1.11.22
64 | pkg:maven/net.bytebuddy/byte-buddy@1.11.22
65 | pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0
66 | pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0
67 | pkg:maven/org.apache.tomcat-embed-core/tomcat-embed-core@9.0.56
68 | pkg:maven/org.apache.tomcat-embed-jasper-el/tomcat-embed-el@9.0.56
69 | pkg:maven/org.apache.tomcat-embed-websocket/tomcat-embed-websocket@9.0.56
70 | pkg:maven/org.aspectj.weaver/aspectjweaver@1.9.7
71 | pkg:maven/org.checkerframework.checker.qual/checker-qual@3.5.0
72 | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
73 | pkg:maven/org.glassfish.jaxb/txw2@2.3.5
74 | pkg:maven/org.glassfish/jakarta.annotation-api@1.3.5
75 | pkg:maven/org.glassfish/jakarta.transaction-api@1.3.3
76 | pkg:maven/org.glassfish/javax.annotation-api@1.3.2
77 | pkg:maven/org.glassfish/jaxb-api@2.3.0
78 | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
79 | pkg:maven/org.hibernate.common.hibernate-commons-annotations/hibernate-commons-annotations@5.1.2.Final
80 | pkg:maven/org.hibernate.orm.core/hibernate-core@5.6.3.Final
81 | pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
82 | pkg:maven/org.hsqldb.hsqldb/hsqldb@2.5.2
83 | pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
84 | pkg:maven/org.jboss/jandex@2.2.3.Final
85 | pkg:maven/org.latencyutils/LatencyUtils@2.0.3
86 | pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
87 | pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
88 | pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
89 | pkg:maven/org.postgresql.jdbc/postgresql@42.3.1
90 | pkg:maven/org.slf4j/jul-to-slf4j@1.7.32
91 | pkg:maven/org.slf4j/slf4j-api@1.7.32
92 | pkg:maven/org.springframework.data/spring-data-commons@2.6.0
93 | pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
94 | pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE
95 | pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE
96 | pkg:maven/org.springframework.retry/spring-retry@1.3.1
97 | pkg:maven/org.yaml/snakeyaml@1.29
98 | pkg:maven/resources/resources@1.8.0_275
99 | pkg:maven/rt/rt@1.8.0_275
100 | pkg:maven/spring-aop/spring-aop@5.3.14
101 | pkg:maven/spring-aspects/spring-aspects@5.3.14
102 | pkg:maven/spring-beans/spring-beans@5.3.14
103 | pkg:maven/spring-boot-actuator-autoconfigure/spring-boot-actuator-autoconfigure@2.6.2
104 | pkg:maven/spring-boot-actuator/spring-boot-actuator@2.6.2
105 | pkg:maven/spring-boot-autoconfigure/spring-boot-autoconfigure@2.6.2
106 | pkg:maven/spring-boot-starter-actuator/spring-boot-starter-actuator@2.6.2
107 | pkg:maven/spring-boot-starter-aop/spring-boot-starter-aop@2.6.2
108 | pkg:maven/spring-boot-starter-cache/spring-boot-starter-cache@2.6.2
109 | pkg:maven/spring-boot-starter-data-jpa/spring-boot-starter-data-jpa@2.6.2
110 | pkg:maven/spring-boot-starter-jdbc/spring-boot-starter-jdbc@2.6.2
111 | pkg:maven/spring-boot-starter-json/spring-boot-starter-json@2.6.2
112 | pkg:maven/spring-boot-starter-logging/spring-boot-starter-logging@2.6.2
113 | pkg:maven/spring-boot-starter-security/spring-boot-starter-security@2.6.2
114 | pkg:maven/spring-boot-starter-tomcat/spring-boot-starter-tomcat@2.6.2
115 | pkg:maven/spring-boot-starter-validation/spring-boot-starter-validation@2.6.2
116 | pkg:maven/spring-boot-starter-web/spring-boot-starter-web@2.6.2
117 | pkg:maven/spring-boot-starter/spring-boot-starter@2.6.2
118 | pkg:maven/spring-boot/spring-boot@2.6.2
119 | pkg:maven/spring-context-support/spring-context-support@5.3.14
120 | pkg:maven/spring-context/spring-context@5.3.14
121 | pkg:maven/spring-core/spring-core@5.3.14
122 | pkg:maven/spring-data-jdbc-core/spring-data-jdbc-core@1.2.1.RELEASE
123 | pkg:maven/spring-expression/spring-expression@5.3.14
124 | pkg:maven/spring-jcl/spring-jcl@5.3.14
125 | pkg:maven/spring-jdbc/spring-jdbc@5.3.14
126 | pkg:maven/spring-orm/spring-orm@5.3.14
127 | pkg:maven/spring-security-config/spring-security-config@5.6.1
128 | pkg:maven/spring-security-core/spring-security-core@5.6.1
129 | pkg:maven/spring-security-crypto/spring-security-crypto@5.6.1
130 | pkg:maven/spring-security-web/spring-security-web@5.6.1
131 | pkg:maven/spring-tx/spring-tx@5.3.14
132 | pkg:maven/spring-web/spring-web@5.3.14
133 | pkg:maven/spring-webmvc/spring-webmvc@5.3.14
134 | pkg:maven/springfox-bean-validators/springfox-bean-validators@3.0.0
135 | pkg:maven/springfox-boot-starter/springfox-boot-starter@3.0.0
136 | pkg:maven/springfox-core/springfox-core@3.0.0
137 | pkg:maven/springfox-data-rest/springfox-data-rest@3.0.0
138 | pkg:maven/springfox-oas/springfox-oas@3.0.0
139 | pkg:maven/springfox-schema/springfox-schema@3.0.0
140 | pkg:maven/springfox-spi/springfox-spi@3.0.0
141 | pkg:maven/springfox-spring-web/springfox-spring-web@3.0.0
142 | pkg:maven/springfox-spring-webflux/springfox-spring-webflux@3.0.0
143 | pkg:maven/springfox-spring-webmvc/springfox-spring-webmvc@3.0.0
144 | pkg:maven/springfox-swagger-common/springfox-swagger-common@3.0.0
145 | pkg:maven/springfox-swagger-ui/springfox-swagger-ui@3.0.0
146 | pkg:maven/springfox-swagger2/springfox-swagger2@3.0.0
147 | pkg:maven/zipfs/zipfs@1.8.0_275
148 |

--------------------------------------------------------------------------------
/pet/6-img-syft-sbom.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/endorlabs/sbom-lab/70b92c4f081aecc0eb41267a53ac85b829bf86da/pet/6-img-syft-sbom.log

--------------------------------------------------------------------------------
/pet/6-img-triv-purls.txt:
--------------------------------------------------------------------------------
1 | pkg:deb/debian/base-files@9.9+deb9u13
2 | pkg:deb/debian/fontconfig-config@2.11.0-6.7
3 | pkg:deb/debian/fonts-dejavu-core@2.37-1
4 | pkg:deb/debian/libc6@2.24-11+deb9u4
5 | pkg:deb/debian/libexpat1@2.2.0-2+deb9u3
6 | pkg:deb/debian/libfontconfig1@2.11.0-6.7+b1
7 | pkg:deb/debian/libfreetype6@2.6.3-3.2+deb9u2
8 | pkg:deb/debian/libgcc1@1:6.3.0-18+deb9u1
9 | pkg:deb/debian/libgomp1@6.3.0-18+deb9u1
10 | pkg:deb/debian/libjpeg62-turbo@1:1.5.1-2+deb9u1
11 | pkg:deb/debian/liblcms2-2@2.8-4+deb9u1
12 | pkg:deb/debian/libpng16-16@1.6.28-1+deb9u1
13 | pkg:deb/debian/libssl1.1@1.1.0l-1~deb9u3
14 | pkg:deb/debian/libstdc%2B%2B6@6.3.0-18+deb9u1
15 | pkg:deb/debian/libuuid1@2.29.2-1+deb9u1
16 | pkg:deb/debian/netbase@5.4
17 | pkg:deb/debian/openjdk-8-jre-headless@8u275-b01-1~deb9u1
18 | pkg:deb/debian/openssl@1.1.0l-1~deb9u3
19 | pkg:deb/debian/tzdata@2021a-0+deb9u1
20 | pkg:deb/debian/zlib1g@1:1.2.8.dfsg-5
21 | pkg:maven/ch.qos.logback/logback-classic@1.2.9
22 | pkg:maven/ch.qos.logback/logback-core@1.2.9
23 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1
24 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1
25 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1
26 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1
27 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1
28 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1
29 | pkg:maven/com.fasterxml/classmate@1.5.1
30 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2
31 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12
32 | pkg:maven/com.zaxxer/HikariCP@4.0.3
33 | pkg:maven/io.github.classgraph/classgraph@4.8.83
34 | pkg:maven/io.micrometer/micrometer-core@1.8.1
35 | pkg:maven/io.springfox/springfox-bean-validators@3.0.0
36 | pkg:maven/io.springfox/springfox-boot-starter@3.0.0
37 | pkg:maven/io.springfox/springfox-core@3.0.0
38 | pkg:maven/io.springfox/springfox-data-rest@3.0.0
39 | pkg:maven/io.springfox/springfox-oas@3.0.0
40 | pkg:maven/io.springfox/springfox-schema@3.0.0
41 | pkg:maven/io.springfox/springfox-spi@3.0.0
42 | pkg:maven/io.springfox/springfox-spring-web@3.0.0
43 | pkg:maven/io.springfox/springfox-spring-webflux@3.0.0
44 | pkg:maven/io.springfox/springfox-spring-webmvc@3.0.0
45 | pkg:maven/io.springfox/springfox-swagger-common@3.0.0
46 | pkg:maven/io.springfox/springfox-swagger-ui@3.0.0
47 | pkg:maven/io.springfox/springfox-swagger2@3.0.0
48 | pkg:maven/io.swagger.core.v3/swagger-annotations@2.1.2
49 | pkg:maven/io.swagger.core.v3/swagger-models@2.1.2
50 | pkg:maven/io.swagger/swagger-annotations@1.5.20
51 | pkg:maven/io.swagger/swagger-models@1.5.20
52 | pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2
53 | pkg:maven/jakarta.annotation/jakarta.annotation-api@1.3.5
54 | pkg:maven/jakarta.persistence/jakarta.persistence-api@2.2.3
55 | pkg:maven/jakarta.transaction/jakarta.transaction-api@1.3.3
56 | pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2
57 | pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@2.3.3
58 | pkg:maven/javax.annotation/javax.annotation-api@1.3.2
59 | pkg:maven/javax.xml.bind/jaxb-api@2.3.0
60 | pkg:maven/mysql/mysql-connector-java@8.0.27
61 | pkg:maven/net.bytebuddy/byte-buddy-dep@1.11.22
62 | pkg:maven/net.bytebuddy/byte-buddy@1.11.22
63 | pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0
64 | pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0
65 | pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56
66 | pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@9.0.56
67 | pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.56
68 | pkg:maven/org.aspectj/aspectjweaver@1.9.7
69 | pkg:maven/org.checkerframework/checker-qual@3.5.0
70 | pkg:maven/org.glassfish.external/antlr@2.7.7
71 | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
72 | pkg:maven/org.glassfish.jaxb/txw2@2.3.5
73 | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
74 | pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.2.Final
75 | pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
76 | pkg:maven/org.hibernate/hibernate-core@5.6.3.Final
77 | pkg:maven/org.hsqldb/hsqldb@2.5.2
78 | pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
79 | pkg:maven/org.jboss/jandex@2.2.3.Final
80 | pkg:maven/org.latencyutils/LatencyUtils@2.0.3
81 | pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
82 | pkg:maven/org.mapstruct/mapstruct@1.4.1.Final
83 | pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
84 | pkg:maven/org.postgresql/postgresql@42.3.1
85 | pkg:maven/org.slf4j/jul-to-slf4j@1.7.32
86 | pkg:maven/org.slf4j/slf4j-api@1.7.32
87 | pkg:maven/org.springframework.boot/spring-boot-actuator-autoconfigure@2.6.2
88 | pkg:maven/org.springframework.boot/spring-boot-actuator@2.6.2
89 | pkg:maven/org.springframework.boot/spring-boot-autoconfigure@2.6.2
90 | pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.6.2
91 | pkg:maven/org.springframework.boot/spring-boot-starter-aop@2.6.2
92 | pkg:maven/org.springframework.boot/spring-boot-starter-cache@2.6.2
93 | pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.6.2
94 | pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@2.6.2
95 | pkg:maven/org.springframework.boot/spring-boot-starter-json@2.6.2
96 | pkg:maven/org.springframework.boot/spring-boot-starter-logging@2.6.2
97 | pkg:maven/org.springframework.boot/spring-boot-starter-security@2.6.2
98 | pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@2.6.2
99 | pkg:maven/org.springframework.boot/spring-boot-starter-validation@2.6.2
100 | pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.2
101 | pkg:maven/org.springframework.boot/spring-boot-starter@2.6.2
102 | pkg:maven/org.springframework.boot/spring-boot@2.6.2
103 | pkg:maven/org.springframework.data/spring-data-commons@2.6.0
104 | pkg:maven/org.springframework.data/spring-data-jdbc-core@1.2.1.RELEASE
105 | pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
106 | pkg:maven/org.springframework.plugin/spring-plugin-core@2.0.0.RELEASE
107 | pkg:maven/org.springframework.plugin/spring-plugin-metadata@2.0.0.RELEASE
108 | pkg:maven/org.springframework.retry/spring-retry@1.3.1
109 | pkg:maven/org.springframework.security/spring-security-config@5.6.1
110 | pkg:maven/org.springframework.security/spring-security-core@5.6.1
111 | pkg:maven/org.springframework.security/spring-security-crypto@5.6.1
112 | pkg:maven/org.springframework.security/spring-security-web@5.6.1
113 | pkg:maven/org.springframework/spring-aop@5.3.14
114 | pkg:maven/org.springframework/spring-aspects@5.3.14
115 | pkg:maven/org.springframework/spring-beans@5.3.14
116 | pkg:maven/org.springframework/spring-context-support@5.3.14
117 | pkg:maven/org.springframework/spring-context@5.3.14
118 | pkg:maven/org.springframework/spring-core@5.3.14
119 | pkg:maven/org.springframework/spring-expression@5.3.14
120 | pkg:maven/org.springframework/spring-jcl@5.3.14
121 | pkg:maven/org.springframework/spring-jdbc@5.3.14
122 | pkg:maven/org.springframework/spring-orm@5.3.14
123 | pkg:maven/org.springframework/spring-tx@5.3.14
124 | pkg:maven/org.springframework/spring-web@5.3.14
125 | pkg:maven/org.springframework/spring-webmvc@5.3.14
126 | pkg:maven/org.yaml/snakeyaml@1.29
127 |

--------------------------------------------------------------------------------
/pet/6-img-triv-sbom.log:
--------------------------------------------------------------------------------
1 | 2023-02-27T09:38:35.182+0100 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2 |

--------------------------------------------------------------------------------
/pet/7-run-jbom-purls.txt:
--------------------------------------------------------------------------------
1 | pkg:maven/com.contrastsecurity/jbom@1.2.1
2 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.12.4
3 | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.1
4 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.12.4
5 | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.1
6 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.4
7 | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1
8 | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.12.4
9 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.1
10 | pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.1
11 | pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.1
12 | pkg:maven/com.fasterxml/ClassMate@1.5.1
13 | pkg:maven/com.mysql/MySQL%20Connector%2FJ@8.0.27
14 | pkg:maven/com.networknt/json-schema-validator@1.0.58
15 | pkg:maven/com.sun.activation/jakarta.activation@1.2.2
16 | pkg:maven/com.sun.istack/istack-commons-runtime@3.0.12
17 | pkg:maven/com.sun.xml.bind.jaxb/isorelax@20090621
18 | pkg:maven/io.swagger/swagger-annotations@1.5.20
19 | pkg:maven/jakarta.activation/jakarta.activation-api@1.2.2
20 | pkg:maven/jakarta.activation/jakarta.activation-api@api%2Fpom
21 | pkg:maven/net.java.dev.msv/xsdlib@INF%2Fmaven%2Fnet.java.dev.msv%2Fxsdlib%2Fpom
22 | pkg:maven/org.apache.logging.log4j/log4j-api@2.17.0
23 | pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.0
24 | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.5
25 | pkg:maven/org.glassfish.jaxb/txw2@2.3.5
26 | pkg:maven/org.glassfish/jakarta.annotation-api-1.3.5@1.3.5
27 | pkg:maven/org.glassfish/jakarta.transaction-api-1.3.3@1.3.3
28 | pkg:maven/org.glassfish/javax.annotation-api-1.3.2@1.3.2
29 | pkg:maven/org.glassfish/javax.json@1.1.4
30 | pkg:maven/org.glassfish/jaxb-api@2.3.0
31 | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12
32 | pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final
33 | pkg:maven/org.hibernate/hibernate-commons-annotations-5.1.2.Final@5.1.2.Final
34 | pkg:maven/org.hibernate/hibernate-core@5.6.3.Final
35 | pkg:maven/org.jboss.logging/jboss-logging@3.4.2.Final
36 | pkg:maven/org.jboss/jandex@2.2.3.Final
37 | pkg:maven/org.latencyutils/LatencyUtils@2.0.3
38 | pkg:maven/org.mapstruct/mapstruct-processor@1.4.1.Final
39 | pkg:maven/org.openapitools/jackson-databind-nullable@0.2.1
40 | pkg:maven/org.postgresql/PostgreSQL%20JDBC%20Driver@42.3.1
41 | pkg:maven/org.springframework.data/spring-data-commons@2.6.0
42 | pkg:maven/org.springframework.data/spring-data-jpa@2.6.0
43 | pkg:maven/org.springframework.samples/spring-petclinic-rest@2.6.2
44 | pkg:maven/org.yaml/snakeyaml@1.29
45 |

--------------------------------------------------------------------------------
/pet/7-run-jbom-sbom.log:
--------------------------------------------------------------------------------
1 |
2 | . ____ _ __ _ _
3 | /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
4 | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
5 | \\/ ___)| |_)| | | | | || (_| | ) ) ) )
6 | ' |____| .__|_| |_|_| |_\__, | / / / /
7 | =========|_|==============|___/=/_/_/_/
8 | :: Spring Boot :: (v2.6.2)
9 |
10 | INFO Version - HV000001: Hibernate Validator 6.2.0.Final
11 | INFO PetClinicApplication - Starting PetClinicApplication v2.6.2 using Java 17.0.6 on MacBook-Pro.local with PID 2663 (/pet/target/spring-petclinic-rest-2.6.2.jar started by --redacted-- in /Users/Documents/Work/github.com/endorlabs/sbom-lab)
12 | DEBUG PetClinicApplication - Running with Spring Boot v2.6.2, Spring v5.3.14
13 | INFO PetClinicApplication - The following profiles are active: hsqldb,spring-data-jpa
14 | INFO RepositoryConfigurationDelegate - Bootstrapping Spring Data JPA repositories in DEFAULT mode.
15 | INFO RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 40 ms. Found 7 JPA repository interfaces.
16 | INFO TomcatWebServer - Tomcat initialized with port(s): 9966 (http)
17 | INFO Http11NioProtocol - Initializing ProtocolHandler ["http-nio-9966"]
18 | INFO StandardService - Starting service [Tomcat]
19 | INFO StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.56]
20 | INFO [/petclinic] - Initializing Spring embedded WebApplicationContext
21 | INFO ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 1035 ms
22 | INFO HikariDataSource - HikariPool-1 - Starting...
23 | INFO PoolBase - HikariPool-1 - Driver does not support get/set network timeout for connections. (feature not supported)
24 | INFO HikariDataSource - HikariPool-1 - Start completed.
25 | INFO LogHelper - HHH000204: Processing PersistenceUnitInfo [name: default]
26 | INFO Version - HHH000412: Hibernate ORM core version 5.6.3.Final
27 | INFO Version - HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
28 | INFO Dialect - HHH000400: Using dialect: org.hibernate.dialect.HSQLDialect
29 | INFO JtaPlatformInitiator - HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
30 | INFO LocalContainerEntityManagerFactoryBean - Initialized JPA EntityManagerFactory for persistence unit 'default'
31 | INFO EndpointLinksResolver - Exposing 1 endpoint(s) beneath base path '/actuator'
32 | INFO UserDetailsServiceAutoConfiguration -
33 |
34 | Using generated security password: 4e6f71af-d436-4817-9d8f-1233214c1f03
35 |
36 | INFO DefaultSecurityFilterChain - Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7e52a26b, org.springframework.security.web.context.SecurityContextPersistenceFilter@3b41e1bf, org.springframework.security.web.header.HeaderWriterFilter@670342a2, org.springframework.security.web.authentication.logout.LogoutFilter@2d28fb02, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@486e9d1d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5bda157e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2e56b4d, org.springframework.security.web.session.SessionManagementFilter@1cd6b1bd, org.springframework.security.web.access.ExceptionTranslationFilter@61037caf, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@47df5041]
37 | INFO Http11NioProtocol - Starting ProtocolHandler ["http-nio-9966"]
38 | INFO TomcatWebServer - Tomcat started on port(s): 9966 (http) with context path '/petclinic'
39 | INFO PetClinicApplication - Started PetClinicApplication in 3.33 seconds (JVM running for 3.625)
40 | WARNING: jbom-1.2.1.jar not added to bootstrap class loader search: Illegal argument or not JAR file
41 | 2023-02-27 09:38:47:962 TRACE --- [jbom] ==================================
42 | 2023-02-27 09:38:47:962 TRACE --- [jbom] jbom attached
43 | 2023-02-27 09:38:47:962 TRACE --- [jbom] Java vendor : Eclipse Adoptium
44 | 2023-02-27 09:38:47:963 TRACE --- [jbom] Java version: 17.0.6
45 | 2023-02-27 09:38:49:846 TRACE --- [jbom] Saving SBOM with 119 components to pet/jbom-2663.json
46 | 2023-02-27 09:38:49:948 TRACE --- [jbom] jbom complete
47 | 2023-02-27 09:38:49:948 TRACE --- [jbom] ==================================
48 | INFO LocalContainerEntityManagerFactoryBean - Closing JPA EntityManagerFactory for persistence unit 'default'
49 | INFO HikariDataSource - HikariPool-1 - Shutdown initiated...
50 | INFO HikariDataSource - HikariPool-1 - Shutdown completed.
51 |

--------------------------------------------------------------------------------
/pet/sbom.log:
--------------------------------------------------------------------------------
1 | Check prerequisites: OK
2 |
3 | 1) Clone repo https://github.com/spring-petclinic/spring-petclinic-rest into folder pet
4 | Checkout commit ee236caf798dde6ead7ab0726fb1cea96ca398ae
5 |
6 | 2) Resolve dependencies declared in pet/./pom.xml
7 |
8 | Raw text output in pet/2-deptree.txt contains the following deps:
9 | - 99 compile
10 | - 6 runtime
11 | - 0 provided
12 | - 0 system
13 | - 26 test
14 |
15 | SBOM true-positives (TP), false-negatives (FN) and recall will be computed for deps with scope(s): compile,runtime
16 | pet/2-exp-purls.txt - 105 PURLs have such scope(s)
17 |
18 | 3) Create SBOMs with directory
19 |
20 | Invoke CycloneDX (cycl): OK
21 | + mvn -DoutputFormat=json -DoutputDirectory=pet -DoutputName=3-git-cycl-sbom org.cyclonedx:cyclonedx-maven-plugin:2.7.5:makeBom -f pet/pom.xml > pet/3-git-cycl-sbom.log 2>&1
22 | pet/3-git-cycl-purls.txt - Contains 105 component PURLs in SBOM pet/3-git-cycl-sbom.json (TP = 105, FN = 0, recall = 1.00)
23 |
24 | Invoke Syft: OK
25 | + ./bin/syft packages dir:pet --file pet/3-git-syft-sbom.json -o cyclonedx-json > pet/3-git-syft-sbom.log 2>&1
26 | pet/3-git-syft-purls.txt - Contains 25 component PURLs in SBOM pet/3-git-syft-sbom.json (TP = 5, FN = 100, recall = 0.05)
27 |
28 | Invoke Trivy (triv): OK
29 | + ./bin/trivy fs --format cyclonedx --output pet/3-git-triv-sbom.json pet > pet/3-git-triv-sbom.log 2>&1
30 | pet/3-git-triv-purls.txt - Contains 97 component PURLs in SBOM pet/3-git-triv-sbom.json (TP = 94, FN = 11, recall = 0.90)
31 |
32 | 4) Call 'mvn package' to create JAR
33 |
34 | Created JAR pet/./target/spring-petclinic-rest-2.6.2.jar
35 | pet/4-jartf.txt - Number of files in BOOT-INF/lib = 94
36 |
37 | 5) Create SBOMs with JAR
38 |
39 | Invoke jbom: OK
40 | + java -jar ./bin//jbom.jar --file=pet/./target/spring-petclinic-rest-2.6.2.jar --outputDir=pet > pet/5-pkg-jbom-sbom.log 2>&1
41 | pet/5-pkg-jbom-purls.txt - Contains 34 component PURLs in SBOM pet/5-pkg-jbom-sbom.json (TP = 25, FN = 80, recall = 0.24)
42 |
43 | Invoke Syft: OK
44 | + ./bin/syft packages file:pet/./target/spring-petclinic-rest-2.6.2.jar --file pet/5-pkg-syft-sbom.json -o cyclonedx-json > pet/5-pkg-syft-sbom.log 2>&1
45 | pet/5-pkg-syft-purls.txt - Contains 95 component PURLs in SBOM pet/5-pkg-syft-sbom.json (TP = 36, FN = 69, recall = 0.34)
46 |
47 | 6) Create SBOMs with Docker image springcommunity/spring-petclinic-rest:2.6.2
48 |
49 | Invoke Syft: OK
50 | + ./bin/syft packages springcommunity/spring-petclinic-rest:2.6.2 --file pet/6-img-syft-sbom.json -o cyclonedx-json > pet/6-img-syft-sbom.log 2>&1
51 | pet/6-img-syft-purls.txt - Contains 147 component PURLs in SBOM pet/6-img-syft-sbom.json (TP = 37, FN = 68, recall = 0.35)
52 |
53 | Invoke Trivy (triv): OK
54 | + ./bin/trivy image --format cyclonedx --output pet/6-img-triv-sbom.json springcommunity/spring-petclinic-rest:2.6.2 > pet/6-img-triv-sbom.log 2>&1
55 | pet/6-img-triv-purls.txt - Contains 126 component PURLs in SBOM pet/6-img-triv-sbom.json (TP = 104, FN = 1, recall = 0.99)
56 |
57 | 7) Create runtime SBOMs
58 |
59 | Started executable JAR pet/./target/spring-petclinic-rest-2.6.2.jar with pid 2663, waiting 10 secs before attaching jbom...
60 | pet/7-run-jbom-purls.txt - Contains 44 component PURLs in SBOM pet/7-run-jbom-sbom.json (TP = 25, FN = 80, recall = 0.24)
61 |
62 | 8) No SBOM provided with --sbom
--------------------------------------------------------------------------------