
Excluded coordinates should not be queried in the OSS Index ? #66

Open
dvbarnz opened this issue Feb 9, 2022 · 4 comments · May be fixed by #68
@dvbarnz

dvbarnz commented Feb 9, 2022

Using config similar to below (obfuscated) - the excluded artefact is still included in the network request to query the index.
The excluded artefact is one of our internal dependencies. We do not wish for this information to be transmitted outside of our networks.

```xml
<exclude>
    <groupId>uk.xxx.yyy.zzz</groupId>
    <artifactId>aaaa-bbb</artifactId>
    <version>0.0.14-SNAPSHOT</version>
</exclude>
```

POST https://ossindex.sonatype.org/api/v3/component-report;
payload: {"coordinates":["pkg:maven/org.yaml/snakeyaml@1.30","pkg:maven/uk.xxx.yyy.zzz/aaa-bbb@0.0.14-SNAPSHOT", ... etc..]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json

@jdillon
Collaborator

jdillon commented Feb 12, 2022

@dvbarnz do you have a more complete example showing this exclusion is not working? Dependency collection should respect these rules, but it's hard to tell why it's not for you without a concrete example showing it is not.

@dvbarnz
Author

dvbarnz commented Feb 12, 2022

Hi there @jdillon - this should illustrate what the issue is. Apologies if it wasn't clear to start with.
https://github.com/dvbarnz/oss-example

@jdillon
Collaborator

jdillon commented Feb 12, 2022

@dvbarnz Thx, that helps.

The reasoning here is that (as the impl stands today) the excludeCoordinates configuration is processed to exclude matching (and reporting) vulnerabilities found in specific coordinates and not what is used to collect/exclude the coordinates to request information from the service.

If you had used the dependency exclusions mechanism it would have not included the coordinate in the request to the service. This is why I wanted to see an example so I could confirm how you are configuring Maven ;-)

ATM I don't see any reason why the application of excludeCoordinates couldn't (or shouldn't) be applied before making the request to the service. So we should be able to adjust this behavior as you mention above.

@jdillon jdillon self-assigned this Feb 12, 2022
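The distinction jdillon draws above (an exclusion applied when vulnerabilities are reported, versus one applied before the coordinate list is built) is easy to get wrong when auditing what a scanner sends off-network. The following is an added example, not code from the ossindex-maven plugin or from either participant: a small Python model of both filtering points, fed with the obfuscated `<exclude>` rule and the two purls quoted in the issue, plus the check a practitioner would actually run against a captured request body (for instance one recorded by an egress proxy) to confirm no internal `groupId` reaches `ossindex.sonatype.org`. The glob-style matching in `ExcludeRule`, the `<excludeCoordinates>` wrapper element, and the simplified purl regex (no qualifiers or subpath) are assumptions of this example, not the plugin's documented semantics.

```python
"""Model of pre-request vs post-response coordinate exclusion (added example, not
the ossindex-maven plugin's code). Demonstrates why only the pre-request filter
keeps an internal Maven coordinate out of the OSS Index request body."""
import fnmatch
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed simplified shape of a Maven purl: pkg:maven/<groupId>/<artifactId>@<version>
PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@(.+)$")


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    version: str

    def purl(self) -> str:
        return f"pkg:maven/{self.group_id}/{self.artifact_id}@{self.version}"

    @classmethod
    def from_purl(cls, purl: str) -> "Coordinate":
        m = PURL_RE.match(purl)
        if not m:
            raise ValueError(f"not a maven purl: {purl}")
        return cls(*m.groups())


@dataclass(frozen=True)
class ExcludeRule:
    # Assumed matching semantics (hypothetical, not taken from the plugin): each
    # field is a shell-style glob, and a field omitted from <exclude> matches anything.
    group_id: str = "*"
    artifact_id: str = "*"
    version: str = "*"

    def matches(self, c: Coordinate) -> bool:
        return (fnmatch.fnmatchcase(c.group_id, self.group_id)
                and fnmatch.fnmatchcase(c.artifact_id, self.artifact_id)
                and fnmatch.fnmatchcase(c.version, self.version))


def parse_exclude_rules(xml_text: str) -> list:
    """Read every <exclude> element (groupId/artifactId/version children) into rules."""
    root = ET.fromstring(xml_text)
    rules = []
    for ex in root.iter("exclude"):
        fields = {child.tag: (child.text or "").strip() for child in ex}
        rules.append(ExcludeRule(group_id=fields.get("groupId", "*"),
                                 artifact_id=fields.get("artifactId", "*"),
                                 version=fields.get("version", "*")))
    return rules


def request_body_filter_after(deps, rules) -> str:
    """Behaviour reported in the issue: every collected dependency is sent, and the
    rules are only consulted later, when vulnerabilities are matched and reported."""
    return json.dumps({"coordinates": [d.purl() for d in deps]})


def request_body_filter_before(deps, rules) -> str:
    """Behaviour proposed in the thread: drop excluded coordinates before the request."""
    kept = [d for d in deps if not any(r.matches(d) for r in rules)]
    return json.dumps({"coordinates": [d.purl() for d in kept]})


def leaked_coordinates(request_body: str, internal_group_prefixes) -> list:
    """Audit check on a captured request body: list every purl whose groupId is, or
    sits under, one of the internal namespaces that must never leave the network."""
    coords = json.loads(request_body).get("coordinates", [])
    leaked = []
    for purl in coords:
        c = Coordinate.from_purl(purl)
        if any(c.group_id == p or c.group_id.startswith(p + ".")
               for p in internal_group_prefixes):
            leaked.append(purl)
    return leaked


# Constructed sample data mirroring the obfuscated values quoted in the issue.
EXCLUDE_CONFIG = """
<excludeCoordinates>
  <exclude>
    <groupId>uk.xxx.yyy.zzz</groupId>
    <artifactId>aaaa-bbb</artifactId>
    <version>0.0.14-SNAPSHOT</version>
  </exclude>
</excludeCoordinates>
"""
DEPENDENCIES = [
    Coordinate("org.yaml", "snakeyaml", "1.30"),
    Coordinate("uk.xxx.yyy.zzz", "aaaa-bbb", "0.0.14-SNAPSHOT"),
]
INTERNAL_GROUPS = ["uk.xxx.yyy.zzz"]

if __name__ == "__main__":
    rules = parse_exclude_rules(EXCLUDE_CONFIG)
    for name, build in (("filter after", request_body_filter_after),
                        ("filter before", request_body_filter_before)):
        body = build(DEPENDENCIES, rules)
        print(name, body, "leaked:", leaked_coordinates(body, INTERNAL_GROUPS))
```

Running it prints the internal purl as leaked for the "filter after" body and nothing for the "filter before" body. The `leaked_coordinates` check is the useful part in practice: whatever the plugin version does, pointing the build at a logging proxy and running that check over the captured `component-report` POST body is the only way to be sure an internal coordinate was not transmitted.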
@dvbarnz
Author

dvbarnz commented Feb 12, 2022

Great, thanks @jdillon . Yes, I realised the original description was a bit ambiguous but for some reason I couldn't find the edit button to add a bit more context at the time. :)

@jdillon jdillon linked a pull request Feb 16, 2022 that will close this issue