Number of findings in cbomkit-action depends on jar and class settings #6

@n1ckl0sk0rtge

Description

Keycloak-test scan results

Classes and jars are specified as patterns (with absolute path). Classes are passed as "sonar.java.binaries" (/Users/san/oss/keycloak-test/**/classes). Jars are passed as "sonar.java.libraries" (e.g. bc jars as /Users/san/oss/cbomkit-action/src/main/resources/java/scan/**/*.jar, /Users/san/oss/cbomkit-action/src/main/resources/java/scan/**/*.zip)

  • no classes, no jars: 122
  • no classes, only bc*jars: 127
  • no classes, only .m2 jars: 129
  • no classes, only project jars: 145
  • no classes, bc*jars + project jars: 145
  • no classes, bc*jars + project jars + .m2 jars: 145
  • classes, no jars: 138
  • classes, only bc*.jars: 143
  • classes, only .m2 jars: 145
  • classes, only project jars: 145
  • classes, bc*jars + project jars: 145

The jar order does not matter. There are warnings in all scans:

[main] WARN org.sonar.java.SonarComponents - Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.

Debug level logging can be enabled by passing -Dorg.slf4j.simpleLogger.defaultLogLevel=DEBUG on the command line.

The number of warnings differs depending on the settings, but they never disappear. The fewest warnings appear when scanning with classes and all jars. I'm not sure if they also show up in SonarQube.
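Since the finding count above tracks how many classes and jars the scanner can actually resolve, the first thing to verify is that each "sonar.java.binaries" / "sonar.java.libraries" pattern expands to at least one file. The following is an added example, not code from cbomkit-action or the issue author: it expands comma-separated `**` glob patterns the way a scan configuration lists them (the comma-separated glob syntax is the only assumption made about the properties) and reports which patterns match nothing. The directory layout it builds under a temporary folder is constructed for the demo.

```python
import glob
import tempfile
from pathlib import Path


def expand_sonar_patterns(value: str) -> dict:
    """Expand a comma-separated sonar.java.* property value.

    Returns {pattern: [matched paths]} using recursive glob, so a
    pattern that resolves to zero files is immediately visible.
    """
    result = {}
    for pattern in (p.strip() for p in value.split(",") if p.strip()):
        result[pattern] = sorted(glob.glob(pattern, recursive=True))
    return result


def unmatched_patterns(value: str) -> list:
    """Patterns from the property value that match no file or directory."""
    return [p for p, matches in expand_sonar_patterns(value).items() if not matches]


def check_scan_inputs(root: Path) -> dict:
    """Build the two property values relative to ROOT and expand both.

    The layout mirrors the issue: a project tree with compiled classes,
    a scan/ folder holding bundled jars/zips, and a local .m2 repository.
    """
    binaries = f"{root}/**/classes"
    libraries = ",".join(
        [f"{root}/scan/**/*.jar", f"{root}/scan/**/*.zip", f"{root}/.m2/**/*.jar"]
    )
    return {
        "sonar.java.binaries": expand_sonar_patterns(binaries),
        "sonar.java.libraries": expand_sonar_patterns(libraries),
    }


def build_demo_tree(root: Path) -> None:
    """Constructed layout: one classes dir, one bundled jar, one .m2 jar, no zip."""
    classes = root / "services" / "target" / "classes" / "org"
    classes.mkdir(parents=True)
    (classes / "Foo.class").write_bytes(b"\xca\xfe\xba\xbe")  # class-file magic only
    (root / "scan").mkdir()
    (root / "scan" / "bcprov-demo.jar").write_bytes(b"PK")  # placeholder jar
    m2 = root / ".m2" / "repository" / "demo"
    m2.mkdir(parents=True)
    (m2 / "demo-lib.jar").write_bytes(b"PK")


def demo() -> dict:
    """Run the check on the constructed tree; return pattern -> match count
    with the temp root stripped so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        report = check_scan_inputs(root)
        prefix = len(str(root)) + 1  # drop "<root>/" from each pattern
        return {
            prop: [(pattern[prefix:], len(matches)) for pattern, matches in expanded.items()]
            for prop, expanded in report.items()
        }


if __name__ == "__main__":
    for prop, rows in demo().items():
        print(prop)
        for pattern, count in rows:
            flag = "" if count else "   <-- matches nothing"
            print(f"  {pattern}: {count} match(es){flag}")
```

Run against a real checkout by replacing the constructed tree with the project root; any pattern reported with zero matches is a jar or classes directory the scanner never saw, which is the kind of gap that shows up as a lower finding count and as the "Unresolved imports/types" warning.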

Labels: bug

Status: Done