Question about dependencies for automatically created inventory items
Hi all,
We are scanning a project in which we have a scan profile with "All Transitive Dependencies" selected.
For one of the automatically created items (tomahawk20-1.1.14[Apache License 2.0]), only two items are reported as dependencies:
- myfaces-shared-tomahawk 4.0.16 [Bundled with tomahawk20 1.1.14 ] (Apache-2.0)
- sstephenson-prototype 1.7 [Bundled with tomahawk20 1.1.14 ] (MIT)
If we review the dependencies of the component in mvn repository (value obtained from URL field in the component information), it has 11 Compile dependencies (only two are optional), 6 Provided Dependencies and 1 Runtime Dependency.
Only myfaces-shared-tomahawk appears as a provided dependency there, and the second is missing.
In another case, we have an item associated with the component "commons-fileupload 1.3.1" where the tool has not generated any dependencies, but in mvn repository it has 1 compile dependency and 2 provided dependencies.
How does the tool handle the dependencies? What are the criteria for generating an item as a dependency? Why do dependencies appear in some cases and not in others?
Regards
Hi @EUMETSAT_SW_QA,
We sincerely apologize for our lack of response. Going forward, we will be making a concerted effort to respond to all forum questions in a timely manner as well as responding to all previously asked questions on our forum. If you or someone else still has this question, here is our response:
Our dependency detection is best summarized in the following article: https://docs.revenera.com/fnci2022r3/Content/helplibrary/Supported_Ecosystems.htm
In short, we support a number of ecosystems by scanning their associated manifest files to detect dependencies. If you are not seeing dependencies that should be detected, please provide the appropriate manifest file in question for further review. You may also consider opening a new support case with us for a deeper dive into your codebase and scans.
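For comparing a scanner's reported dependencies with what a Maven manifest actually declares, the following is an added example; it is not part of the thread and is not Code Insight's detection logic. It reads only the direct `<dependencies>` of a single `pom.xml` (no parent POMs, `dependencyManagement` or transitive resolution), and the POM, the coordinates and the reported list are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM (not the real POM of any component named in the thread).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo-lib</artifactId><version>1.0.0</version>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>core-utils</artifactId><version>2.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>shared-widgets</artifactId><version>4.0.16</version><scope>provided</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>pdf-export</artifactId><version>0.9</version><optional>true</optional></dependency>
    <dependency><groupId>com.example</groupId><artifactId>log-bridge</artifactId><version>1.2</version><scope>runtime</scope></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for what a scanner listed under the component,
# including one item that is bundled in the artifact rather than declared.
REPORTED = {"com.example:shared-widgets", "org.example.js:bundled-script"}

def _text(node, tag, default=""):
    """Child element text in the POM namespace, or the default if absent/empty."""
    return (node.findtext(f"m:{tag}", default, NS) or default).strip()

def declared_dependencies(pom_xml):
    """Map 'groupId:artifactId' -> (version, scope, optional) for direct dependencies."""
    # Parse only manifests from your own build; use a hardened parser for untrusted XML.
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
        # Maven's default scope is 'compile' when <scope> is omitted.
        deps[key] = (_text(dep, "version"), _text(dep, "scope", "compile"),
                     _text(dep, "optional", "false") == "true")
    return deps

def compare(pom_xml, reported):
    """Return (declared but not reported, reported but not declared)."""
    declared = declared_dependencies(pom_xml)
    missing = sorted(k for k in declared if k not in reported)
    undeclared = sorted(k for k in reported if k not in declared)
    return missing, undeclared

if __name__ == "__main__":
    missing, undeclared = compare(SAMPLE_POM, REPORTED)
    for key in missing:
        print("declared, not reported:", key, declared_dependencies(SAMPLE_POM)[key])
    for key in undeclared:
        print("reported, not declared:", key)
```

The two output lists are the ones worth attaching to a support case alongside the manifest file: declared dependencies absent from the inventory, and inventory items that come from somewhere other than the manifest.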