Description
Describe the bug
When running the load_sbom pipeline, errors are reported for Maven dependencies during the create_dependencies step. 110 packages are affected. Example:

Could not find resolved_to package entry: pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar
System configuration
- Which version of ScanCode.io are you running?
- Are you running the app using Docker?
  - No, Helm chart for Kubernetes
- On which OS?
  - Linux
- What inputs are you using?
  - SBOM generated with cdxgen (see excerpt below)
- Which pipeline are you running?
  - load_sbom
Relevant part from the SBOM (one entry of the "components" array):

```json
{
  "type": "framework",
  "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
  "group": "org.apache.logging.log4j",
  "name": "log4j-core",
  "version": "2.24.1",
  "description": "A versatile, industrial-grade, and reference implementation of the Log4j API.\n It bundles a rich set of components to assist various use cases:\n Appenders targeting files, network sockets, databases, SMTP servers;\n Layouts that can render CSV, HTML, JSON, Syslog, etc. formatted outputs;\n Filters that can be configured using log event rates, regular expressions, scripts, time, etc.\n It contains several extension points to introduce custom components, if needed.",
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "url": "https://opensource.org/licenses/Apache-2.0"
      }
    }
  ],
  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
  "properties": [
    {
      "name": "GradleProfileName",
      "value": "compileClasspath"
    }
  ]
},
```
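As an added example (not code from this issue, from ScanCode.io, or from cdxgen), the following Python check walks the "dependencies" section of a CycloneDX JSON SBOM and lists every reference that has no matching component entry. It assumes that the "Could not find resolved_to package entry" error means the loader looked up a dependency reference and found no package record for it. It also separately flags references that only match a component once purl qualifiers such as `?type=jar` are ignored; that is a guess at one way such a lookup could fail and is not a diagnosis of this bug. The SBOM embedded in the block is constructed for the example, not the reporter's file.

```python
"""Pre-load consistency check for a CycloneDX JSON SBOM's dependency graph.

Added example, not ScanCode.io or cdxgen code. Assumption: the loader's
"Could not find resolved_to package entry: <purl>" error is raised when a
dependency reference has no matching package record, so this reports every
dependency edge whose target is not declared as a component in the SBOM.
"""
import json

# Constructed SBOM (not the reporter's file). The root component and one
# library are declared; the dependency graph references the library twice
# (once with and once without the ?type=jar qualifier) and one purl that has
# no component entry at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "bom-ref": "pkg:maven/com.example/app@1.0.0?type=jar",
            "purl": "pkg:maven/com.example/app@1.0.0?type=jar",
        }
    },
    "components": [
        {
            "type": "framework",
            "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
            "group": "org.apache.logging.log4j",
            "name": "log4j-core",
            "version": "2.24.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
        }
    ],
    "dependencies": [
        {
            "ref": "pkg:maven/com.example/app@1.0.0?type=jar",
            "dependsOn": [
                "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1?type=jar",
                "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.1",
                "pkg:maven/org.apache.logging.log4j/log4j-api@2.24.1?type=jar",
            ],
        }
    ],
})


def _strip_qualifiers(purl):
    """Drop the '?type=jar' style qualifier part of a purl. Hypothetical
    diagnostic only: it tells a truly missing package apart from a reference
    that differs from its component solely in qualifiers."""
    return purl.split("?", 1)[0]


def known_refs(sbom):
    """Collect every identifier a dependency edge may point to: the bom-ref
    and purl of each component, plus the metadata (root) component."""
    components = list(sbom.get("components", []))
    root = sbom.get("metadata", {}).get("component")
    if root:
        components.append(root)
    refs = set()
    for component in components:
        for key in ("bom-ref", "purl"):
            value = component.get(key)
            if value:
                refs.add(value)
    return refs


def dangling_dependency_refs(sbom_text):
    """Return a sorted list of (referrer, missing_ref, near_match) triples.

    referrer    -- the 'ref' of the dependency entry (None if that 'ref' is
                   itself undeclared)
    missing_ref -- the identifier no component declares
    near_match  -- a declared identifier equal to missing_ref once purl
                   qualifiers are ignored, or None
    """
    sbom = json.loads(sbom_text)
    refs = known_refs(sbom)
    by_base = {_strip_qualifiers(ref): ref for ref in refs}
    problems = []

    def check(referrer, target):
        if target is None or target in refs:
            return
        problems.append((referrer, target, by_base.get(_strip_qualifiers(target))))

    for entry in sbom.get("dependencies", []):
        ref = entry.get("ref")
        check(None, ref)
        for target in entry.get("dependsOn", []):
            check(ref, target)
    return sorted(problems, key=lambda p: (p[0] or "", p[1]))


if __name__ == "__main__":
    for referrer, missing, near in dangling_dependency_refs(SAMPLE_SBOM):
        hint = f" (matches {near} ignoring qualifiers)" if near else ""
        print(f"{referrer} -> {missing}: no component entry{hint}")
```

Running this on a real cdxgen SBOM before loading it separates two cases the loader's error message does not: references that are genuinely absent from the component list, which the SBOM producer has to fix, and references that are present but spelled differently from their component's bom-ref or purl, which points at the loader's matching logic rather than at the SBOM.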
To Reproduce
- Create a product in DejaCode
- Use Action > Load Packages from SBOMs

Note: This file has been crafted by hand based on the original file, which I cannot share. It should result in the aforementioned error for the package log4j-core@2.24.1.
Expected behavior
ScanCode.io should be able to resolve the package.
Screenshots
n.a.