OkHTTP library - how to list in SBOM? #119
Comments
|
@sushi2k could you kindly share the apk and the generated sbom. Also try cdxgen to generate an sbom from the source. |
|
@prabhu Here you go:
$ cdxgen -t java -o sbom.json
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel properties in .
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel :app:properties in .
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel dependencies :app:dependencies in .
Obtained 203 from this gradle project. De-duping this list ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I am evaluating at the moment how I can create SBOMs out of an APK and upload them to dependency-track to check for known vulnerabilities. I tried today blint.
I've got a simple Android app that has one vulnerable dependency that I added via
build.gradle.kts.The library is imported and I am creating a simple GET request by using OkHTTP. Afterwards I created an APK and scanned it with blint (without and with
--deep):When I search now for OkHttp in the 1st scan it cannot be found and there is no result.
In the sbom generated with deep scan there are 1,854 matches for "okhttp". If I upload the SBOM with deepscan into dependency-track it will show me 51 dependencies, but it will not list OkHttp. So I hasn't identified OkHTTP as dependency in the APK.
My understanding is that the
--deepis grepping through the DEX files to identify classes for dependencies, would this help to create an SBOM? Or is--deepnot useful to create a SBOM?And is it possible in this scenario to list a dependency that was added by Gradle into the SBOM created by blint?
The text was updated successfully, but these errors were encountered: