@algomaster99
Member

No description provided.

@randomicecube

Hey Aman, I've tinkered with it a bit on a fork and it's working now (see https://github.com/randomicecube/sbom.exe/actions/runs/13355966510/job/37298751984)
I'm not exactly sure why this error happened, but switching to the most recent version seems to fix it (v1.5 introduces workflows being agnostic to caching, v1.6 pastes the reports into the logs); I'm going to commit the switch to v1.6, and hopefully the check should behave as expected then

@randomicecube

@algomaster99 working! Fails because of 4 cases where no source code repo was found, but it's working!

@algomaster99
Member Author

algomaster99 commented Feb 17, 2025

Thanks @randomicecube !

> I'm not exactly sure why this error happened,

great out of sight out of mind :D

> Fails because of 4 cases where no source code repo was found, but it's working!

Pasting here for convenience

| index | package_name | github_url | github_exists |
|---|---|---|---|
| 1 | org.sonatype.plexus:plexus-sec-dispatcher@1.3 | No_repo_info_found | |
| 2 | org.sonatype.sisu:sisu-guice@noaop | No_repo_info_found | |
| 3 | org.sonatype.plexus:plexus-build-api@0.0.4 | No_repo_info_found | |
| 4 | org.sonatype.plexus:plexus-cipher@1.4 | No_repo_info_found | |

I tried to Ctrl + F on the output of mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.1:tree -Dverbose > /tmp/a.txt sbom-exe-dt.txt. However, I see none of these dependencies in the tree. I wonder if sbom.exe even has these dependencies.

Also, a feature-request: It would be nice to know which maven module these dependencies belong to.

@randomicecube

randomicecube commented Feb 17, 2025

@algomaster99 I believe some of them come from mvn dependency:resolve-plugins; I get the following:

org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
  ...
  **org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3**
  **org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3**
  **org.sonatype.plexus:plexus-cipher:jar:1.4**
...

This one does not return the table's third entry, however (at least not with version 0.0.4, just 0.0.7). Interesting to note too that I think this allowed me to catch a bug on the sisu-guice case -- the version is being considered no_aop, not 3.2.3, since apparently there can be that fourth field between jar and the version, which I had no idea about. I'll fix it!
EDIT: opened issue chains-project/dirty-waters#69

@randomicecube

> Also, a feature-request: It would be nice to know which maven module these dependencies belong to.

If you mean this chains-project/dirty-waters#67, I think I sent you an e-mail regarding this, I'll bump it

@algomaster99
Member Author

Oh so these were plugins. Now it makes sense!

> This one does not return the table's third entry

Any idea where that is coming from?

Yes. The coordinates have 4 items - groupId, artifactId, packaging and version. If packaging does not exist (option is jar), then version is third. So your commit to replace the index with -1 is good.

@randomicecube

I already dealt with the packaging, I just didn't know that classifiers (which I think is what no_aop is) could also show up; the thing is, I'm not sure if -1 is very generalizable: in mvn dependency:resolve, for example, I think scopes show up too at the end -- so -2 for the resolve case, -1 for the resolve-plugins one?
It's weird, and really bad on maven's end that there's no JSON output like the one for mvn dependency:tree, it'd make this task so much easier
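
The coordinate layout discussed in the comments above, as an added example (not code from dirty-waters or from anyone in this thread): it parses `groupId:artifactId:packaging[:classifier]:version[:scope]` by field count instead of a fixed index, so a classifier or a trailing scope is never reported as the version that later gets checked against a release tag. It assumes the last field is a scope only when it matches one of Maven's scope names; the scoped sample lines are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Scope names Maven can print as the trailing field of a resolved dependency.
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# First three lines are taken from the thread; the last two are constructed.
SAMPLE_LINES = [
    "org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1",
    "org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3",
    "[INFO]    org.sonatype.plexus:plexus-cipher:jar:1.4",
    "commons-io:commons-io:jar:2.18.0:test",   # constructed: trailing scope
    "org.example:demo:jar:tests:1.0:test",     # constructed: classifier and scope
]


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    packaging: str
    classifier: Optional[str]
    version: str
    scope: Optional[str]

    def package_name(self) -> str:
        """Render as group:artifact@version, the form used in the report tables."""
        return f"{self.group_id}:{self.artifact_id}@{self.version}"


def naive_version(line: str, index: int) -> str:
    """Fixed-index lookup, shown only to illustrate how it misreads the fields."""
    return line.split(":")[index]


def parse_coordinate(line: str) -> Coordinate:
    """Parse one coordinate, tolerating a log prefix and trailing annotations."""
    tokens = line.replace("[INFO]", "").split()
    if not tokens:
        raise ValueError("empty line")
    fields = tokens[0].split(":")
    if not all(fields):
        raise ValueError(f"empty field in coordinate: {tokens[0]!r}")

    # Heuristic (assumption): a trailing field is a scope only if it is one of
    # Maven's scope names. Peel it off before counting the remaining fields.
    scope = None
    if len(fields) >= 4 and fields[-1] in MAVEN_SCOPES:
        scope = fields.pop()

    if len(fields) == 3:        # groupId:artifactId:version
        group, artifact, version = fields
        packaging, classifier = "jar", None
    elif len(fields) == 4:      # groupId:artifactId:packaging:version
        group, artifact, packaging, version = fields
        classifier = None
    elif len(fields) == 5:      # groupId:artifactId:packaging:classifier:version
        group, artifact, packaging, classifier, version = fields
    else:
        raise ValueError(f"not a Maven coordinate: {tokens[0]!r}")
    return Coordinate(group, artifact, packaging, classifier, version, scope)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        coord = parse_coordinate(sample)
        print(f"{coord.package_name():45} classifier={coord.classifier} scope={coord.scope}")
    # Neither fixed index is safe across both kinds of line:
    print(naive_version(SAMPLE_LINES[1], 3), naive_version(SAMPLE_LINES[3], -1))
```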

@algomaster99
Member Author

> there's no JSON output like the one for mvn dependency:tree

@LogFlames it seems that there is a feature request to add JSON support for resolve-plugins :)

@randomicecube

I think mvn dependency:resolve and mvn dependency:resolve-plugins would both benefit greatly, for sure! In particular, mvn dependency:resolve has no way (AFAIK) to link transitive dependencies to their parent ones via parsing, so it'd be great to have some structured output

@algomaster99
Member Author

@randomicecube so it seems you have fixed the issue with the 4th unknown dependency? What was the problem?

Also, I tried to manually find the 3 packages that don't have source URLs and I could find 2ish out of 3.

  1. org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3 - https://github.com/codehaus-plexus/plexus-sec-dispatcher/tree/sec-dispatcher-1.3
  2. org.sonatype.plexus:plexus-build-api@0.0.4 - https://github.com/codehaus-plexus/plexus-build-api/tree/plexus-build-api-0.0.4 (this commit is not part of git repository)
  3. org.sonatype.plexus:plexus-cipher:jar:1.4 - could not find it

@randomicecube

^ignoring cache for this run; need to remove that param from the workflow before merging

@github-actions
Contributor

github-actions bot commented Mar 21, 2025

Software Supply Chain Report of chains-project/sbom.exe - HEAD

Enabled Checks

The following checks were specifically requested:

  • Source Code
  • Source Code Sha
  • Deprecated
  • Provenance
  • Code Signature
  • Aliased Packages

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 287

❗ Packages with no source code URL (⚠️⚠️⚠️): 10

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 32

🔒 Packages without code signature (⚠️⚠️): 41

🔓 Packages with invalid code signature (⚠️⚠️): 0

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found (10)

| index | package_name | github_url | github_exists | command |
|---|---|---|---|---|
| 1 | org.codehaus.plexus:plexus-container-default@1.0-alpha-9-stable-1 | No_repo_info_found | | resolve-plugins |
| 2 | commons-cli:commons-cli@1.0 | No_repo_info_found | | resolve-plugins |
| 3 | org.codehaus.plexus:plexus-interactivity-api@1.0-alpha-4 | No_repo_info_found | | resolve-plugins |
| 4 | org.codehaus.plexus:plexus-container-default@1.0-alpha-30 | No_repo_info_found | | resolve-plugins |
| 5 | javax.servlet:servlet-api@2.5 | No_repo_info_found | | resolve-plugins |
| 6 | commons-beanutils:commons-beanutils@1.7.0 | No_repo_info_found | | resolve-plugins |
| 7 | dom4j:dom4j@1.1 | No_repo_info_found | | resolve-plugins |
| 8 | sslext:sslext@1.2-0 | No_repo_info_found | | resolve-plugins |
| 9 | antlr:antlr@2.7.2 | No_repo_info_found | | resolve-plugins |
| 10 | oro:oro@2.0.8 | No_repo_info_found | | resolve-plugins |

List of packages with available source code repos but with inaccessible commit SHAs/tags (32)

| package_name | sha_exists | tag_version | is_sha | sha | tag_url | message | status_code_for_sha | command |
|---|---|---|---|---|---|---|---|---|
| com.diffplug.spotless:spotless-maven-plugin@2.44.3 | False | 2.44.3 | False | | | Tag 2.44.3 not found in the repo | 404 | resolve-plugins |
| com.diffplug.spotless:spotless-lib@3.1.0 | False | 3.1.0 | False | | | Tag 3.1.0 not found in the repo | 404 | resolve-plugins |
| com.diffplug.spotless:spotless-lib-extra@3.1.0 | False | 3.1.0 | False | | | Tag 3.1.0 not found in the repo | 404 | resolve-plugins |
| dev.equo.ide:solstice@1.8.1 | False | 1.8.1 | False | | | Tag 1.8.1 not found in the repo | 404 | resolve-plugins |
| org.jetbrains:annotations@13.0 | False | 13.0 | False | | | Tag 13.0 not found in the repo | 404 | resolve-plugins |
| org.eclipse.platform:org.eclipse.osgi@3.18.500 | False | 3.18.500 | False | | | Tag 3.18.500 not found in the repo | 404 | resolve-plugins |
| com.diffplug.durian:durian-core@1.2.0 | False | 1.2.0 | False | | | Tag 1.2.0 not found in the repo | 404 | resolve-plugins |
| com.diffplug.durian:durian-io@1.2.0 | False | 1.2.0 | False | | | Tag 1.2.0 not found in the repo | 404 | resolve-plugins |
| com.diffplug.durian:durian-collect@1.2.0 | False | 1.2.0 | False | | | Tag 1.2.0 not found in the repo | 404 | resolve-plugins |
| commons-codec:commons-codec@1.17.0 | False | 1.17.0 | False | | | Tag 1.17.0 not found in the repo | 404 | resolve-plugins |
| org.apache.maven.doxia:doxia-site-model@2.0.0 | False | 2.0.0 | False | | | Tag 2.0.0 not found in the repo | 404 | resolve-plugins |
| org.apache.commons:commons-text@1.12.0 | False | 1.12.0 | False | | | Tag 1.12.0 not found in the repo | 404 | resolve-plugins |
| org.apache.maven.doxia:doxia-integration-tools@2.0.0 | False | 2.0.0 | False | | | Tag 2.0.0 not found in the repo | 404 | resolve-plugins |
| org.apache.maven.doxia:doxia-site-renderer@2.0.0 | False | 2.0.0 | False | | | Tag 2.0.0 not found in the repo | 404 | resolve-plugins |
| org.apache.maven.doxia:doxia-skin-model@2.0.0 | False | 2.0.0 | False | | | Tag 2.0.0 not found in the repo | 404 | resolve-plugins |
| org.eclipse.sisu:org.eclipse.sisu.plexus@0.9.0.M3 | False | 0.9.0.M3 | False | | | Tag 0.9.0.M3 not found in the repo | 404 | resolve-plugins |
| org.eclipse.sisu:org.eclipse.sisu.inject@0.9.0.M3 | False | 0.9.0.M3 | False | | | Tag 0.9.0.M3 not found in the repo | 404 | resolve-plugins |
| commons-io:commons-io@2.16.1 | False | 2.16.1 | False | | | Tag 2.16.1 not found in the repo | 404 | resolve-plugins |
| org.apache.commons:commons-compress@1.26.2 | False | 1.26.2 | False | | | Tag 1.26.2 not found in the repo | 404 | resolve-plugins |
| org.apache.commons:commons-lang3@3.17.0 | False | 3.17.0 | False | | | Tag 3.17.0 not found in the repo | 404 | resolve-plugins |
| org.jdom:jdom2@2.0.6.1 | False | 2.0.6.1 | False | | | Tag 2.0.6.1 not found in the repo | 404 | resolve-plugins |
| org.apache.commons:commons-lang3@3.14.0 | False | 3.14.0 | False | | | Tag 3.14.0 not found in the repo | 404 | resolve-plugins |
| commons-io:commons-io@2.11.0 | False | 2.11.0 | False | | | Tag 2.11.0 not found in the repo | 404 | resolve-plugins |
| com.google.guava:guava@33.2.1-jre | False | 33.2.1-jre | False | | | Tag 33.2.1-jre not found in the repo | 404 | resolve-plugins |
| org.apache.httpcomponents:httpclient@4.5.14 | False | 4.5.14 | False | | | Tag 4.5.14 not found in the repo | 404 | resolve-plugins |
| org.apache.httpcomponents:httpcore@4.4.16 | False | 4.4.16 | False | | | Tag 4.4.16 not found in the repo | 404 | resolve-plugins |
| commons-io:commons-io@2.18.0 | False | 2.18.0 | False | | | Tag 2.18.0 not found in the repo | 404 | resolve |
| io.github.algomaster99:runtime-class-interceptor@0.14.2-SNAPSHOT | False | 0.14.2-SNAPSHOT | False | | | Tag 0.14.2-SNAPSHOT not found in the repo | 404 | resolve |
| io.github.algomaster99:terminator-commons@0.14.2-SNAPSHOT | False | 0.14.2-SNAPSHOT | False | | | Tag 0.14.2-SNAPSHOT not found in the repo | 404 | resolve |
| org.assertj:assertj-core@3.27.3 | False | 3.27.3 | False | | | Tag 3.27.3 not found in the repo | 404 | resolve |
| org.junit.platform:junit-platform-commons@1.12.1 | False | 1.12.1 | False | | | Tag 1.12.1 not found in the repo | 404 | resolve |
| org.junit.platform:junit-platform-engine@1.12.1 | False | 1.12.1 | False | | | Tag 1.12.1 not found in the repo | 404 | resolve |

The package manager (maven) does not support checking for deprecated packages.

List of packages without code signature (41)

| package_name | command |
|---|---|
| javax.inject:javax.inject@1 | resolve |
| org.apache.maven.wagon:wagon-provider-api@1.0-beta-2 | resolve-plugins |
| org.codehaus.plexus:plexus-container-default@1.0-alpha-9-stable-1 | resolve-plugins |
| junit:junit@3.8.1 | resolve-plugins |
| classworlds:classworlds@1.1-alpha-2 | resolve-plugins |
| org.apache.maven.wagon:wagon-file@1.0-beta-2 | resolve-plugins |
| org.apache.maven.wagon:wagon-http-lightweight@1.0-beta-2 | resolve-plugins |
| org.apache.maven.wagon:wagon-http-shared@1.0-beta-2 | resolve-plugins |
| jtidy:jtidy@4aug2000r7-dev | resolve-plugins |
| xml-apis:xml-apis@1.0.b2 | resolve-plugins |
| commons-cli:commons-cli@1.0 | resolve-plugins |
| org.apache.maven.wagon:wagon-ssh-external@1.0-beta-2 | resolve-plugins |
| org.apache.maven.wagon:wagon-ssh-common@1.0-beta-2 | resolve-plugins |
| org.codehaus.plexus:plexus-interactivity-api@1.0-alpha-4 | resolve-plugins |
| org.apache.maven.wagon:wagon-ssh@1.0-beta-2 | resolve-plugins |
| com.jcraft:jsch@0.1.27 | resolve-plugins |
| commons-lang:commons-lang@2.1 | resolve-plugins |
| org.codehaus.plexus:plexus-i18n@1.0-beta-10 | resolve-plugins |
| com.google.code.findbugs:jsr305@2.0.1 | resolve-plugins |
| org.codehaus.plexus:plexus-container-default@1.0-alpha-30 | resolve-plugins |
| xerces:xercesImpl@2.9.1 | resolve-plugins |
| xml-apis:xml-apis@1.3.04 | resolve-plugins |
| commons-codec:commons-codec@1.3 | resolve-plugins |
| javax.servlet:servlet-api@2.5 | resolve-plugins |
| commons-beanutils:commons-beanutils@1.7.0 | resolve-plugins |
| commons-digester:commons-digester@1.8 | resolve-plugins |
| commons-chain:commons-chain@1.1 | resolve-plugins |
| dom4j:dom4j@1.1 | resolve-plugins |
| sslext:sslext@1.2-0 | resolve-plugins |
| antlr:antlr@2.7.2 | resolve-plugins |
| org.codehaus.plexus:plexus-i18n@1.0-beta-7 | resolve-plugins |
| org.apache.velocity:velocity@1.5 | resolve-plugins |
| oro:oro@2.0.8 | resolve-plugins |
| org.codehaus.plexus:plexus-velocity@1.1.8 | resolve-plugins |
| org.codehaus.plexus:plexus-utils@1.5.10 | resolve-plugins |
| org.mortbay.jetty:servlet-api@2.5-20081211 | resolve-plugins |
| aopalliance:aopalliance@1.0 | resolve-plugins |
| classworlds:classworlds@1.1 | resolve-plugins |
| org.codehaus.plexus:plexus-interpolation@1.13 | resolve-plugins |
| io.github.algomaster99:runtime-class-interceptor@0.14.2-SNAPSHOT | resolve |
| io.github.algomaster99:terminator-commons@0.14.2-SNAPSHOT | resolve |

All packages have valid code signature.

The package manager (maven) does not support checking for provenance.

The package manager (maven) does not support checking for aliased packages.

Call to Action:

👻What do I do now?

For packages without source code & accessible SHA/release tags:

  • Why? Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.
  1. Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging.

For deprecated packages:

  • Why? Deprecated packages may contain known security issues and are no longer maintained, putting your project at risk.
  1. Confirm the maintainer's deprecation intention
  2. Check for not deprecated versions

For packages without code signature:

  • Why? Code signatures help verify the authenticity and integrity of the package, ensuring it hasn't been tampered with.
  1. Open an issue in the dependency's repository to request the inclusion of code signature in the CI/CD pipeline.

For packages with invalid code signature:

  • Why? Invalid signatures could indicate tampering or compromised build processes.
  1. It's recommended to verify the code signature and contact the maintainer to fix the issue.

For packages without provenance:

  • Why? Without provenance, there's no way to verify that the package was built from the claimed source code, making supply chain attacks possible.
  1. Open an issue in the dependency's repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are aliased:

  • Why? Aliased packages may hide malicious dependencies under seemingly legitimate names.
  1. Check the aliased package and its repository to verify the alias is not malicious.

Notes

Other info:
  • Source code repo is not hosted on GitHub: 117

    This could be due, for example, to the package being hosted on a different platform.

    This does not mean that the source code URL is invalid.

    However, for non-GitHub repositories, not all checks can currently be performed.

| index | package_name | github_url | command |
|---|---|---|---|
| 1 | org.tukaani:xz@1.9 | https://tukaani.org/xz/java.html | resolve-plugins |
| 2 | javax.inject:javax.inject@1 | http://code.google.com/p/atinject/ | resolve |
| 3 | org.eclipse.jgit:org.eclipse.jgit@6.10.0.202406032230-r | https://www.eclipse.org/jgit//org.eclipse.jgit | resolve-plugins |
| 4 | org.sonatype.plexus:plexus-build-api@0.0.7 | http://forge.sonatype.com/spice-parent/plexus-build-api/ | resolve-plugins |
| 5 | org.apache.maven.plugins:maven-jar-plugin@2.4 | http://maven.apache.org/plugins/maven-jar-plugin/ | resolve-plugins |
| 6 | org.apache.maven:maven-plugin-api@2.0.6 | http://maven.apache.org/maven-plugin-api | resolve-plugins |
| 7 | org.apache.maven:maven-project@2.0.6 | http://maven.apache.org/maven-project | resolve-plugins |
| 8 | org.apache.maven:maven-settings@2.0.6 | http://maven.apache.org/maven-settings | resolve-plugins |
| 9 | org.apache.maven:maven-profile@2.0.6 | http://maven.apache.org/maven-profile | resolve-plugins |
| 10 | org.apache.maven:maven-artifact-manager@2.0.6 | http://maven.apache.org/maven-artifact-manager | resolve-plugins |
| 11 | org.apache.maven:maven-repository-metadata@2.0.6 | http://maven.apache.org/maven-repository-metadata | resolve-plugins |
| 12 | org.apache.maven.wagon:wagon-provider-api@1.0-beta-2 | http://maven.apache.org/wagon/wagon-provider-api | resolve-plugins |
| 13 | org.apache.maven:maven-plugin-registry@2.0.6 | http://maven.apache.org/maven-plugin-registry | resolve-plugins |
| 14 | junit:junit@3.8.1 | http://junit.org | resolve-plugins |
| 15 | classworlds:classworlds@1.1-alpha-2 | http://classworlds.codehaus.org/ | resolve-plugins |
| 16 | org.apache.maven:maven-model@2.0.6 | http://maven.apache.org/maven-model | resolve-plugins |
| 17 | org.apache.maven:maven-artifact@2.0.6 | http://maven.apache.org/maven-artifact | resolve-plugins |
| 18 | org.apache.maven:maven-archiver@2.5 | http://maven.apache.org/shared/maven-archiver/ | resolve-plugins |
| 19 | org.apache.maven:maven-core@2.0.6 | http://maven.apache.org/maven-core | resolve-plugins |
| 20 | org.apache.maven.wagon:wagon-file@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-file | resolve-plugins |
| 21 | org.apache.maven:maven-plugin-parameter-documenter@2.0.6 | http://maven.apache.org/maven-plugin-parameter-documenter | resolve-plugins |
| 22 | org.apache.maven.wagon:wagon-http-lightweight@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-http-lightweight | resolve-plugins |
| 23 | org.apache.maven.wagon:wagon-http-shared@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-http-shared | resolve-plugins |
| 24 | jtidy:jtidy@4aug2000r7-dev | http://jtidy.sourceforge.net | resolve-plugins |
| 25 | xml-apis:xml-apis@1.0.b2 | http://xml.apache.org/commons/#external | resolve-plugins |
| 26 | org.apache.maven.reporting:maven-reporting-api@2.0.6 | http://maven.apache.org/maven-reporting/maven-reporting-api | resolve-plugins |
| 27 | org.apache.maven.doxia:doxia-sink-api@1.0-alpha-7 | http://maven.apache.org/doxia/doxia-sink-api | resolve-plugins |
| 28 | org.apache.maven:maven-error-diagnostics@2.0.6 | http://maven.apache.org/maven-error-diagnostics | resolve-plugins |
| 29 | org.apache.maven.wagon:wagon-ssh-external@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-ssh-external | resolve-plugins |
| 30 | org.apache.maven.wagon:wagon-ssh-common@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-ssh-common | resolve-plugins |
| 31 | org.apache.maven:maven-plugin-descriptor@2.0.6 | http://maven.apache.org/maven-plugin-descriptor | resolve-plugins |
| 32 | org.apache.maven:maven-monitor@2.0.6 | http://maven.apache.org/maven-monitor | resolve-plugins |
| 33 | org.apache.maven.wagon:wagon-ssh@1.0-beta-2 | http://maven.apache.org/wagon/wagon-providers/wagon-ssh | resolve-plugins |
| 34 | com.jcraft:jsch@0.1.27 | http://www.jcraft.com/jsch/ | resolve-plugins |
| 35 | commons-lang:commons-lang@2.1 | http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ | resolve-plugins |
| 36 | org.ow2.asm:asm@9.7 | http://asm.ow2.io/ | resolve-plugins |
| 37 | commons-beanutils:commons-beanutils@1.9.4 | https://commons.apache.org/proper/commons-beanutils/ | resolve-plugins |
| 38 | commons-logging:commons-logging@1.2 | http://commons.apache.org/proper/commons-logging/ | resolve-plugins |
| 39 | commons-collections:commons-collections@3.2.2 | http://commons.apache.org/collections/ | resolve-plugins |
| 40 | org.apache.commons:commons-digester3@3.2 | http://commons.apache.org/digester/ | resolve-plugins |
| 41 | org.codehaus.plexus:plexus-i18n@1.0-beta-10 | http://plexus.codehaus.org/plexus-components/plexus-i18n | resolve-plugins |
| 42 | org.ow2.asm:asm-commons@9.7 | http://asm.ow2.io/ | resolve-plugins |
| 43 | org.ow2.asm:asm-tree@9.7 | http://asm.ow2.io/ | resolve-plugins |
| 44 | org.apache.maven.plugins:maven-site-plugin@3.3 | http://maven.apache.org/plugins/maven-site-plugin/ | resolve-plugins |
| 45 | org.apache.maven.reporting:maven-reporting-exec@1.1 | http://maven.apache.org/shared/maven-reporting-exec/ | resolve-plugins |
| 46 | org.apache.maven.reporting:maven-reporting-api@3.0 | http://maven.apache.org/shared/maven-reporting-api/ | resolve-plugins |
| 47 | org.apache.maven:maven-artifact@3.0 | http://maven.apache.org/maven-artifact/ | resolve-plugins |
| 48 | org.apache.maven.shared:maven-shared-utils@0.3 | http://maven.apache.org/shared/maven-shared-utils/ | resolve-plugins |
| 49 | com.google.code.findbugs:jsr305@2.0.1 | http://findbugs.sourceforge.net/ | resolve-plugins |
| 50 | org.codehaus.plexus:plexus-component-annotations@1.5.5 | http://plexus.codehaus.org/plexus-containers/plexus-component-annotations/ | resolve-plugins |
| 51 | org.eclipse.aether:aether-util@0.9.0.M2 | http://www.eclipse.org/aether/aether-util/ | resolve-plugins |
| 52 | org.apache.maven:maven-core@3.0 | http://maven.apache.org/maven-core/ | resolve-plugins |
| 53 | org.apache.maven:maven-repository-metadata@3.0 | http://maven.apache.org/maven-repository-metadata/ | resolve-plugins |
| 54 | org.apache.maven:maven-model-builder@3.0 | http://maven.apache.org/maven-model-builder/ | resolve-plugins |
| 55 | org.apache.maven:maven-aether-provider@3.0 | http://maven.apache.org/maven-aether-provider/ | resolve-plugins |
| 56 | org.codehaus.plexus:plexus-interpolation@1.14 | http://plexus.codehaus.org/plexus-components/plexus-interpolation | resolve-plugins |
| 57 | org.codehaus.plexus:plexus-classworlds@2.2.3 | http://plexus.codehaus.org/plexus-classworlds/ | resolve-plugins |
| 58 | org.apache.maven:maven-model@3.0 | http://maven.apache.org/maven-model/ | resolve-plugins |
| 59 | org.apache.maven:maven-plugin-api@3.0 | http://maven.apache.org/maven-plugin-api/ | resolve-plugins |
| 60 | org.apache.maven:maven-settings@3.0 | http://maven.apache.org/maven-settings/ | resolve-plugins |
| 61 | org.apache.maven:maven-settings-builder@3.0 | http://maven.apache.org/maven-settings-builder/ | resolve-plugins |
| 62 | org.apache.maven:maven-archiver@2.4.2 | http://maven.apache.org/shared/maven-archiver/ | resolve-plugins |
| 63 | org.apache.maven.doxia:doxia-sink-api@1.4 | http://maven.apache.org/doxia/doxia/doxia-sink-api/ | resolve-plugins |
| 64 | org.apache.maven.doxia:doxia-logging-api@1.4 | http://maven.apache.org/doxia/doxia/doxia-logging-api/ | resolve-plugins |
| 65 | org.apache.maven.doxia:doxia-core@1.4 | http://maven.apache.org/doxia/doxia/doxia-core/ | resolve-plugins |
| 66 | xerces:xercesImpl@2.9.1 | http://xerces.apache.org/xerces2-j | resolve-plugins |
| 67 | xml-apis:xml-apis@1.3.04 | http://xml.apache.org/commons/components/external/ | resolve-plugins |
| 68 | org.apache.httpcomponents:httpclient@4.0.2 | http://hc.apache.org/httpcomponents-client | resolve-plugins |
| 69 | commons-logging:commons-logging@1.1.1 | http://commons.apache.org/logging | resolve-plugins |
| 70 | commons-codec:commons-codec@1.3 | http://jakarta.apache.org/commons/codec/ | resolve-plugins |
| 71 | org.apache.httpcomponents:httpcore@4.0.1 | http://hc.apache.org/httpcomponents-core/ | resolve-plugins |
| 72 | org.apache.maven.doxia:doxia-module-xhtml@1.4 | http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-xhtml/ | resolve-plugins |
| 73 | org.apache.maven.doxia:doxia-module-apt@1.4 | http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-apt/ | resolve-plugins |
| 74 | org.apache.maven.doxia:doxia-module-xdoc@1.4 | http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-xdoc/ | resolve-plugins |
| 75 | org.apache.maven.doxia:doxia-module-fml@1.4 | http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-fml/ | resolve-plugins |
| 76 | org.apache.maven.doxia:doxia-module-markdown@1.4 | http://maven.apache.org/doxia/doxia/doxia-modules/doxia-module-markdown/ | resolve-plugins |
| 77 | org.ow2.asm:asm@4.1 | http://asm.objectweb.org/asm/ | resolve-plugins |
| 78 | org.ow2.asm:asm-tree@4.1 | http://asm.objectweb.org/asm-tree/ | resolve-plugins |
| 79 | org.ow2.asm:asm-analysis@4.1 | http://asm.objectweb.org/asm-analysis/ | resolve-plugins |
| 80 | org.ow2.asm:asm-util@4.1 | http://asm.objectweb.org/asm-util/ | resolve-plugins |
| 81 | org.apache.maven.doxia:doxia-decoration-model@1.4 | http://maven.apache.org/doxia/doxia-sitetools/doxia-decoration-model/ | resolve-plugins |
| 82 | org.apache.maven.doxia:doxia-site-renderer@1.4 | http://maven.apache.org/doxia/doxia-sitetools/doxia-site-renderer/ | resolve-plugins |
| 83 | org.apache.velocity:velocity-tools@2.0 | http://velocity.apache.org/tools/devel/ | resolve-plugins |
| 84 | commons-digester:commons-digester@1.8 | http://jakarta.apache.org/commons/digester/ | resolve-plugins |
| 85 | commons-chain:commons-chain@1.1 | http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ | resolve-plugins |
| 86 | commons-validator:commons-validator@1.3.1 | http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/ | resolve-plugins |
| 87 | org.apache.struts:struts-core@1.3.8 | http://struts.apache.org | resolve-plugins |
| 88 | org.apache.struts:struts-taglib@1.3.8 | http://struts.apache.org | resolve-plugins |
| 89 | org.apache.struts:struts-tiles@1.3.8 | http://struts.apache.org | resolve-plugins |
| 90 | commons-collections:commons-collections@3.2.1 | http://commons.apache.org/collections/ | resolve-plugins |
| 91 | org.apache.maven.doxia:doxia-integration-tools@1.5 | http://maven.apache.org/doxia/doxia-tools/doxia-integration-tools/ | resolve-plugins |
| 92 | org.apache.maven.wagon:wagon-provider-api@1.0 | http://maven.apache.org/wagon/wagon-provider-api | resolve-plugins |
| 93 | org.codehaus.plexus:plexus-archiver@1.0 | http://plexus.codehaus.org/plexus-components/plexus-archiver | resolve-plugins |
| 94 | org.codehaus.plexus:plexus-io@1.0 | http://plexus.codehaus.org/plexus-components/plexus-io | resolve-plugins |
| 95 | org.codehaus.plexus:plexus-i18n@1.0-beta-7 | http://plexus.codehaus.org/plexus-components/plexus-i18n | resolve-plugins |
| 96 | org.apache.velocity:velocity@1.5 | http://velocity.apache.org/engine/releases/velocity-1.5/ | resolve-plugins |
| 97 | org.codehaus.plexus:plexus-velocity@1.1.8 | http://plexus.codehaus.org/plexus-components/plexus-velocity | resolve-plugins |
| 98 | org.codehaus.plexus:plexus-utils@1.5.10 | http://plexus.codehaus.org/plexus-utils | resolve-plugins |
| 99 | org.mortbay.jetty:jetty@6.1.25 | http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty | resolve-plugins |
| 100 | org.mortbay.jetty:servlet-api@2.5-20081211 | http://jetty.mortbay.org/servlet-api | resolve-plugins |
| 101 | org.mortbay.jetty:jetty-util@6.1.25 | http://www.eclipse.org/jetty/jetty-parent/project/jetty-util | resolve-plugins |
| 102 | commons-lang:commons-lang@2.5 | http://commons.apache.org/lang/ | resolve-plugins |
| 103 | commons-io:commons-io@1.4 | http://commons.apache.org/io/ | resolve-plugins |
| 104 | org.apache.maven.shared:maven-shared-incremental@1.1 | http://maven.apache.org/shared/maven-shared-incremental/ | resolve-plugins |
| 105 | org.ow2.asm:asm@9.7.1 | http://asm.ow2.io/ | resolve |
| 106 | aopalliance:aopalliance@1.0 | http://aopalliance.sourceforge.net | resolve-plugins |
| 107 | commons-codec:commons-codec@1.11 | http://commons.apache.org/proper/commons-codec/ | resolve-plugins |
| 108 | net.sf.jtidy:jtidy@r938 | http://jtidy.sourceforge.net | resolve-plugins |
| 109 | org.ow2.asm:asm-util@9.7.1 | http://asm.ow2.io/ | resolve |
| 110 | org.ow2.asm:asm-tree@9.7.1 | http://asm.ow2.io/ | resolve |
| 111 | org.ow2.asm:asm-analysis@9.7.1 | http://asm.ow2.io/ | resolve |
| 112 | org.apache.maven.plugins:maven-clean-plugin@2.5 | http://maven.apache.org/plugins/maven-clean-plugin/ | resolve-plugins |
| 113 | org.apache.maven.plugins:maven-resources-plugin@2.6 | http://maven.apache.org/plugins/maven-resources-plugin/ | resolve-plugins |
| 114 | classworlds:classworlds@1.1 | http://classworlds.codehaus.org/ | resolve-plugins |
| 115 | org.codehaus.plexus:plexus-utils@2.0.5 | http://plexus.codehaus.org/plexus-utils | resolve-plugins |
| 116 | org.apache.maven.shared:maven-filtering@1.1 | http://maven.apache.org/shared/maven-filtering/ | resolve-plugins |
| 117 | org.codehaus.plexus:plexus-interpolation@1.13 | http://plexus.codehaus.org/plexus-components/plexus-interpolation | resolve-plugins |

Report created by dirty-waters.

Report created on 2025-03-21 10:29:56

  • Tool version: 662a286b
  • Project Name: chains-project/sbom.exe
  • Project Version: HEAD

@algomaster99
Member Author

@randomicecube just noticed the report! Thanks! I will take a look at this later this week ;)
