Questions: why do submodules of v4.1.32 have SBOM of metrics-parent?

[algomaster99]

Hi! I am trying to investigate why v4.1.32 is non-reproducible by me. On Reproducible Central, the reason is that there is a change in MANIFEST. However, locally, I also see that there is a difference in the CycloneDX SBOM generated.

If you see the reference SBOM pushed to Maven Central here, you observe that it is has many more components than what metrics-core has. The only non-test scoped component in metrics-core v4.1.32 is:

  <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version>
  </dependency> 

But it includes all the submodules of metrics-parent and their dependencies.

I am running the following mvn command along with Zulu JDK 1.8.0_442 and mvn 3.9.6

 mvn -Prelease-sign-artifacts clean package -DskipTests -Dmaven.javadoc.skip -Dgpg.skip -V -e org.apache.maven.plugins:maven-artifact-plugin:3.5.1:compare -Dbuildinfo.reproducible -Dcompare.fail=false

[joschi]

Dropwizard Metrics 4.1.x is unmaintained and there won't be any changes or new releases of that branch.

See https://github.com/dropwizard/metrics/tree/release/4.2.x#versions for the currently maintained branches.

If you can reproduce the issue on the Dropwizard Metrics 4.2.x branch, we can take a look at it.

[algomaster99]

Hi! Sorry for overlooking and opening an issue instead of a discussion.

there won't be any changes or new releases of that branch.

I understand that, but I was trying to understand the reason for non-reproducibility behind that release. I don't intend to introduce any changes to it. The recent releases in 4.2.x branch are indeed reproducible.

[joschi]

It could be a bug in one of the Maven plugins used to generate the metadata.
If you want to investigate in that direction, please go ahead. 😅

Looking at which attribute is causing the issue (Export-Package), my best guess is the Apache Felix Maven Bundle Plugin (BND).

[algomaster99]

Looking at which attribute is causing the issue (Export-Package), my best guess is the Apache Felix Maven Bundle Plugin (BND).

Yes, this is in the MANIFEST and now has been fixed.

The diff I get between SBOMs shows that all components are deleted except metrics-core and slf4j which are indeed the components of metrics-core.

I have attached the SBOMs to reproduce the issue:
On Maven Central: metrics-core-4.1.32-cyclonedx.json:bom.json
Rebuild: metrics-core-4.1.32-cyclonedx.json:bom.json

[algomaster99]

I started investigating v4.2.30 which is the latest release. I see that that the rebuild script here skips generation of CycloneDX SBOM. When I remove that option, I see that the SBOMs generated are different for metrics-parent and they are not identical to the one here.

I observe that hashes for io.dropwizard.metrics/metrics-jetty12@4.2.30?type=jar, io.dropwizard.metrics/metrics-healthchecks@4.2.30?type=jar, io.dropwizard.metrics/metrics-jvm@4.2.30?type=jar and some more components are missing. Can you guess why this would be the case? Am I missing anything in the maven command I am trying?

mvn  -Prelease-sign-artifacts clean package -DskipTests -Dmaven.javadoc.skip -DperformRelease=true  -Dgpg.skip  -V -e org.apache.maven.plugins:maven-artifact-plugin:3.6.0:compare  -Dbuildinfo.reproducible