Description
Hi,
I am evaluating at the moment how I can create SBOMs out of an APK and upload them to Dependency-Track to check for known vulnerabilities. I tried blint today.
I've got a simple Android app that has one vulnerable dependency that I added via build.gradle.kts.
implementation ("com.squareup.okhttp3:okhttp:4.8.0")
The library is imported and I am creating a simple GET request by using OkHTTP. Afterwards I created an APK and scanned it with blint (without and with --deep):
$ blint sbom -i app-debug.apk -o app-debug.sbom
$ blint sbom -i app-debug.apk -o app-debug-deep.sbom --deep
When I search now for OkHttp in the first scan it cannot be found and there is no result.
$ grep -iRn okhttp app-debug.sbom
In the SBOM generated with the deep scan there are 1,854 matches for "okhttp". If I upload the SBOM from the deep scan into Dependency-Track it shows me 51 dependencies, but it does not list OkHttp. So it hasn't identified OkHTTP as a dependency in the APK.
My understanding is that the --deep is grepping through the DEX files to identify classes for dependencies, would this help to create an SBOM? Or is --deep not useful to create a SBOM?
And is it possible in this scenario to list a dependency that was added by Gradle into the SBOM created by blint?