If the pom.xml doesn't explicitly set the scope or version of a dependency and relies on dependencyManagement instead, witness does not output it in the attestation, e.g.:
<!-- Managed dependencies: both entries are BOM imports (type "pom", scope "import").
     Maven merges the imported BOMs' dependencyManagement into this project, so any
     dependency declared in this POM without a <version> or <scope> gets its
     effective values from there rather than from the literal POM text. -->
<dependencyManagement>
<dependencies>
<!-- Platform BOM. groupId, artifactId and version are all property placeholders,
     so the concrete coordinates are only known after property interpolation. -->
<dependency>
<groupId>${quarkus.platform.group-id}</groupId>
<artifactId>${quarkus.platform.artifact-id}</artifactId>
<version>${quarkus.platform.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- Camel BOM, imported at the same group and version properties as the platform BOM. -->
<dependency>
<groupId>${quarkus.platform.group-id}</groupId>
<artifactId>quarkus-camel-bom</artifactId>
<version>${quarkus.platform.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<!-- Direct dependencies. Entries that omit <version> depend on a managed version
     (presumably supplied by the BOM imports in dependencyManagement; confirm against
     the effective POM). Reading only the literal elements below therefore does not
     tell you which version is actually built. -->
<dependencies>
<!-- Core -->
<!-- No version or scope declared: both must be resolved from dependencyManagement. -->
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-arc</artifactId>
</dependency>
<!-- No version or scope declared: both must be resolved from dependencyManagement. -->
<dependency>
<groupId>org.apache.camel.quarkus</groupId>
<artifactId>camel-quarkus-core</artifactId>
</dependency>
<!-- Version pinned explicitly; scope omitted, so Maven's default scope (compile)
     applies unless dependencyManagement overrides it. -->
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>jsr305</artifactId>
<version>3.0.2</version>
</dependency>
<!-- No version or scope declared: both must be resolved from dependencyManagement. -->
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-container-image-docker</artifactId>
</dependency>
<!-- Scope set explicitly to test; version omitted and expected to be managed. -->
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
<!-- Version and scope both declared explicitly; nothing left to resolve. -->
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
<version>5.2.1</version>
<scope>test</scope>
</dependency>
</dependencies>
{
"type": "https://witness.dev/attestations/maven/v0.1",
"attestation": {
"groupid": "org.acme",
"artifactid": "cats-and-dogs",
"version": "1.0.0-SNAPSHOT",
"projectname": "",
"dependencies": [
{
"groupid": "io.quarkus",
"artifactid": "quarkus-arc",
"version": "",
"scope": ""
},
{
"groupid": "org.apache.camel.quarkus",
"artifactid": "camel-quarkus-core",
"version": "",
"scope": ""
},
{
"groupid": "com.google.code.findbugs",
"artifactid": "jsr305",
"version": "3.0.2",
"scope": ""
},
{
"groupid": "io.quarkus",
"artifactid": "quarkus-container-image-docker",
"version": "",
"scope": ""
},
{
"groupid": "io.rest-assured",
"artifactid": "rest-assured",
"version": "",
"scope": "test"
},
{
"groupid": "org.apache.httpcomponents.client5",
"artifactid": "httpclient5",
"version": "5.2.1",
"scope": "test"
}
]
},
"starttime": "2023-09-06T10:48:14.932748+01:00",
"endtime": "2023-09-06T10:48:14.934408+01:00"
}
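I'd have expected the version/scope resolved through dependencyManagement to be included. With the fields left empty, the attestation does not record which versions of these dependencies were actually used in the build.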