GitHub (SPDX) SBOMs do not handle Tycho. This can leave vulnerabilities hidden in all Eclipse projects
Basic information
Project name: All Eclipse classic (Tycho) projects hosted on GitHub.
Project id: {id}
What are the affected versions?
(If known)
Details of the issue
GitHub Insights shows the SBOM of a project, which is useful for vulnerability management. It does not show Tycho/p2 dependencies. This hides dependencies, and thus vulnerabilities. Dependabot will not work either.
Steps to reproduce
Put an Eclipse project on GitHub.
Do you know any mitigations of the issue?
Use mvn dependency:list or mvn dependency:tree.
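As an added example (not part of this report), a small Python script that parses mvn dependency:list output and reports which resolved dependencies have no matching purl in the GitHub SPDX export. The Maven output and the SBOM are constructed samples; it assumes Tycho lists p2-resolved plug-ins under a synthetic groupId beginning with p2. (such as p2.eclipse-plugin), which is how they show up in the dependency list.

```python
"""Find dependencies a GitHub SPDX SBOM misses (added example, constructed data)."""
import json
SCOPES = {"compile", "provided", "runtime", "test", "system"}

# Constructed `mvn dependency:list` output; the p2.* groupId is how Tycho reports
# plug-ins resolved from p2 repositories (assumption, see lead-in).
MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    p2.eclipse-plugin:org.eclipse.core.runtime:jar:3.26.0:system
[INFO]    p2.eclipse-plugin:org.eclipse.equinox.common:jar:3.17.0:system
"""

# Constructed GitHub SPDX export: only the plain Maven dependency is listed.
SBOM_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [{
    "name": "org.apache.commons:commons-lang3", "versionInfo": "3.12.0",
    "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                      "referenceLocator": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}],
}]})

def parse_dependency_list(output: str) -> list[dict[str, str]]:
    """Parse `[INFO]    g:a:type[:classifier]:version:scope` lines."""
    deps = []
    for line in output.splitlines():
        body = line.removeprefix("[INFO]").split(" -- ")[0].strip()  # drop JPMS module note
        parts = body.split(":")
        if len(parts) in (5, 6) and parts[-1] in SCOPES:
            deps.append({"group": parts[0], "artifact": parts[1], "version": parts[-2]})
    return deps

def to_purl(dep: dict[str, str]) -> str:
    return f"pkg:maven/{dep['group']}/{dep['artifact']}@{dep['version']}"

def sbom_purls(spdx_json: str) -> set[str]:
    """Collect purl external references from an SPDX 2.x JSON document."""
    return {ref["referenceLocator"]
            for pkg in json.loads(spdx_json).get("packages", [])
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"}

def hidden_dependencies(mvn_output: str, spdx_json: str) -> list[str]:
    """purls of resolved dependencies absent from the SBOM, i.e. invisible to Dependabot."""
    known = sbom_purls(spdx_json)
    return sorted(p for p in map(to_purl, parse_dependency_list(mvn_output)) if p not in known)

if __name__ == "__main__":
    for purl in hidden_dependencies(MVN_OUTPUT, SBOM_JSON):
        print("missing from SBOM:", purl)
```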
Sorry if this is a false positive; I think it's a legit vuln.