cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can Bookmark boards, posts or articles that you'd like to access again easily! X

Translate the entire conversation x

Dependency scanning on Windchill repos

Go to solution
avillanueva
23-Emerald I
23-Emerald I
‎Dec 05, 2025 07:47 AM
‎Dec 05, 2025 07:47 AM

Dependency scanning on Windchill repos

I've been asked to run some dependency scanning on existing repositories. From what I can tell, scanner is looking for pom.xml where we declare the packages were we reference. I know Windchill itself is based on a number of open source packages but cannot seem to find that. Is there a list of this anywhere?  I kept getting directed to the Release Advisor. Not sure what I was looking for was listed there. 

Labels:
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
tarik_p
14-Alexandrite
14-Alexandrite
(To:avillanueva)
‎Dec 05, 2025 08:08 PM
‎Dec 05, 2025 08:08 PM

@avillanueva  Let me discuss this topic from different aspects. This depends on the reason behind scanning those third-party libraries.

 

For Security Aspect

If it's for security, then PTC always tracks vulnerabilities and publishes any information in the eSupport Portal, you can configure your PTC newsletters to receive such type of information periodically to take immediate actions; this is among the reasons why CPS application updates and upgrades are important.

 

To avoid adding additional third-party or extra frameworks

Developers should not add any additional packages for many reasons(duplications, reduce security concerns, stay consistent with what the software is already using) - even if they don't know if the library exists or not in Windchill, they can rely on a concept kwell-nown in Software Engineering introduced by spring Framework (IOC container), which consists of using the imports coming from the specification not the implementation, see  Article - CS335322 - Which JPA implementation is used in Windchill PDMLink the dependency container will map them to the implementation used by the solution, because official Java APIs are only specifications (interfaces), and providers implement them through concrete classes, and for sure Windchill uses concrete implementations for the majority of Java interfaces.

 

List of Third-party packages

The list you are looking for was part of the Release Advisor but it's no longer the case, see Article - CS371035 - Development Software section listing third-party Jars and libraries is no longer available in the Software Matrices/Release Advisor in Windchill PDMLink

 

How Windchill is managing third-party packages

The way Windchill is managing third-party packages does not look so simple, they are dispersed in different folders, also because Windchill is a modular solution, maybe there are some packages only used with certain modules, but I don't believe PTC R&D will systematically include them unless if the module(that relies on them) is installed, so what I would like to say is that this list is dynamic.

 

Of course, we know how much the order of declarations matters; otherwise, it would be a nightmare since some dependencies rely on others, this is a known aspect in Java and Spring. 

 

What Windchill is using

Looks like you are looking for the pom.xml file, but as far as I know Windchill is not using Maven, it uses Apache Ant to automate tasks, the package wt.pom.sql is Windchill-specific and has nothing to do with Maven. Actually, Windchill uses many of its own libraries, the reason is that historically Windchill was developed when Java was also evolving, for instance, the ORM of Windchill is not JPA compliant; it has its own ORM called Persistence Management, Windchill is using directy Spring Core (IOC Container) but I believe only for the client architecture(JCA) since it has its own Service Delegate Mechanism, see more in this post: Solved: Re: What stack is Windchill running? - PTC Community

 

What @jbraga suggested is the right way to dig in and track dependencies and their order declarations.

 

Reference

Article - CS366061 - [Knowledge Hub] Windchill PLM - Third-Party Libraries and Jars

 

Related threads:

 

Re: Windchill Java development using Apache Maven - PTC Community

Solved: Re: Is there a list of the 3rd party software bund... - PTC Community

 

best regards and happy new year!

Tarik Wifak.

 

tarik_p_0-1764982483084.png

 

 

View solution in original post

Notify Moderator
3 REPLIES 3
jbraga
21-Topaz I
21-Topaz I
(To:avillanueva)
‎Dec 05, 2025 10:34 AM
‎Dec 05, 2025 10:34 AM

Antonio,

 

I don't believe there's a list, but you can start by looking at infoenginejars.xml and windchill3rdPartyJars.xml in Windchill/srclib to see what 3rd party libraries are used. These build ie3rdpartylibs.jar and wc3rdpartylibs.jar in Windchill/codebase/WEB-INF/lib

Notify Moderator
tarik_p
14-Alexandrite
14-Alexandrite
(To:avillanueva)
‎Dec 05, 2025 08:08 PM
‎Dec 05, 2025 08:08 PM

@avillanueva  Let me discuss this topic from different aspects. This depends on the reason behind scanning those third-party libraries.

 

For Security Aspect

If it's for security, then PTC always tracks vulnerabilities and publishes any information in the eSupport Portal, you can configure your PTC newsletters to receive such type of information periodically to take immediate actions; this is among the reasons why CPS application updates and upgrades are important.

 

To avoid adding additional third-party or extra frameworks

Developers should not add any additional packages for many reasons(duplications, reduce security concerns, stay consistent with what the software is already using) - even if they don't know if the library exists or not in Windchill, they can rely on a concept kwell-nown in Software Engineering introduced by spring Framework (IOC container), which consists of using the imports coming from the specification not the implementation, see  Article - CS335322 - Which JPA implementation is used in Windchill PDMLink the dependency container will map them to the implementation used by the solution, because official Java APIs are only specifications (interfaces), and providers implement them through concrete classes, and for sure Windchill uses concrete implementations for the majority of Java interfaces.

 

List of Third-party packages

The list you are looking for was part of the Release Advisor but it's no longer the case, see Article - CS371035 - Development Software section listing third-party Jars and libraries is no longer available in the Software Matrices/Release Advisor in Windchill PDMLink

 

How Windchill is managing third-party packages

The way Windchill is managing third-party packages does not look so simple, they are dispersed in different folders, also because Windchill is a modular solution, maybe there are some packages only used with certain modules, but I don't believe PTC R&D will systematically include them unless if the module(that relies on them) is installed, so what I would like to say is that this list is dynamic.

 

Of course, we know how much the order of declarations matters; otherwise, it would be a nightmare since some dependencies rely on others, this is a known aspect in Java and Spring. 

 

What Windchill is using

Looks like you are looking for the pom.xml file, but as far as I know Windchill is not using Maven, it uses Apache Ant to automate tasks, the package wt.pom.sql is Windchill-specific and has nothing to do with Maven. Actually, Windchill uses many of its own libraries, the reason is that historically Windchill was developed when Java was also evolving, for instance, the ORM of Windchill is not JPA compliant; it has its own ORM called Persistence Management, Windchill is using directy Spring Core (IOC Container) but I believe only for the client architecture(JCA) since it has its own Service Delegate Mechanism, see more in this post: Solved: Re: What stack is Windchill running? - PTC Community

 

What @jbraga suggested is the right way to dig in and track dependencies and their order declarations.

 

Reference

Article - CS366061 - [Knowledge Hub] Windchill PLM - Third-Party Libraries and Jars

 

Related threads:

 

Re: Windchill Java development using Apache Maven - PTC Community

Solved: Re: Is there a list of the 3rd party software bund... - PTC Community

 

best regards and happy new year!

Tarik Wifak.

 

tarik_p_0-1764982483084.png

 

 

Notify Moderator
avillanueva
23-Emerald I
23-Emerald I
(To:tarik_p)
‎Dec 08, 2025 07:42 AM
‎Dec 08, 2025 07:42 AM

The reason was a simply one. To create a SBOM and provide information for gitlab dependency scanners to do what they do.  You have given a very detailed response and thank you for your time on this. Lots to go through.

Notify Moderator
Announcements
Contact Community Management
Top Tags