anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

SBOM generated for JAR doesn't parse all pom.xml files

gobiltd opened this issue · comments

What happened:

SBOM generation is not analyzing all pom.xml files inside the jar.

What you expected to happen:

Syft should parse all pom.xml files inside the jar and list them in the SBOM.

Steps to reproduce the issue:

Step 1: Download artifact from maven for input
Downloaded the launcher-common-20.3.11.jar from maven.
https://repo1.maven.org/maven2/org/graalvm/sdk/launcher-common/20.3.11/launcher-common-20.3.11.jar

Step 2: Generate SBOM
syft /launcher-common-maven/launcher-common-20.3.11.jar -o syft-json=syft_bom_test.json
✔ Indexed file system /launcher-common-maven
✔ Cataloged contents f6d89c85583b2334db1f57530d05fe44f33a5eb8175cccd3dcdcff9dc16efe9b
├── ✔ Packages [0 packages]
└── ✔ Executables [0 executables]
A newer version of syft is available for download: 1.4.1 (installed version is 1.1.1)

Anything else we need to know?:
If we extract launcher-common-20.3.11.jar, we can find multiple pom.xml files at the paths below.
./META-INF/maven/jline/jline/pom.xml
./META-INF/maven/org.jline/jline-reader/pom.xml
./META-INF/maven/org.jline/jline/pom.xml
./META-INF/maven/org.jline/jline-terminal-jna/pom.xml
./META-INF/maven/org.jline/graalvm-feature/pom.xml
./META-INF/maven/org.jline/jline-style/pom.xml
./META-INF/maven/org.jline/jline-remote-ssh/pom.xml
./META-INF/maven/org.jline/jline-remote-telnet/pom.xml
./META-INF/maven/org.jline/jline-builtins/pom.xml
./META-INF/maven/org.jline/jline-terminal/pom.xml
./META-INF/maven/org.jline/jline-terminal-jansi/pom.xml

These are not listed in the SBOM.

Environment:

  • Output of syft version:
    Application: syft
    Version: 1.1.1
    BuildDate: 2024-04-04T14:52:45Z
    GitCommit: 1e31356
    GitDescription: v1.1.1
    Platform: linux/amd64
    GoVersion: go1.21.8
    Compiler: gc

  • OS (e.g: cat /etc/os-release or similar):
    NAME="Oracle Linux Server"
    VERSION="7.9"

Hi @gobiltd, thanks for the report. I've taken a look, and the reason we don't analyze this jar file is that it has no META-INF/MANIFEST.MF, which is an important piece of metadata for us to determine the main package name and version. I am not a Java expert and I don't know the build process that generates the launcher-common jar, so I can't tell you why it is missing the MANIFEST.MF, but I can tell you that's why Syft is not finding packages. Do you control the build of this jar, or is it from upstream?
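An added example, not part of the issue thread and not Syft's own code: a small Python triage script that opens a JAR in memory, reports whether META-INF/MANIFEST.MF is present, and enumerates the nested pom.xml files under META-INF/maven/, resolving groupId and version through the <parent> element the way Maven does. The sample JAR it builds, the module layout and the version numbers in it are constructed for the example and do not claim to match the real launcher-common artifact.

```python
"""Triage a JAR that Syft catalogs as "0 packages": is META-INF/MANIFEST.MF
present, and which nested Maven modules are still recoverable from the
pom.xml files shaded into META-INF/maven/?"""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "META-INF/MANIFEST.MF"
POM_PREFIX = "META-INF/maven/"


def _strip_ns(tag):
    # "{http://maven.apache.org/POM/4.0.0}groupId" -> "groupId"
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    if elem is None:
        return None
    for child in elem:
        if _strip_ns(child.tag) == name:
            return (child.text or "").strip() or None
    return None


def parse_pom(xml_bytes):
    """Return (groupId, artifactId, version) from a pom.xml.

    groupId and version may be inherited from <parent>; artifactId never is.
    Works with and without the POM XML namespace."""
    root = ET.fromstring(xml_bytes)
    parent = next((c for c in root if _strip_ns(c.tag) == "parent"), None)
    group = _child_text(root, "groupId") or _child_text(parent, "groupId")
    artifact = _child_text(root, "artifactId")
    version = _child_text(root, "version") or _child_text(parent, "version")
    return group, artifact, version


def triage_jar(jar_bytes):
    """Inspect a JAR (a zip) held in memory.

    Returns {"has_manifest": bool, "modules": [{"path", "purl"}, ...]} where
    purl is the pkg:maven identifier built from the pom coordinates, or None
    if any coordinate is missing."""
    modules = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith(POM_PREFIX) and name.endswith("/pom.xml"):
                group, artifact, version = parse_pom(zf.read(name))
                purl = None
                if group and artifact and version:
                    purl = f"pkg:maven/{group}/{artifact}@{version}"
                modules.append({"path": name, "purl": purl})
        return {"has_manifest": MANIFEST in names, "modules": modules}


def build_sample_jar(with_manifest):
    """Constructed sample (hypothetical contents): a JAR that shades two
    jline modules, optionally with no MANIFEST.MF, mimicking the failure mode
    in this issue. The version numbers are illustrative, not real metadata."""
    pom_inherits = b"""<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.jline</groupId>
    <artifactId>jline-parent</artifactId>
    <version>3.16.0</version>
  </parent>
  <artifactId>jline-terminal</artifactId>
</project>"""
    pom_plain = b"""<project>
  <groupId>jline</groupId>
  <artifactId>jline</artifactId>
  <version>2.14.6</version>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/maven/org.jline/jline-terminal/pom.xml", pom_inherits)
        zf.writestr("META-INF/maven/jline/jline/pom.xml", pom_plain)
        zf.writestr("org/jline/Terminal.class", b"\xca\xfe\xba\xbe")  # class magic only
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_jar(build_sample_jar(with_manifest=flag)))
```

To run it against a real artifact, pass `open(path, "rb").read()` to `triage_jar`. The point of the check is to separate the two questions the issue conflates: whether the JAR carries the manifest Syft uses to identify the top-level package, and whether the shaded module poms are intact. The nested poms give you purls for the bundled modules, but they are not a substitute for a full SBOM: they say nothing about the top-level artifact's own identity, and a pom's <dependencies> are declared, not necessarily bundled.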

@tgerla I don't have any control over this jar; it's part of upstream.

Also noticed a similar issue in the jar below.
https://repo1.maven.org/maven2/org/graalvm/tools/chromeinspector/21.3.1/chromeinspector-21.3.1.jar