SBOM generated for JAR doesn't parse all pom.xml
gobiltd opened this issue
What happened:
SBOM generation is not analyzing all pom.xml files inside the jar.
What you expected to happen:
Syft should parse all pom.xml files inside the jar and list them in the SBOM.
Steps to reproduce the issue:
Step 1: Download artifact from maven for input
Downloaded the launcher-common-20.3.11.jar from maven.
https://repo1.maven.org/maven2/org/graalvm/sdk/launcher-common/20.3.11/launcher-common-20.3.11.jar
Step 2: Generate SBOM
syft /launcher-common-maven/launcher-common-20.3.11.jar -o syft-json=syft_bom_test.json
✔ Indexed file system /launcher-common-maven
✔ Cataloged contents f6d89c85583b2334db1f57530d05fe44f33a5eb8175cccd3dcdcff9dc16efe9b
├── ✔ Packages [0 packages]
└── ✔ Executables [0 executables]
A newer version of syft is available for download: 1.4.1 (installed version is 1.1.1)
Anything else we need to know?:
If we extract the launcher-common-20.3.11.jar, we can find multiple pom.xml files at the paths below.
./META-INF/maven/jline/jline/pom.xml
./META-INF/maven/org.jline/jline-reader/pom.xml
./META-INF/maven/org.jline/jline/pom.xml
./META-INF/maven/org.jline/jline-terminal-jna/pom.xml
./META-INF/maven/org.jline/graalvm-feature/pom.xml
./META-INF/maven/org.jline/jline-style/pom.xml
./META-INF/maven/org.jline/jline-remote-ssh/pom.xml
./META-INF/maven/org.jline/jline-remote-telnet/pom.xml
./META-INF/maven/org.jline/jline-builtins/pom.xml
./META-INF/maven/org.jline/jline-terminal/pom.xml
./META-INF/maven/org.jline/jline-terminal-jansi/pom.xml
These are not listed in the SBOM.
Environment:
Output of syft version:
Application: syft
Version: 1.1.1
BuildDate: 2024-04-04T14:52:45Z
GitCommit: 1e31356
GitDescription: v1.1.1
Platform: linux/amd64
GoVersion: go1.21.8
Compiler: gc
OS (e.g: cat /etc/os-release or similar):
NAME="Oracle Linux Server"
VERSION="7.9"
Hi @gobiltd, thanks for the report. I've taken a look and the reason why we don't analyze this jar file is because it has no META-INF/MANIFEST.MF, which is an important piece of metadata for us to determine the main package name and version. I am not a Java expert and I don't know the build process that generates the launcher-common jar so I can't tell you why it is missing the MANIFEST.MF, but I can tell you that's why Syft is not finding packages. Do you control the build of this jar, or is it from upstream?
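For anyone triaging jars like this one, the following is an added example (not Syft's code and not part of this thread) that shows what the comment above describes: it checks whether an archive carries META-INF/MANIFEST.MF and, independently of that, walks every META-INF/maven/<groupId>/<artifactId>/pom.xml entry and pulls out the Maven coordinates, falling back to the <parent> block when a POM inherits groupId or version. The jar it inspects is constructed in memory for the demonstration; its artifact names mirror the paths listed in the issue, but the versions are placeholders, not the real jline or GraalVM versions.

```python
"""Inventory of Maven metadata embedded in a jar (added example, not Syft code).

Reports whether META-INF/MANIFEST.MF is present and lists the coordinates of
every META-INF/maven/*/*/pom.xml entry, so a jar that an SBOM tool skipped
for lack of a manifest can still be cross-checked by hand.
"""
import io
import zipfile
# NOTE: for jars from untrusted sources, prefer defusedxml.ElementTree here.
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _text(elem, tag):
    """Text of child <tag> under elem; tolerates namespaced and bare POMs."""
    if elem is None:
        return None
    child = elem.find(POM_NS + tag)
    if child is None:
        child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def parse_pom(data: bytes) -> dict:
    """Extract groupId/artifactId/version from pom.xml bytes.

    groupId and version are inherited from <parent> when the POM omits them,
    which is the normal Maven resolution rule for multi-module builds.
    """
    root = ET.fromstring(data)
    parent = root.find(POM_NS + "parent")
    if parent is None:
        parent = root.find("parent")
    return {
        "groupId": _text(root, "groupId") or _text(parent, "groupId"),
        "artifactId": _text(root, "artifactId"),
        "version": _text(root, "version") or _text(parent, "version"),
    }


def inventory_jar(jar_bytes: bytes) -> dict:
    """Return {'has_manifest': bool, 'poms': [coords + path, ...]} for a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        poms = []
        for name in sorted(names):
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                coords = parse_pom(zf.read(name))
                coords["path"] = name
                poms.append(coords)
    return {"has_manifest": "META-INF/MANIFEST.MF" in names, "poms": poms}


# Constructed sample POMs; versions are placeholders, not real releases.
_POM_JLINE = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>jline</groupId>
  <artifactId>jline</artifactId>
  <version>1.0.0-EXAMPLE</version>
</project>"""

_POM_READER = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.jline</groupId>
    <artifactId>jline-parent</artifactId>
    <version>2.0.0-EXAMPLE</version>
  </parent>
  <artifactId>jline-reader</artifactId>
</project>"""


def build_sample_jar(with_manifest: bool = False) -> bytes:
    """Build an in-memory jar (constructed test input) with two shaded POMs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/jline/jline/pom.xml", _POM_JLINE)
        zf.writestr("META-INF/maven/org.jline/jline-reader/pom.xml", _POM_READER)
        zf.writestr("org/example/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    inv = inventory_jar(build_sample_jar())
    print("MANIFEST.MF present:", inv["has_manifest"])
    for p in inv["poms"]:
        print(f"{p['groupId']}:{p['artifactId']}:{p['version']}  ({p['path']})")
```

Running this against a real jar means replacing build_sample_jar() with the file's bytes (open(path, "rb").read()); a jar that reports no manifest but several POM entries is exactly the shape described in this issue, and the printed coordinates are what one would expect to see as packages in the SBOM.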
@tgerla I don't have any control over this jar; it's part of upstream.
Also noticed a similar issue in the jar below as well.
https://repo1.maven.org/maven2/org/graalvm/tools/chromeinspector/21.3.1/chromeinspector-21.3.1.jar