Open sithmein opened 2 months ago
@gdams - I think you and tianon were looking at this space recently
I have a feeling that https://github.com/anchore/syft/pull/3217 might help here. It appears to add detection support for Temurin to Syft, which can be used to generate an SBOM.
Jep, syft is indeed able to detect the JRE (even if it is added as Oracle). However, we have to use trivy because it adds metadata that is required for subsequent vulnerability scanning with trivy. I'll try to make the trivy developers aware of this problem. https://github.com/aquasecurity/trivy/discussions/7499
Please add the exact image (with tag) that you are using
eclipse-temurin:17-jre-alpine
Please add the version of Docker you are running
24.0.5
What happened?
We are using eclipse-temurin:17-jre-alpine as the base for many images. We are creating SBOMs (CycloneDX) for all our images using trivy. We discovered that these SBOMs do not include the JRE (but all other APKs from the base image). The reason is likely that the JRE is not installed as an APK but extracted from a tar archive. The question I have is whether you are aware of any SBOM creators that can still detect the JRE. Or are there any plans for providing a complete SBOM for the Docker image which we can then merge with our additions?
Relevant log output
No response
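The check and the merge the issue asks about, as an added example that is not code from this thread, from trivy, syft or the Temurin project: parse a CycloneDX SBOM, flag whether any Java runtime component is listed at all, and union a hand-maintained component for the tarball-installed JRE into the scanner-generated image SBOM. Both SBOM documents below are constructed (APK versions made up), and the `pkg:generic/temurin-jre@17` purl is an assumed placeholder, not an identifier any scanner is known to emit.

```python
import json
import re

# Name patterns that identify a Java runtime component in an SBOM.
JRE_NAME_RE = re.compile(r"(temurin|openjdk|jre|jdk)", re.IGNORECASE)

# Constructed sample of a trivy-style CycloneDX SBOM for an Alpine image:
# only APK packages appear; the JRE is absent because it was unpacked from
# a tarball rather than installed as an APK. Versions are made up.
TRIVY_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "musl", "version": "1.2.4-r2",
     "purl": "pkg:apk/alpine/musl@1.2.4-r2", "bom-ref": "pkg:apk/alpine/musl@1.2.4-r2"},
    {"type": "library", "name": "zlib", "version": "1.3-r0",
     "purl": "pkg:apk/alpine/zlib@1.3-r0", "bom-ref": "pkg:apk/alpine/zlib@1.3-r0"}
  ]
}
"""

# Constructed "addition" SBOM that an image maintainer keeps by hand for the
# tarball-installed JRE. The purl is an assumed placeholder, not an
# identifier that trivy or syft is known to emit.
JRE_ADDITION_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "temurin-jre", "version": "17",
     "purl": "pkg:generic/temurin-jre@17", "bom-ref": "pkg:generic/temurin-jre@17"}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    sbom.setdefault("components", [])
    return sbom


def component_key(comp: dict) -> str:
    """Identity used for de-duplication: bom-ref, then purl, then name@version."""
    return comp.get("bom-ref") or comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"


def jre_components(sbom: dict) -> list:
    """Return the components whose name or purl looks like a Java runtime."""
    return [
        c for c in sbom["components"]
        if JRE_NAME_RE.search(c.get("name", "") + " " + c.get("purl", ""))
    ]


def has_jre(sbom: dict) -> bool:
    """True when the SBOM lists at least one Java runtime component."""
    return bool(jre_components(sbom))


def merge_sboms(base: dict, addition: dict) -> dict:
    """Union the components of two SBOMs without mutating either input.

    Components already present in `base` (same key) are kept as they are,
    so applying the same addition twice is idempotent.
    """
    merged = json.loads(json.dumps(base))  # deep copy via JSON round-trip
    seen = {component_key(c) for c in merged["components"]}
    for comp in addition["components"]:
        key = component_key(comp)
        if key not in seen:
            merged["components"].append(dict(comp))
            seen.add(key)
    return merged


def coverage_report(sbom: dict) -> str:
    """One-line verdict on whether the JRE made it into the SBOM."""
    found = jre_components(sbom)
    if not found:
        return "JRE MISSING: no Java runtime component in SBOM"
    names = ", ".join(f"{c['name']}@{c.get('version', '?')}" for c in found)
    return f"JRE present: {names}"


if __name__ == "__main__":
    base = load_sbom(TRIVY_SBOM_JSON)
    print("scanner SBOM:", coverage_report(base))
    merged = merge_sboms(base, load_sbom(JRE_ADDITION_JSON))
    print("merged SBOM: ", coverage_report(merged))
    print(json.dumps(merged, indent=2))
```

Running the script prints a "JRE MISSING" verdict for the scanner-style document and "JRE present" after the merge. The `coverage_report` check is the part worth wiring into a pipeline: it catches the silent gap the issue describes, where every APK is listed but the component that actually carries the Java CVEs is not, regardless of which scanner produced the document.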