karianna
commented
2 months ago @gdams - I think you and tianon were looking at this space recently
Open sithmein opened 2 months ago
karianna
commented
2 months ago @gdams - I think you and tianon were looking at this space recently
gdams
commented
1 month ago I have a feeling that https://github.com/anchore/syft/pull/3217 might help here, It appears to add detection support for Temurin to Syft which can be used to generate an SBOM
sithmein
commented
1 month ago Jep, syft is indeed able to detect the JRE (even if it is added as Oracle). However, we have to use trivy because it adds metadata that is required for subsequent vulnerability scanning with trivy. I'll try to make the trivy developers aware of this problem. https://github.com/aquasecurity/trivy/discussions/7499
Please add the exact image (with tag) that you are using
eclipse-temurin:17-jre-alpine
Please add the version of Docker you are running
24.0.5
What happened?
We are using
eclipse-temurin:17-jre-alpineas base for many images. We are creating SBOMs (CycloneDX) for all our images using trivy. We discovered that these SBOMs do not include the JRE (but all other APKs from the base image). The reason is likely that the JRE is not installed as an APK but extracted from a Tar archive. The question I have is whether you are aware of any SBOM creators that can still detect the JRE. Or are there any plans for providing a complete SBOM for the Docker image which we can then merge with our additions?Relevant log output
No response