adoptium / containers

Repo containing the dockerfiles and scripts to produce the official eclipse-temurin containers.
https://hub.docker.com/_/eclipse-temurin/
Apache License 2.0

[Bug]: Java package not recognized by SBOM creators #646

Open sithmein opened 2 months ago

sithmein commented 2 months ago

Please add the exact image (with tag) that you are using

eclipse-temurin:17-jre-alpine

Please add the version of Docker you are running

24.0.5

What happened?

We are using eclipse-temurin:17-jre-alpine as base for many images. We are creating SBOMs (CycloneDX) for all our images using trivy. We discovered that these SBOMs do not include the JRE (but all other APKs from the base image). The reason is likely that the JRE is not installed as an APK but extracted from a Tar archive. The question I have is whether you are aware of any SBOM creators that can still detect the JRE. Or are there any plans for providing a complete SBOM for the Docker image which we can then merge with our additions?

Relevant log output

No response
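The gap described above (the JRE is unpacked from a tarball, so no package-database entry exists for an SBOM generator to find) can be closed on the consumer side by merging a hand-built component into the scanner's CycloneDX output. The script below is an added example, not code from the adoptium/containers repository or from trivy: it parses the `release` file that a JDK ships at `$JAVA_HOME/release` (field names follow that file; the sample values and the sample SBOM are constructed) and appends a component for the JRE. The `pkg:generic/eclipse-temurin@...` purl, the `eclipse-temurin` component name and the property names are assumptions made for the example, since no package-manager purl type exists for a tar-installed Temurin build.

```python
"""Add a tar-installed Temurin JRE to a CycloneDX SBOM that a scanner missed.

Added example, not project code. Assumes the JDK `release` file format
(KEY="value" lines) and invents the purl/name used for the JRE component.
"""
import json
import re
import sys

# Constructed sample of $JAVA_HOME/release as shipped in a Temurin image.
# Keys are the real release-file keys; the values here are made up for the demo.
SAMPLE_RELEASE = """\
IMPLEMENTOR="Eclipse Adoptium"
IMPLEMENTOR_VERSION="Temurin-17.0.12+7"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
OS_ARCH="x86_64"
OS_NAME="Linux"
"""

# Constructed sample of a CycloneDX 1.5 JSON SBOM for the alpine base layer:
# apk packages are listed, the JRE is not (the situation the issue reports).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "musl",
            "version": "1.2.4-r2",
            "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64&distro=3.18.4",
        },
    ],
}

_RELEASE_LINE = re.compile(r'^([A-Z_]+)="(.*)"$')


def parse_release(text):
    """Parse KEY="value" lines of a JDK release file into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _RELEASE_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def jre_component(release, java_home="/opt/java/openjdk"):
    """Build a CycloneDX component describing the JRE in `release`.

    The purl shape (pkg:generic/eclipse-temurin@JAVA_VERSION) is an assumption
    for this example; the full build string is kept as a property.
    """
    version = release["JAVA_VERSION"]
    props = [
        {"name": "install-path", "value": java_home},
        {"name": "install-method", "value": "tarball"},
    ]
    for key in ("IMPLEMENTOR_VERSION", "JAVA_RUNTIME_VERSION", "OS_ARCH"):
        if key in release:
            props.append({"name": key.lower(), "value": release[key]})
    return {
        "type": "library",
        "name": "eclipse-temurin",
        "version": version,
        "purl": f"pkg:generic/eclipse-temurin@{version}",
        "supplier": {"name": release.get("IMPLEMENTOR", "unknown")},
        "properties": props,
    }


def merge_component(sbom, component):
    """Return a copy of `sbom` with `component` added unless its purl exists.

    The BOM-level `version` is bumped because the document content changed.
    """
    merged = json.loads(json.dumps(sbom))  # deep copy; leave the input alone
    comps = merged.setdefault("components", [])
    if any(c.get("purl") == component["purl"] for c in comps):
        return merged
    comps.append(component)
    merged["version"] = merged.get("version", 0) + 1
    return merged


def build_merged_sbom(sbom, release_text, java_home="/opt/java/openjdk"):
    """Convenience wrapper: release file text + scanner SBOM -> merged SBOM."""
    return merge_component(sbom, jre_component(parse_release(release_text), java_home))


if __name__ == "__main__":
    # Usage: python merge_jre.py <trivy-cyclonedx.json> <path-to-release-file> > merged.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            scanner_sbom = json.load(f)
        with open(sys.argv[2]) as f:
            release_text = f.read()
    else:
        scanner_sbom, release_text = SAMPLE_SBOM, SAMPLE_RELEASE
    json.dump(build_merged_sbom(scanner_sbom, release_text), sys.stdout, indent=2)
```

One caveat: this restores the JRE to the inventory, but a `generic` purl gives a vulnerability scanner nothing to match against its advisory database, so the merged SBOM documents what is installed without making trivy report JRE CVEs; that matching is exactly the scanner-side detection the thread is asking for.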

karianna commented 2 months ago

@gdams - I think you and tianon were looking at this space recently

gdams commented 2 months ago

I have a feeling that https://github.com/anchore/syft/pull/3217 might help here. It appears to add detection support for Temurin to Syft, which can be used to generate an SBOM.

sithmein commented 2 months ago

Yep, syft is indeed able to detect the JRE (even if it is added as Oracle). However, we have to use trivy because it adds metadata that is required for subsequent vulnerability scanning with trivy. I'll try to make the trivy developers aware of this problem: https://github.com/aquasecurity/trivy/discussions/7499