anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
5.93k stars, 545 forks

Add support for java "nar" files #1701

Closed ZENinjaneer closed 1 year ago

ZENinjaneer commented 1 year ago

https://github.com/anchore/syft/blob/b20310eaf847c259beb4fe5128c842bd8aa4d4fc/syft/pkg/cataloger/java/archive_filename.go#L111

Could you please add "nar" to this case statement so it can support grype scanning NiFi nars?

wagoodman commented 1 year ago

Curious! Is a nar just a jar? That is, is it the same metadata (like with war, ear, etc.) just with a different name? Or is there more metadata to parse?

ZENinjaneer commented 1 year ago

A nar is basically a shaded jar. It's very similar to a WAR but instead of a WEB-INF the root is META-INF (like in a JAR). Under the META-INF there are other text files that essentially have to do with licensing. A short and sweet overview can be found here: https://medium.com/hashmapinc/nifi-nar-files-explained-14113f7796fd

tgerla commented 1 year ago

Thanks for the details! I think this would be a reasonable addition to the list of archive filenames. We will add this to our backlog but please let us know if you want to submit a pull request yourself--we can help you through the process if you need.

We think the only things that need to change are a new glob for .nar files here:

https://github.com/anchore/syft/blob/b20310eaf847c259beb4fe5128c842bd8aa4d4fc/syft/pkg/cataloger/java/archive_parser.go#L22

And in the list here:

https://github.com/anchore/syft/blob/b20310eaf847c259beb4fe5128c842bd8aa4d4fc/syft/pkg/cataloger/java/archive_filename.go#L111
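To make the two points in this thread concrete (a NAR is a JAR-style zip with a `META-INF` root, and supporting it comes down to matching one more filename extension), here is a small stand-alone Go program. It is an added example for this issue, not syft's own cataloger code: the extension list, the `isJavaArchive` / `archiveManifest` helpers and the in-memory sample archive are all constructed here, and the manifest keys used (`Implementation-Title`, `Implementation-Version`, `Implementation-Vendor`) are standard JAR manifest attributes rather than anything NiFi-specific.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// javaArchiveExtensions is an illustrative list of archive suffixes treated
// as Java archives. ".nar" is the addition this issue asks for; the rest are
// the familiar JAR-family names. This is not syft's own table.
var javaArchiveExtensions = []string{".jar", ".war", ".ear", ".par", ".sar", ".nar"}

// isJavaArchive reports whether a filename (or path) ends in one of the
// recognized Java archive extensions, case-insensitively.
func isJavaArchive(name string) bool {
	ext := strings.ToLower(filepath.Ext(name))
	for _, e := range javaArchiveExtensions {
		if ext == e {
			return true
		}
	}
	return false
}

// parseManifest parses a META-INF/MANIFEST.MF body into key/value pairs.
// Per the JAR manifest format, a line starting with a single space is a
// continuation of the previous value and is appended with the space removed.
func parseManifest(r io.Reader) map[string]string {
	out := map[string]string{}
	var lastKey string
	sc := bufio.NewScanner(r) // ScanLines drops a trailing \r, so CRLF is fine
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, " ") && lastKey != "" {
			out[lastKey] += line[1:]
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue // not a "Name: value" line; ignore it
		}
		lastKey = strings.TrimSpace(k)
		out[lastKey] = strings.TrimLeft(v, " ")
	}
	return out
}

// archiveManifest opens a zip-formatted archive held in memory and returns
// the parsed META-INF/MANIFEST.MF, or an error if the entry is missing or
// the bytes are not a zip at all.
func archiveManifest(data []byte) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		if f.Name != "META-INF/MANIFEST.MF" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		defer rc.Close()
		return parseManifest(rc), nil
	}
	return nil, fmt.Errorf("no META-INF/MANIFEST.MF in archive")
}

// buildSampleNar constructs an in-memory NAR-like zip whose root holds
// META-INF, mirroring the layout described in the issue. Every entry and
// value here is made up for the example.
func buildSampleNar() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("META-INF/MANIFEST.MF")
	io.WriteString(w, "Manifest-Version: 1.0\r\n"+
		"Implementation-Title: example-processor\r\n"+
		"Implementation-Version: 1.2.3\r\n"+
		"Implementation-Vendor: Example Organization Long Na\r\n me Inc\r\n")
	w, _ = zw.Create("META-INF/LICENSE")
	io.WriteString(w, "constructed placeholder license text\n")
	zw.Close()
	return buf.Bytes()
}

func main() {
	name := "example-processor-1.2.3.nar"
	fmt.Println(name, "is a Java archive:", isJavaArchive(name))
	m, err := archiveManifest(buildSampleNar())
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"Implementation-Title", "Implementation-Version", "Implementation-Vendor"} {
		fmt.Printf("%s = %s\n", k, m[k])
	}
}
```

Running it shows the `.nar` filename passing the extension check and the manifest attributes being read out of the `META-INF` entry exactly as they would be from a `.jar`, including a wrapped vendor value joined across its continuation line; nothing about the archive format itself changes, only the filename match.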

shanedell commented 1 year ago

@tgerla Could I tackle this? If @ZENinjaneer doesn't plan to, of course.

wagoodman commented 1 year ago

@Shanedell have at it!