anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.23k stars, 574 forks

Java pom.xml, no version #2266

Closed bj1116 closed 11 months ago

bj1116 commented 1 year ago

Java pom.xml, no version. Example: pom.xml [image]

syft.exe xxx/ [image]

tgerla commented 1 year ago

Hi @bj1116, can you share more information about your environment, what version of Syft you are running, and can you please share the steps and files so that we can reproduce this problem locally? Thanks!

coheigea commented 1 year ago

Please attach the pom.xml file

DarkAtra commented 11 months ago

@tgerla @coheigea I'm currently running into the same issue with this project.

The project builds a docker image via the spring boot maven plugin, which internally uses paketo buildpacks and they on the other hand rely on syft to generate the SBOM. For the most recent build syft 0.94.0 was used.

This is the SBOM entry that was generated for the spring-boot-starter-web dependency:

{
 "id": "4bb281bc258e5bed",
 "name": "spring-boot-starter-web",
 "version": "",
 "type": "java-archive",
 "foundBy": "java-pom-cataloger",
 "locations": [
  {
   "path": "/META-INF/maven/de.idealo.security/spring-endpoint-exporter/pom.xml",
   "annotations": {
    "evidence": "primary"
   }
  }
 ],
 "licenses": [],
 "language": "java",
 "cpes": [
  "cpe:2.3:a:spring-boot-starter-web:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter-web:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter_web:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter_web:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot-starter:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot_starter:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:springframework:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:springframework:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring-boot:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring_boot:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:spring:spring_boot_starter_web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:boot:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:boot:spring_boot_starter_web:*:*:*:*:*:*:*:*"
 ],
 "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
 "metadataType": "JavaMetadata",
 "metadata": {
  "virtualPath": "",
  "pomProperties": {
   "path": "",
   "name": "",
   "groupId": "org.springframework.boot",
   "artifactId": "spring-boot-starter-web",
   "version": ""
  }
 }
}

and this is the pom used in that build: https://github.com/idealo/spring-endpoint-exporter

Note that the project is relying on the spring-boot-starter-parent to manage all versions for spring related dependencies. The expected version for the web starter would be 3.2.0.

You should be able to reproduce the result by:

  1. Cloning the repository: https://github.com/idealo/spring-endpoint-exporter
  2. Building the docker image locally via: ./mvnw -B -ntp spring-boot:build-image
  3. Inspecting the resulting docker image's SBOM: /layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json

You could also just inspect the pre-built docker image that's hosted on github.

See also: https://github.com/paketo-buildpacks/spring-boot/issues/421
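A check for the failure mode described above, added here as an example and not code from the thread or from syft: it reads either syft's own JSON output (top-level `artifacts`, as produced by `-o json`) or a CycloneDX document such as the `sbom.cdx.json` mentioned in the reproduction steps, and lists every component whose version is blank in any of the places a vulnerability matcher reads it (the version field, the `@version` of the purl, the version position of the CPE). The two sample documents are constructed, modelled on the entry quoted in the comment; the `org.example` coordinates and their versions are invented.

```python
import json

# Constructed samples (not real SBOMs): one syft-json and one CycloneDX document,
# each with a version-less Spring starter beside a normally versioned artifact.
SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "spring-boot-starter-web", "version": "", "type": "java-archive",
         "foundBy": "java-pom-cataloger",
         "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
         "cpes": ["cpe:2.3:a:springframework:spring-boot-starter-web:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:spring-boot:spring-boot-starter-web:*:*:*:*:*:*:*:*"]},
        {"name": "pinned-lib", "version": "1.4.2", "type": "java-archive",   # invented
         "foundBy": "java-archive-cataloger",
         "purl": "pkg:maven/org.example/pinned-lib@1.4.2",
         "cpes": ["cpe:2.3:a:example:pinned-lib:1.4.2:*:*:*:*:*:*:*"]},
    ]
})
CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "group": "org.springframework.boot",
         "name": "spring-boot-starter-web",
         "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web"},
        {"type": "library", "group": "org.example", "name": "pinned-lib",   # invented
         "version": "1.4.2", "purl": "pkg:maven/org.example/pinned-lib@1.4.2"},
    ]
})


def _components(doc):
    """Component list for both layouts: syft-json uses 'artifacts', CycloneDX 'components'."""
    if "artifacts" in doc:
        return doc["artifacts"]
    return doc.get("components", [])


def _purl_version(purl):
    """Version part of pkg:type/namespace/name@version?qualifiers#subpath, or ''."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    return body.rsplit("@", 1)[1] if "@" in body else ""


def _cpe_version(cpe):
    """Version field of a cpe:2.3 string (index 5 after splitting on ':')."""
    parts = cpe.split(":")
    return parts[5] if len(parts) > 5 else "*"


def unversioned_components(sbom_text):
    """Return [(identifier, reasons)] for every component whose version is missing
    in any form a matcher would consume. A component that passes all three checks
    is omitted; one that fails any is reported with every failing check listed."""
    doc = json.loads(sbom_text)
    findings = []
    for comp in _components(doc):
        ident = comp.get("purl") or comp.get("name", "?")
        reasons = []
        if not comp.get("version"):
            reasons.append("empty version")
        if comp.get("purl") and not _purl_version(comp["purl"]):
            reasons.append("purl has no @version")
        # syft-json carries a 'cpes' list, CycloneDX a single optional 'cpe'
        cpes = comp.get("cpes") or ([comp["cpe"]] if comp.get("cpe") else [])
        if cpes and all(_cpe_version(c) == "*" for c in cpes):
            reasons.append("all CPEs have wildcard version")
        if reasons:
            findings.append((ident, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, text in (("syft-json", SYFT_JSON), ("cyclonedx", CDX_JSON)):
        for ident, why in unversioned_components(text):
            print(f"{label}: {ident}: {why}")
```

Run it over the SBOM the buildpack produced and every line it prints is a component that a CPE- or purl-based scanner will silently skip, which is the practical cost of the blank version in the entry above.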

coheigea commented 11 months ago

Ah yes there is a gap here when a dependency version is declared in a parent pom. I'll take a look at it.

coheigea commented 11 months ago

Fix submitted here: https://github.com/anchore/syft/pull/2423

It needs the configuration:

java:
   # when running across pom.xml files that could have more information, syft will
   # explicitly search maven for license information by querying the online pom when this is true eg:
   # https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-test/3.1.5/spring-boot-starter-test-3.1.5.pom
   # this option is helpful for when the parent pom has this information,
   # but it is not accessible from within the final built artifact
   maven-url: "https://repo1.maven.org/maven2"
   max-parent-recursive-depth: 8
   use-network: true
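What a parent-pom lookup of the kind the configuration above enables has to do, shown as an added illustration rather than the code in the linked PR: walk the `<parent>` chain, stop after `max-parent-recursive-depth` parents, collect `<dependencyManagement>` entries and `<properties>` with the nearest pom winning, and expand `${project.version}` and `${property}` references. The poms below are constructed stand-ins modelled on a Spring Boot application; the in-memory `REPO` dict replaces the fetch from `maven-url`, the `org.example` coordinates and the `example-lib.version` property are invented, and only the `spring-boot-starter-web` coordinate and the 3.2.0 version come from the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed poms standing in for what syft would fetch from <maven-url>.
# org.example coordinates and property values are invented for the example.
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>3.2.0</version></parent>
  <groupId>org.example</groupId><artifactId>demo-app</artifactId><version>0.0.1</version>
  <dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>pinned-lib</artifactId>
      <version>1.4.2</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-lib</artifactId></dependency>
  </dependencies>
</project>"""

REPO = {
    # the starter parent inherits groupId/version from its own parent, as the real one does
    ("org.springframework.boot", "spring-boot-starter-parent", "3.2.0"):
    """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <parent><groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId><version>3.2.0</version></parent>
      <artifactId>spring-boot-starter-parent</artifactId><packaging>pom</packaging>
    </project>""",
    ("org.springframework.boot", "spring-boot-dependencies", "3.2.0"):
    """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId><version>3.2.0</version>
      <properties><example-lib.version>2.9.1</example-lib.version></properties>
      <dependencyManagement><dependencies>
        <dependency><groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-web</artifactId>
          <version>${project.version}</version></dependency>
        <dependency><groupId>org.example</groupId><artifactId>example-lib</artifactId>
          <version>${example-lib.version}</version></dependency>
      </dependencies></dependencyManagement>
    </project>""",
}


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _parent(root):
    """(groupId, artifactId, version) from <parent>, or None at the top of the chain."""
    p = root.find("m:parent", NS)
    return None if p is None else tuple(_text(p, t) for t in ("m:groupId", "m:artifactId", "m:version"))


def managed_versions(pom_xml, repo, max_depth=8):
    """Collect <dependencyManagement> versions and <properties> from the pom and from
    at most max_depth parents (cf. syft's max-parent-recursive-depth). setdefault()
    keeps the nearest definition, so a child overrides its parent.
    Returns {(groupId, artifactId): version} with ${...} references expanded."""
    props, managed = {}, {}
    root, depth = ET.fromstring(pom_xml), 0
    while True:
        parent = _parent(root)
        # ${project.version} is the version of the pom declaring the entry, which
        # Maven inherits from <parent> when the pom itself leaves <version> out
        own_version = _text(root, "m:version") or (parent[2] if parent else "")
        for p in root.findall("m:properties/*", NS):
            props.setdefault(p.tag.split("}")[-1], (p.text or "").strip())
        for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
            version = (_text(d, "m:version") or "").replace("${project.version}", own_version)
            managed.setdefault((_text(d, "m:groupId"), _text(d, "m:artifactId")), version)
        if parent is None or depth >= max_depth or parent not in repo:
            break  # top of chain, depth exhausted, or parent not fetchable (no network)
        root, depth = ET.fromstring(repo[parent]), depth + 1

    def expand(value):
        for _ in range(10):  # bounded: a property may reference another property
            expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
            if expanded == value:
                return value
            value = expanded
        return value
    return {key: expand(v) for key, v in managed.items()}


def resolve_dependencies(pom_xml, repo, max_depth=8):
    """[(groupId, artifactId, version)] for each <dependency>; version is "" when
    neither the pom nor a reachable parent pins it, the blank the SBOM entry shows."""
    managed = managed_versions(pom_xml, repo, max_depth)
    root = ET.fromstring(pom_xml)
    result = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        key = (_text(d, "m:groupId"), _text(d, "m:artifactId"))
        result.append((key[0], key[1], _text(d, "m:version") or managed.get(key, "")))
    return result


if __name__ == "__main__":
    for group, artifact, version in resolve_dependencies(CHILD_POM, REPO):
        print(f"{group}:{artifact}:{version or '<unresolved>'}")
```

Two settings from the configuration are visible in the calls: passing an empty `repo` models `use-network: false` (the parent cannot be fetched and the version stays blank), and a `max_depth` of 1 stops at the starter parent, which carries no `dependencyManagement` of its own, so the starter still resolves to an empty version; only with enough depth to reach `spring-boot-dependencies` does `spring-boot-starter-web` come back as 3.2.0.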

tgerla commented 11 months ago

Thanks, @coheigea. I'll close this issue. Please feel free to open a new one if anyone runs into more trouble. Thanks!