anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

SBOM generated for JAR doesn't parse all pom.xml #2873

Open gobiltd opened 6 months ago

gobiltd commented 6 months ago

What happened:

SBOM generation is not analyzing all pom.xml files inside the jar.

What you expected to happen:

Syft should parse all pom.xml files inside jar and list in SBOM.

Steps to reproduce the issue:

Step 1: Download artifact from Maven for input

Downloaded the launcher-common-20.3.11.jar from Maven.
https://repo1.maven.org/maven2/org/graalvm/sdk/launcher-common/20.3.11/launcher-common-20.3.11.jar

Step 2: Generate SBOM

```
syft /launcher-common-maven/launcher-common-20.3.11.jar -o syft-json=syft_bom_test.json
 ✔ Indexed file system      /launcher-common-maven
 ✔ Cataloged contents       f6d89c85583b2334db1f57530d05fe44f33a5eb8175cccd3dcdcff9dc16efe9b
   ├── ✔ Packages           [0 packages]
   └── ✔ Executables        [0 executables]
A newer version of syft is available for download: 1.4.1 (installed version is 1.1.1)
```

Anything else we need to know?:

If we extract the launcher-common-20.3.11.jar, we can find multiple pom.xml files in the paths below.

```
./META-INF/maven/jline/jline/pom.xml
./META-INF/maven/org.jline/jline-reader/pom.xml
./META-INF/maven/org.jline/jline/pom.xml
./META-INF/maven/org.jline/jline-terminal-jna/pom.xml
./META-INF/maven/org.jline/graalvm-feature/pom.xml
./META-INF/maven/org.jline/jline-style/pom.xml
./META-INF/maven/org.jline/jline-remote-ssh/pom.xml
./META-INF/maven/org.jline/jline-remote-telnet/pom.xml
./META-INF/maven/org.jline/jline-builtins/pom.xml
./META-INF/maven/org.jline/jline-terminal/pom.xml
./META-INF/maven/org.jline/jline-terminal-jansi/pom.xml
```

These are not listed in the SBOM.

Environment:

tgerla commented 6 months ago

Hi @gobiltd, thanks for the report. I've taken a look and the reason why we don't analyze this jar file is because it has no META-INF/MANIFEST.MF, which is an important piece of metadata for us to determine the main package name and version. I am not a Java expert and I don't know the build process that generates the launcher-common jar so I can't tell you why it is missing the MANIFEST.MF, but I can tell you that's why Syft is not finding packages. Do you control the build of this jar, or is it from upstream?

gobiltd commented 6 months ago

@tgerla I don't have any control over this jar; it's part of upstream.

Also, I noticed a similar issue in the jar below as well.
https://repo1.maven.org/maven2/org/graalvm/tools/chromeinspector/21.3.1/chromeinspector-21.3.1.jar

willmurphyscode commented 1 month ago

This is still a bug even with --enrich java. Adding needs-investigation so that we can try to understand what's going on here.

willmurphyscode commented 1 month ago

Idea for how to investigate: is it possible that this is because these JARs have a pom.xml but not a pom.properties, and the Syft cataloger is expecting to find a pom.properties?
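
The two explanations raised in this thread (no META-INF/MANIFEST.MF, and a pom.xml without a sibling pom.properties) can be checked on any JAR before triaging an SBOM gap. The script below is an added example, not Syft's code and not something posted by the participants; `audit_jar` and `build_sample_jar` are hypothetical names, and the sample archive is constructed to mimic the layout described, not a copy of launcher-common-20.3.11.jar.

```python
import io
import re
import sys
import zipfile

# Embedded Maven descriptors: META-INF/maven/<groupId>/<artifactId>/pom.{xml,properties}
_MAVEN_ENTRY = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.(xml|properties)$")


def audit_jar(jar):
    """Inspect a JAR (path or binary file object) for the metadata discussed above.

    Returns a dict with:
      has_manifest  - True if META-INF/MANIFEST.MF is present
      embedded      - {(groupId, artifactId): {"xml", "properties"}} as found
      missing_props - sorted coordinates that ship pom.xml but no pom.properties
    """
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    has_manifest = any(n.upper() == "META-INF/MANIFEST.MF" for n in names)
    embedded = {}
    for name in names:
        m = _MAVEN_ENTRY.match(name)
        if m:
            embedded.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    missing = sorted(c for c, kinds in embedded.items() if kinds == {"xml"})
    return {"has_manifest": has_manifest, "embedded": embedded, "missing_props": missing}


def build_sample_jar():
    """Constructed sample: no manifest, two pom.xml files without pom.properties,
    and one complete descriptor pair (hypothetical com.example) for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.jline/jline-reader/pom.xml", "<project/>")
        zf.writestr("META-INF/maven/org.jline/jline-terminal/pom.xml", "<project/>")
        zf.writestr("META-INF/maven/com.example/complete/pom.xml", "<project/>")
        zf.writestr("META-INF/maven/com.example/complete/pom.properties",
                    "groupId=com.example\nartifactId=complete\nversion=1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a JAR path to audit a real file; with no argument the sample is used.
    report = audit_jar(sys.argv[1] if len(sys.argv) > 1 else build_sample_jar())
    print("MANIFEST.MF present:", report["has_manifest"])
    for group, artifact in report["missing_props"]:
        print(f"pom.xml without pom.properties: {group}:{artifact}")
```

Running it across an artifact repository gives a list of JARs whose embedded components an SBOM tool may under-report, which can then be compared against the tool's package count.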