anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Catalog JDKs more completely #3188

Closed kzantow closed 1 month ago

kzantow commented 2 months ago

What would you like to be added: A custom cataloger specifically for JDK distributions.

Why is this needed: Today, Syft catalogs JDKs by identifying java executables with a generic binary cataloger. This works marginally well, but is only able to catalog the java executable itself. There are many other executable files and libraries associated with the JDK that are not included by this cataloging, but it would be great for Syft to be able to correctly identify these files with relationships to an identified JDK version, such as OpenJDK or Oracle JDK, etc.

Additional context: For example, in the Docker official images, there are 25 instances of /opt/java/openjdk/bin/keytool, which a user can identify as being part of OpenJDK but Syft does not associate with any package. If we scan the official Docker images, these files are found; the total number of times each was found is listed below:

Common OpenJDK files

| Executable | Instances |
| -------- | ------- |
| /opt/java/openjdk/bin/keytool | 25 |
| /opt/java/openjdk/bin/rmiregistry | 25 |
| /opt/java/openjdk/lib/jexec | 25 |
| /opt/java/openjdk/bin/jfr | 23 |
| /opt/java/openjdk/bin/jrunscript | 23 |
| /opt/java/openjdk/lib/jspawnhelper | 22 |
| /opt/java/openjdk/lib/libawt.so | 22 |
| /opt/java/openjdk/lib/libawt_headless.so | 22 |
| /opt/java/openjdk/lib/libawt_xawt.so | 22 |
| /opt/java/openjdk/lib/libdt_socket.so | 22 |
| /opt/java/openjdk/lib/libextnet.so | 22 |
| /opt/java/openjdk/lib/libfontmanager.so | 22 |
| /opt/java/openjdk/lib/libinstrument.so | 22 |
| /opt/java/openjdk/lib/libj2gss.so | 22 |
| /opt/java/openjdk/lib/libj2pcsc.so | 22 |
| /opt/java/openjdk/lib/libj2pkcs11.so | 22 |
| /opt/java/openjdk/lib/libjaas.so | 22 |
| /opt/java/openjdk/lib/libjava.so | 22 |
| /opt/java/openjdk/lib/libjavajpeg.so | 22 |
| /opt/java/openjdk/lib/libjawt.so | 22 |
| /opt/java/openjdk/lib/libjdwp.so | 22 |
| /opt/java/openjdk/lib/libjimage.so | 22 |
| /opt/java/openjdk/lib/libjsig.so | 22 |
| /opt/java/openjdk/lib/libjsound.so | 22 |
| /opt/java/openjdk/lib/liblcms.so | 22 |
| /opt/java/openjdk/lib/libmanagement.so | 22 |
| /opt/java/openjdk/lib/libmanagement_agent.so | 22 |
| /opt/java/openjdk/lib/libmanagement_ext.so | 22 |
| /opt/java/openjdk/lib/libmlib_image.so | 22 |
| /opt/java/openjdk/lib/libnet.so | 22 |
| /opt/java/openjdk/lib/libnio.so | 22 |
| /opt/java/openjdk/lib/libprefs.so | 22 |
| /opt/java/openjdk/lib/librmi.so | 22 |
| /opt/java/openjdk/lib/libsctp.so | 22 |
| /opt/java/openjdk/lib/libsplashscreen.so | 22 |
| /opt/java/openjdk/lib/libverify.so | 22 |
| /opt/java/openjdk/lib/libzip.so | 22 |
| /opt/java/openjdk/lib/server/libjsig.so | 22 |
| /opt/java/openjdk/lib/server/libjvm.so | 22 |
| /opt/java/openjdk/lib/libjli.so | 16 |
| /opt/java/openjdk/lib/libjsvml.so | 15 |
| /opt/java/openjdk/lib/libsyslookup.so | 15 |
| /opt/java/openjdk/bin/jar | 13 |
| /opt/java/openjdk/bin/jarsigner | 13 |
| /opt/java/openjdk/bin/javac | 13 |
| /opt/java/openjdk/bin/javadoc | 13 |
| /opt/java/openjdk/bin/javap | 13 |
| /opt/java/openjdk/bin/jcmd | 13 |
| /opt/java/openjdk/bin/jconsole | 13 |
| /opt/java/openjdk/bin/jdeps | 13 |
| /opt/java/openjdk/bin/jinfo | 13 |
| /opt/java/openjdk/bin/jmap | 13 |
| /opt/java/openjdk/bin/jps | 13 |
| /opt/java/openjdk/bin/jstack | 13 |
| /opt/java/openjdk/bin/jstat | 13 |
| /opt/java/openjdk/bin/jstatd | 13 |
| /opt/java/openjdk/bin/serialver | 13 |
| /opt/java/openjdk/bin/jdeprscan | 12 |
| /opt/java/openjdk/bin/jhsdb | 12 |
| /opt/java/openjdk/bin/jimage | 12 |
| /opt/java/openjdk/bin/jlink | 12 |
| /opt/java/openjdk/bin/jmod | 12 |
| /opt/java/openjdk/bin/jshell | 12 |
| /opt/java/openjdk/lib/libattach.so | 12 |
| /opt/java/openjdk/lib/libsaproc.so | 12 |
| /opt/java/openjdk/bin/jpackage | 11 |
| /opt/java/openjdk/bin/rmid | 10 |
| /opt/java/openjdk/bin/jjs | 9 |
| /opt/java/openjdk/bin/pack200 | 9 |
| /opt/java/openjdk/bin/unpack200 | 9 |
| /opt/java/openjdk/bin/jwebserver | 8 |
| /opt/java/openjdk/lib/libfreetype.so | 8 |
| /opt/java/openjdk/lib/lible.so | 8 |
| /opt/java/openjdk/bin/jaotc | 7 |
| /opt/java/openjdk/lib/jli/libjli.so | 6 |
| /opt/java/openjdk/lib/libsunec.so | 6 |
| /opt/java/openjdk/lib/libunpack.so | 6 |

Many of these are prevalent enough in modern software stacks that Syft should be able to accurately identify these files and associate them with the OpenJDK distribution, where applicable.

A potential solution is to create a Java / JDK cataloger for the distributions and runtimes themselves.

Another possibility is to augment the binary cataloger with some if-found-also-include relative paths or similar.

wagoodman commented 1 month ago

A good path appears to be using the release file that is published with multiple jdk distributions / packagings:

temurin

/opt/java/openjdk/release

```
IMPLEMENTOR="Eclipse Adoptium"
IMPLEMENTOR_VERSION="Temurin-21.0.4+7"
JAVA_RUNTIME_VERSION="21.0.4+7-LTS"
JAVA_VERSION="21.0.4"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:13710926b798"
BUILD_SOURCE="git:1271f10a26c47e1489a814dd2731f936a588d621"
BUILD_SOURCE_REPO="https://github.com/adoptium/temurin-build.git"
SOURCE_REPO="https://github.com/adoptium/jdk21u.git"
FULL_VERSION="21.0.4+7-LTS"
SEMANTIC_VERSION="21.0.4+7"
BUILD_INFO="OS: Linux Version: 5.4.0-150-generic"
JVM_VARIANT="Hotspot"
JVM_VERSION="21.0.4+7-LTS"
IMAGE_TYPE="JDK"
```

Zulu

/usr/lib/jvm/zulu19-ca-arm64/release

Container: `azul/zulu-openjdk:19`

```
/usr/lib/jvm/zulu19-ca-arm64/release
IMPLEMENTOR="Azul Systems, Inc."
IMPLEMENTOR_VERSION="Zulu19.32+13-CA"
JAVA_VERSION="19.0.2"
JAVA_VERSION_DATE="2023-01-17"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.concurrent jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:1c1f24d5f80e"
```

Packaging info:

```
$ apt list --installed | grep jdk
zulu19-ca-jdk-headless/now 19.0.2-1 arm64 [installed,local]
zulu19-ca-jdk/now 19.0.2-1 arm64 [installed,local]
zulu19-jdk-headless/now 19.0.2-1 arm64 [installed,local]
zulu19-jdk/now 19.0.2-1 arm64 [installed,local]
```

amazoncorretto

/usr/lib/jvm/java-17-amazon-corretto/release

Container: `amazoncorretto:17`

```
IMPLEMENTOR="Amazon.com Inc."
IMPLEMENTOR_VERSION="Corretto-17.0.12.7.1"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:e1b855efb571+"
```

Packaging info:

```
$ yum list installed | grep -i java
java-17-amazon-corretto-devel.aarch64 1:17.0.12.7-1 @AmazonCorretto
```

redhat

/usr/lib/jvm/java-17-openjdk-17.0.12.0.7-2.el8.aarch64/release

After installing `java-17-openjdk`

```
IMPLEMENTOR="Red Hat, Inc."
IMPLEMENTOR_VERSION="(Red_Hat-17.0.12.0.7-1)"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:833f65ecb304"
```

AdoptOpenJDK (now temurin)

/opt/java/openjdk/release

```
IMPLEMENTOR="AdoptOpenJDK"
IMPLEMENTOR_VERSION="AdoptOpenJDK"
JAVA_VERSION="13"
JAVA_VERSION_DATE="2019-09-17"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.vm.ci jdk.management jdk.unsupported jdk.internal.vm.compiler jdk.aot jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.internal.le jdk.internal.opt jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.pack jdk.rmic jdk.scripting.nashorn jdk.scripting.nashorn.shell jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Linux"
SOURCE=".:git:9ae5c5c153c2"
```

IBM semeru

/opt/java/openjdk/release

```
IMPLEMENTOR="IBM Corporation"
IMPLEMENTOR_VERSION="17.0.12.0"
JAVA_RUNTIME_VERSION="17.0.12+7"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.jvmstat jdk.internal.le jdk.internal.opt jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.localedata jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs openj9.criu openj9.cuda openj9.dataaccess openj9.traceformat openj9.dtfj openj9.dtfjview openj9.gpu openj9.jvm openj9.sharedclasses openj9.zosconditionhandling"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE="OpenJDK:784bd66222d OpenJ9:1a6f6128aa OMR:840a9adba"
BUILD_SOURCE="git:f04d3055313d878acb10deb842f530a4d58abbeb"
BUILD_SOURCE_REPO="https://github.com/ibmruntimes/temurin-build.git"
SOURCE_REPO="git@github.com:ibmruntimes/openj9-openjdk-jdk17.git"
FULL_VERSION="17.0.12+7"
SEMANTIC_VERSION="17.0.12+7"
BUILD_INFO="OS: Linux Version: 5.15.0-116-generic"
JVM_VARIANT="Openj9"
JVM_VERSION="openj9-0.46.0"
IMAGE_TYPE="JDK"
```

Bellsoft

/usr/lib/jvm/jdk-22.0.2-bellsoft-aarch64/release

Container: `bellsoft/liberica-openjdk-alpine-musl`

```
IMPLEMENTOR="BellSoft"
JAVA_RUNTIME_VERSION="22.0.2+11"
JAVA_VERSION="22.0.2"
JAVA_VERSION_DATE="2024-07-16"
LIBC="musl"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.cryptoki jdk.crypto.ec jdk.dynalink jdk.internal.ed jdk.editpad jdk.internal.vm.ci jdk.graal.compiler jdk.graal.compiler.management jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:3c59d31b491b+"
```

Microsoft build of OpenJDK

/usr/lib/jvm/msopenjdk-17/release

Container: `mcr.microsoft.com/openjdk/jdk:17-mariner`

```
IMPLEMENTOR="Microsoft"
IMPLEMENTOR_VERSION="Microsoft-9889599"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:90e61ab18a94"
```

Packaging info:

```
$ rpm -qa | grep -i jdk
msopenjdk-17-17.0.12-1.aarch64
```

sapmachine

/usr/lib/jvm/sapmachine-16/release

Container: `sapmachine/stable:latest`

```
IMPLEMENTOR="SAP SE"
IMPLEMENTOR_VERSION="SapMachine"
JAVA_VERSION="16.0.2"
JAVA_VERSION_DATE="2021-07-22"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.vm.ci jdk.management jdk.unsupported jdk.internal.vm.compiler jdk.aot jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Linux"
SOURCE=".:git:d3d2485b59d7"
```

Packaging info:

```
apt list --installed | grep jdk
sapmachine-16-jdk/now 16.0.2 amd64 [installed,local]
```

Oracle JDK

/usr/lib/jvm/jdk-22.0.2-oracle-aarch64/release

```
docker run --rm -it oraclelinux:8 bash
curl -O https://download.oracle.com/java/22/latest/jdk-22_linux-aarch64_bin.rpm
rpm -ivh ./jdk*.rpm
```

```
IMPLEMENTOR="Oracle Corporation"
JAVA_RUNTIME_VERSION="22.0.2+9-70"
JAVA_VERSION="22.0.2"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.cryptoki jdk.crypto.ec jdk.dynalink jdk.internal.ed jdk.editpad jdk.internal.vm.ci jdk.graal.compiler jdk.graal.compiler.management jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:5b97d5323482 open:git:8153097cea20"
```

I haven't been able to find any JEPs that define this file in detail (so far only some distant references here), but for the temurin flavor, here's the PR that put in this enhancement (thus, where these fields are derived from): https://github.com/adoptium/temurin-build/pull/2049/files .

In terms of associating files with each distribution, it would be all sibling and child files found relative to the release file.

Something to note: some of these above examples are already packaged in RPMs, which we don't want to additionally catalog. Instead, we're interested in unpackaged distributions.
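Added example (not Syft's code, and not from this comment's author): a minimal Go sketch of the approach described above. It parses the `KEY="value"` lines of a `release` file, picks a version with a fallback to `JAVA_VERSION` for files that lack `JAVA_RUNTIME_VERSION` (the Zulu, AdoptOpenJDK and SapMachine samples above), and collects the sibling and child files relative to the release file. All function names and the sample release file and path listing are this example's own constructions.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// parseRelease reads the KEY="value" lines of a JDK `release` file into a map;
// a line without '=' is rejected so a truncated or corrupt file is not half-parsed.
func parseRelease(content string) (map[string]string, error) {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed release line: %q", line)
		}
		fields[key] = strings.Trim(value, `"`)
	}
	return fields, sc.Err()
}

// jdkVersion prefers JAVA_RUNTIME_VERSION; Zulu, AdoptOpenJDK and SapMachine files only carry JAVA_VERSION.
func jdkVersion(fields map[string]string) string {
	if v := fields["JAVA_RUNTIME_VERSION"]; v != "" {
		return v
	}
	return fields["JAVA_VERSION"]
}

// ownedFiles applies the "sibling and child files relative to the release file" rule:
// every path under the release file's directory. The trailing "/" keeps a neighbouring
// directory such as /opt/java/openjdk-old from matching /opt/java/openjdk.
func ownedFiles(releasePath string, allPaths []string) []string {
	root := path.Dir(releasePath)
	if root != "/" {
		root += "/"
	}
	var owned []string
	for _, p := range allPaths {
		if strings.HasPrefix(p, root) {
			owned = append(owned, p)
		}
	}
	return owned
}

// Constructed sample input (not captured from a real image): a trimmed Zulu-style
// release file, which has no JAVA_RUNTIME_VERSION, and a short image file listing.
const sampleReleasePath = "/usr/lib/jvm/zulu19-ca-arm64/release"
const sampleRelease = "IMPLEMENTOR=\"Azul Systems, Inc.\"\nIMPLEMENTOR_VERSION=\"Zulu19.32+13-CA\"\n" +
	"JAVA_VERSION=\"19.0.2\"\nMODULES=\"java.base java.compiler jdk.jfr\"\nOS_ARCH=\"aarch64\"\n"
var samplePaths = []string{sampleReleasePath, "/usr/lib/jvm/zulu19-ca-arm64/bin/keytool",
	"/usr/lib/jvm/zulu19-ca-arm64/lib/libjvm.so", "/usr/lib/jvm/zulu19-ca-arm64-old/bin/java", "/usr/bin/python3"}

func main() {
	fields, err := parseRelease(sampleRelease)
	if err != nil {
		panic(err)
	}
	fmt.Println(fields["IMPLEMENTOR"], jdkVersion(fields), len(ownedFiles(sampleReleasePath, samplePaths)), "files")
}
```

A real cataloger would also need to skip release files that already belong to an RPM or deb, as the comment notes, which is a lookup against the OS package cataloger's file list rather than anything in this sketch.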

westonsteimel commented 1 month ago

I'm not sure if it adds anything you haven't already looked at, but I had captured some similar notes over on https://github.com/anchore/syft/issues/2422#issuecomment-2046053744

wagoodman commented 1 month ago

Indeed -- I was going to link these two issues together and close them in an upcoming PR. I'm using your notes to try and get the crafted CPEs and purl correct 🤞 .

witchcraze commented 1 month ago

This will also solve https://github.com/anchore/syft/issues/1426, I think.

And please let me share one episode I faced recently. We received a light contact from Oracle about Java usage, but we cannot confirm the usage status immediately, especially in container environments. If Syft can detect OracleJDK, it will be an important factor in using Syft.

As OracleJDK 17 under NFTC (free license) will end soon, Oracle seems more active... https://www.theregister.com/2024/06/10/fortune_200_oracle_java_audit/