Some Java libraries are not being detected, or being mis-identified

[dbrugman]

What happened: When scanning Docker images coming with many Java libraries (*.jar files), I noticed that some were either missing in the resulting SBOM, or were present but with the wrong name.

What you expected to happen: I would expect all Java libraries to get detected and included in the SBOM with the correct names.

Steps to reproduce the issue: Create a Docker image using this Dockerfile:

FROM ubuntu:latest

# These will NOT be detected by Syft 1.14.0:
ADD https://repo1.maven.org/maven2/net/datafaker/datafaker/1.9.0/datafaker-1.9.0.jar /java/
ADD https://repo1.maven.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar /java/

# This one will be detected but with the WRONG NAME:
ADD https://repo1.maven.org/maven2/com/datastax/oss/java-driver-core-shaded/4.17.0/java-driver-core-shaded-4.17.0.jar /java/

# This one WILL be detected correctly by Syft 1.14.0:
ADD https://repo1.maven.org/maven2/com/google/guava/guava/33.3.1-jre/guava-33.3.1-jre.jar /java/

Create an image:

docker build -t testjava .

Create an SBOM and search for the presence of Java libraries:

syft scan testjava | grep java-archive

Only 2 out of the 4 libraries are detected:

core                 4.17.0                       java-archive
guava                33.3.1-jre                   java-archive

And note that the name of the java-driver-core-shaded library is incorrectly shown as just core.

Anything else we need to know?:

Environment:

• Output of syft version: Application: syft Version: 1.14.0 BuildDate: 2024-10-07T20:40:39Z GitCommit: ccbee94b876240284c25c8931c6233fc71a5b7fb GitDescription: v1.14.0 Platform: linux/amd64 GoVersion: go1.22.7 Compiler: gc

• OS (e.g: cat /etc/os-release or similar): NAME="Ubuntu" VERSION="20.04.6 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.6 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal

[wagoodman]

An initial look shows that:

• javax.inject: this is missing all identifying information, so will probably never be correctly. There is a chance that an online lookup may yield results here, however, it isn't clear what data source to use (it is probably not maven central). At a surface level this appears to be part of the JDK (this should be confirmed though).
• java-drive-core: we think that this is being skipped since it's missing a pom.properties file (this should also be confirmed, but gives a staring place for development)
• datafaker: I can't tell why this is being skipped!

Thanks for reporting!