Open dbrugman opened 2 weeks ago
An initial look shows that:
- javax.inject: this is missing all identifying information, so will probably never be correctly. There is a chance that an online lookup may yield results here, however, it isn't clear what data source to use (it is probably not maven central). At a surface level this appears to be part of the JDK (this should be confirmed though).
- java-drive-core: we think that this is being skipped since it's missing a pom.properties file (this should also be confirmed, but gives a starting place for development)
- datafaker: I can't tell why this is being skipped!

Thanks for reporting!
What happened: When scanning Docker images coming with many Java libraries (*.jar files), I noticed that some were either missing in the resulting SBOM, or were present but with the wrong name.
What you expected to happen: I would expect all Java libraries to get detected and included in the SBOM with the correct names.
Steps to reproduce the issue: Create a Docker image using this Dockerfile:
Create an image:
Create an SBOM and search for the presence of Java libraries:
Only 2 out of the 4 libraries are detected:
And note that the name of the java-driver-core-shaded library is incorrectly shown as just core.
Anything else we need to know?:
Environment:
Output of syft version:
  Application: syft
  Version: 1.14.0
  BuildDate: 2024-10-07T20:40:39Z
  GitCommit: ccbee94b876240284c25c8931c6233fc71a5b7fb
  GitDescription: v1.14.0
  Platform: linux/amd64
  GoVersion: go1.22.7
  Compiler: gc
OS (e.g: cat /etc/os-release or similar):
  NAME="Ubuntu"
  VERSION="20.04.6 LTS (Focal Fossa)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu 20.04.6 LTS"
  VERSION_ID="20.04"
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  VERSION_CODENAME=focal
  UBUNTU_CODENAME=focal
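
The triage comment above points at JARs that carry no pom.properties or no identifying information at all. The following is an added example (not part of the report and not syft's code) that lists the identity evidence inside a JAR so such files can be found before trusting an SBOM. It assumes that "identifying information" means Maven pom.properties coordinates and main-section manifest attributes; the manifest key list, the helper names and the org.example sample JARs are constructed for illustration.

```python
import io
import zipfile

# Assumption: these manifest attributes are treated as identity hints.
MANIFEST_KEYS = ("Implementation-Title", "Implementation-Version", "Bundle-SymbolicName")

def parse_properties(text):
    """Parse the key=value subset of the .properties format."""
    pairs = (l.partition("=") for l in text.splitlines()
             if "=" in l and l.lstrip()[:1] not in ("#", "!"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    main, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        key, sep, value = line.partition(": ")
        if line.startswith(" ") and last:
            main[last] += line[1:]     # continuation of the previous value
        elif sep:
            main[key], last = value, key
    return main

def jar_identity(jar_bytes):
    """Report which identity evidence a JAR carries inside the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        poms = [parse_properties(jar.read(n).decode("utf-8", "replace")) for n in names
                if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
        raw = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    manifest = parse_manifest(raw.decode("utf-8", "replace"))
    return {"coordinates": [(p.get("groupId"), p.get("artifactId"), p.get("version"))
                            for p in poms],
            "manifest": {k: manifest[k] for k in MANIFEST_KEYS if k in manifest}}

def make_jar(files):  # helper for constructed sample input: {path: text}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, text in files.items():
            jar.writestr(path, text)
    return buf.getvalue()

# Constructed samples (not the JARs from the report).
WITH_POM = make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/maven/org.example/demo-lib/pom.properties":
        "groupId=org.example\nartifactId=demo-lib\nversion=1.2.3\n"})
BARE = make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
```

A JAR for which both `coordinates` and `manifest` come back empty has only its file name left to identify it, which is the case to check by hand against the generated SBOM.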