Closed markusjnagel closed 3 weeks ago
Hello, I Have the same problem on my side. Even when specifying the pom.xml file, syft does not find the correct versions. It seems that syft does not support maven Dependency Management correctly.
The short answer to your question about what's the difference in behavior here, is because we have different catalogers enabled when it's an image scan vs a directory scan:
❯ syft cataloger list --override-default-catalogers image --select-catalogers java
Default selections:
- "image"
Selected by expressions:
- "java"
┌────────────────────────────────┬─────────────────────────────────────────────────────────────────────┐
│ CATALOGER │ TAGS │
├────────────────────────────────┼─────────────────────────────────────────────────────────────────────┤
│ graalvm-native-image-cataloger │ directory, image, installed, java, language, package │
│ java-archive-cataloger │ directory, image, installed, java, language, maven, package │
│ java-jvm-cataloger │ declared, directory, image, installed, java, jdk, jre, jvm, package │
└────────────────────────────────┴─────────────────────────────────────────────────────────────────────┘
❯ syft cataloger list --override-default-catalogers directory --select-catalogers java
Default selections:
- "directory"
Selected by expressions:
- "java"
┌────────────────────────────────┬─────────────────────────────────────────────────────────────────────┐
│ CATALOGER │ TAGS │
├────────────────────────────────┼─────────────────────────────────────────────────────────────────────┤
│ graalvm-native-image-cataloger │ directory, image, installed, java, language, package │
│ java-archive-cataloger │ directory, image, installed, java, language, maven, package │
│ java-gradle-lockfile-cataloger │ declared, directory, gradle, java, language, package │
│ java-jvm-cataloger │ declared, directory, image, installed, java, jdk, jre, jvm, package │
│ java-pom-cataloger │ declared, directory, java, language, maven, package │
└────────────────────────────────┴─────────────────────────────────────────────────────────────────────┘
In this case the java-pom-cataloger is picking up the deps in a directory scan, but is not used in an image scan.
$ syft -q ./ -o json | jq '.artifacts[] | select(.name == "quarkus-arc").foundBy'
java-pom-cataloger
The reason for this difference is that the java-archive-cataloger looks for evidence of installed software, while the java-pom-cataloger looks for evidence of intent to install software. A pom.xml is not evidence of installed software, which is why, even though the java-archive-cataloger finds the pom and parses it correctly and even has all of the dependencies in memory, they are thrown away. It is assumed that syft will be run against something that has all of your dependencies installed.
Put another way, the directory scan raised up all of the expected dependencies but without version information. This is because the version information is not present:
cat ./META-INF/maven/redhat.janus/any-java-app/pom.xml | grep -C 2 dependency
  <dependencies>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-resteasy</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-smallrye-openapi</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-arc</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-junit5</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>io.rest-assured</groupId>
      <artifactId>rest-assured</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
However, if syft were run against the directory with all of the jars, or against the container image after a full maven install, then not only would we find all of the dependencies but also their versions:
$ ls -1
pom.properties
pom.xml
mvn -B -T 4 dependency:copy-dependencies dependency:go-offline clean -DoutputDirectory=deps
❯ tree
.
├── any-java-app-1.0-SNAPSHOT.jar
├── deps
│   ├── aesh-2.6.jar
│   ├── apiguardian-api-1.1.2.jar
│   ├── arc-2.11.3.Final.jar
│   ├── asm-9.3.jar
│   ├── asm-analysis-9.3.jar
│   ├── asm-commons-9.3.jar
│   ├── asm-tree-9.3.jar
│   ├── asm-util-9.3.jar
... (there are a lot here, so snip!)
│   ├── wagon-http-3.5.1.jar
│   ├── wagon-http-shared-3.5.1.jar
│   ├── wagon-provider-api-3.5.1.jar
│   ├── wildfly-common-1.5.4.Final-format-001.jar
│   ├── xml-path-4.5.1.jar
│   ├── xmlpull-1.1.3.1.jar
│   └── xstream-1.4.19.jar
├── pom.properties
└── pom.xml
❯ syft .
✔ Indexed file system .
✔ Cataloged contents cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
├── ✔ Packages [198 packages]
├── ✔ File digests [183 files]
├── ✔ File metadata [183 locations]
└── ✔ Executables [0 executables]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME VERSION TYPE
aesh 2.6 java-archive
any-java-app 1.0-SNAPSHOT java-archive
apiguardian-api 1.1.2 java-archive
arc 2.11.3.Final java-archive
asm 9.3 java-archive
asm-analysis 9.3 java-archive
asm-commons 9.3 java-archive
asm-tree 9.3 java-archive
asm-util 9.3 java-archive
asyncutil 0.1.0 java-archive
brotli4j 1.7.1 java-archive
commons-cli 1.4 java-archive
commons-codec 1.15 java-archive
commons-io 2.11.0 java-archive
commons-lang3 3.12.0 java-archive
commons-logging-jboss-logging 1.0.0.Final java-archive
failureaccess 1.0.1 java-archive
gizmo 1.0.11.Final java-archive
groovy 3.0.9 java-archive
groovy-json 3.0.9 java-archive
groovy-xml 3.0.9 java-archive
guava 31.1-jre java-archive
guice 4.2.2-no_aop java-archive
hamcrest 2.1 java-archive
hawtjni-runtime 1.17 java-archive
httpclient 4.5.13 java-archive
httpcore 4.4.15 java-archive
httpmime 4.5.13 java-archive
jackson-annotations 2.13.3 java-archive
jackson-core 2.13.3 java-archive
jackson-databind 2.13.3 java-archive
jackson-dataformat-yaml 2.13.3 java-archive
jakarta.activation 1.2.1 java-archive
jakarta.annotation-api 1.3.5 java-archive
jakarta.el-api 3.0.3 java-archive
jakarta.enterprise.cdi-api 2.0.2 java-archive
jakarta.inject-api 1.0 java-archive
jakarta.interceptor-api 1.2.5 java-archive
jakarta.transaction-api 1.3.3 java-archive
jakarta.validation-api 2.0.2 java-archive
jandex 2.4.3.Final java-archive
jansi 1.18 java-archive
jansi-freebsd32 1.8 java-archive
jansi-freebsd64 1.8 java-archive
jansi-linux32 1.8 java-archive
jansi-linux64 1.8 java-archive
jansi-native 1.8 java-archive
jansi-osx 1.8 java-archive
jansi-windows32 1.8 java-archive
jansi-windows64 1.8 java-archive
jboss-jaxb-api_2.3_spec 2.0.0.Final java-archive
jboss-jaxrs-api_2.1_spec 2.0.1.Final java-archive
jboss-logging 3.5.0.Final java-archive
jboss-logging-annotations 2.2.1.Final java-archive
jboss-logmanager-embedded 1.0.10 java-archive
jboss-threads 3.4.2.Final java-archive
jctools-core 3.1.0 java-archive
json-path 4.5.1 java-archive
junit-jupiter 5.8.2 java-archive
junit-jupiter-api 5.8.2 java-archive
junit-jupiter-engine 5.8.2 java-archive
junit-jupiter-params 5.8.2 java-archive
junit-platform-commons 1.8.2 java-archive
junit-platform-engine 1.8.2 java-archive
junit-platform-launcher 1.8.2 java-archive
maven-artifact 3.8.6 java-archive
maven-builder-support 3.8.6 java-archive
maven-core 3.8.6 java-archive
maven-embedder 3.8.6 java-archive
maven-model 3.8.6 java-archive
maven-model-builder 3.8.6 java-archive
maven-plugin-api 3.8.6 java-archive
maven-repository-metadata 3.8.6 java-archive
maven-resolver-api 1.6.3 java-archive
maven-resolver-connector-basic 1.6.3 java-archive
maven-resolver-impl 1.6.3 java-archive
maven-resolver-provider 3.8.6 java-archive
maven-resolver-spi 1.6.3 java-archive
maven-resolver-transport-wagon 1.6.3 java-archive
maven-resolver-util 1.6.3 java-archive
maven-settings 3.8.6 java-archive
maven-settings-builder 3.8.6 java-archive
maven-shared-utils 3.3.4 java-archive
microprofile-config-api 2.0.1 java-archive
microprofile-context-propagation-api 1.2 java-archive
microprofile-openapi-api 2.0.1 java-archive
mutiny 1.6.0 java-archive
mutiny-smallrye-context-propagation 1.6.0 java-archive
mxparser 1.2.2 java-archive
netty-buffer 4.1.78.Final java-archive
netty-codec 4.1.78.Final java-archive
netty-codec-dns 4.1.78.Final java-archive
netty-codec-haproxy 4.1.78.Final java-archive
netty-codec-http 4.1.78.Final java-archive
netty-codec-http2 4.1.78.Final java-archive
netty-codec-socks 4.1.78.Final java-archive
netty-common 4.1.78.Final java-archive
netty-handler 4.1.78.Final java-archive
netty-handler-proxy 4.1.78.Final java-archive
netty-resolver 4.1.78.Final java-archive
netty-resolver-dns 4.1.78.Final java-archive
netty-transport 4.1.78.Final java-archive
netty-transport-native-unix-common 4.1.78.Final java-archive
opentest4j 1.2.0 java-archive
org-crac 0.1.1 java-archive
org.eclipse.sisu.inject 0.3.5 java-archive
org.eclipse.sisu.plexus 0.3.5 java-archive
plexus-cipher 2.0 java-archive
plexus-classworlds 2.6.0 java-archive
plexus-component-annotations 2.1.0 java-archive
plexus-interpolation 1.26 java-archive
plexus-sec-dispatcher 2.0 java-archive
plexus-utils 3.3.0 java-archive
quarkus-arc 2.11.3.Final java-archive
quarkus-arc UNKNOWN java-archive
quarkus-bootstrap-app-model 2.11.3.Final java-archive
quarkus-bootstrap-core 2.11.3.Final java-archive
quarkus-bootstrap-maven-resolver 2.11.3.Final java-archive
quarkus-bootstrap-runner 2.11.3.Final java-archive
quarkus-builder 2.11.3.Final java-archive
quarkus-class-change-agent 2.11.3.Final java-archive
quarkus-core 2.11.3.Final java-archive
quarkus-core-deployment 2.11.3.Final java-archive
quarkus-credentials 2.11.3.Final java-archive
quarkus-development-mode-spi 2.11.3.Final java-archive
quarkus-devtools-utilities 2.11.3.Final java-archive
quarkus-fs-util 0.0.9 java-archive
quarkus-ide-launcher 2.11.3.Final java-archive
quarkus-junit5 2.11.3.Final java-archive
quarkus-junit5 UNKNOWN java-archive
quarkus-junit5-properties 2.11.3.Final java-archive
quarkus-mutiny 2.11.3.Final java-archive
quarkus-netty 2.11.3.Final java-archive
quarkus-resteasy 2.11.3.Final java-archive
quarkus-resteasy UNKNOWN java-archive
quarkus-resteasy-common 2.11.3.Final java-archive
quarkus-resteasy-server-common 2.11.3.Final java-archive
quarkus-security 1.1.4.Final java-archive
quarkus-security-runtime-spi 2.11.3.Final java-archive
quarkus-smallrye-context-propagation 2.11.3.Final java-archive
quarkus-smallrye-openapi 2.11.3.Final java-archive
quarkus-smallrye-openapi UNKNOWN java-archive
quarkus-swagger-ui 2.11.3.Final java-archive
quarkus-test-common 2.11.3.Final java-archive
quarkus-vertx 2.11.3.Final java-archive
quarkus-vertx-http 2.11.3.Final java-archive
quarkus-vertx-http-dev-console-runtime-spi 2.11.3.Final java-archive
quarkus-vertx-latebound-mdc-provider 2.11.3.Final java-archive
reactive-streams 1.0.3 java-archive
readline 2.2 java-archive
rest-assured 4.5.1 java-archive
rest-assured UNKNOWN java-archive
rest-assured-common 4.5.1 java-archive
resteasy-core 4.7.5.Final java-archive
resteasy-core-spi 4.7.5.Final java-archive
slf4j-api 1.7.36 java-archive
slf4j-jboss-logmanager 1.1.0.Final java-archive
smallrye-common-annotation 1.13.0 java-archive
smallrye-common-classloader 1.13.0 java-archive
smallrye-common-constraint 1.13.0 java-archive
smallrye-common-expression 1.13.0 java-archive
smallrye-common-function 1.13.0 java-archive
smallrye-common-io 1.13.0 java-archive
smallrye-common-vertx-context 1.13.0 java-archive
smallrye-config 2.10.1 java-archive
smallrye-config-common 2.10.1 java-archive
smallrye-config-core 2.10.1 java-archive
smallrye-context-propagation 1.2.2 java-archive
smallrye-context-propagation-api 1.2.2 java-archive
smallrye-context-propagation-storage 1.2.2 java-archive
smallrye-fault-tolerance-vertx 5.5.0 java-archive
smallrye-mutiny-vertx-auth-common 2.24.1 java-archive
smallrye-mutiny-vertx-bridge-common 2.24.1 java-archive
smallrye-mutiny-vertx-core 2.24.1 java-archive
smallrye-mutiny-vertx-runtime 2.24.1 java-archive
smallrye-mutiny-vertx-uri-template 2.24.1 java-archive
smallrye-mutiny-vertx-web 2.24.1 java-archive
smallrye-mutiny-vertx-web-common 2.24.1 java-archive
smallrye-open-api-core 2.1.23 java-archive
snakeyaml 1.30 java-archive
tagsoup 1.2.1 java-archive
terminal-api 2.2 java-archive
vertx-auth-common 4.3.2 java-archive
vertx-bridge-common 4.3.2 java-archive
vertx-codegen 4.3.2 java-archive
vertx-core 4.3.2 java-archive
vertx-mutiny-generator 2.24.1 java-archive
vertx-uri-template 4.3.2 java-archive
vertx-web 4.3.2 java-archive
vertx-web-common 4.3.2 java-archive
wagon-file 3.5.1 java-archive
wagon-http 3.5.1 java-archive
wagon-http-shared 3.5.1 java-archive
wagon-provider-api 3.5.1 java-archive
wildfly-common 1.5.4.Final-format-001 java-archive
xml-path 4.5.1 java-archive
xmlpull 1.1.3.1 java-archive
xstream 1.4.19 java-archive
I hope this clears up the specifics you were asking about -- shout out if you have any additional questions, and if you want to see different behavior, please feel free to open an enhancement issue!
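As an added example (not from this thread or the syft project), here is a small Python check over a syft JSON SBOM that separates installed packages from pom.xml-declared entries with no version, and flags declared entries that have no installed counterpart in the same SBOM. The SBOM below is constructed to mirror the output above; the field names (artifacts, name, version, foundBy) are the ones the jq query in this thread relies on.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of syft's JSON output (only the fields used here).
# It mirrors the thread's result: a pom.xml-declared entry (java-pom-cataloger, no
# version) sits beside the installed jar (java-archive-cataloger, with version), and
# one declared entry has no installed jar at all.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "quarkus-arc", "version": "2.11.3.Final", "type": "java-archive",
         "foundBy": "java-archive-cataloger"},
        {"name": "quarkus-arc", "version": "UNKNOWN", "type": "java-archive",
         "foundBy": "java-pom-cataloger"},
        {"name": "rest-assured", "version": "", "type": "java-archive",
         "foundBy": "java-pom-cataloger"},
        {"name": "aesh", "version": "2.6", "type": "java-archive",
         "foundBy": "java-archive-cataloger"},
    ]
})


def has_version(artifact):
    """True only for a real version string; syft emits UNKNOWN or empty for none."""
    v = (artifact.get("version") or "").strip()
    return bool(v) and v.upper() != "UNKNOWN"


def audit(sbom_json):
    """Sort artifacts into: ok (versioned), duplicate_declared (versionless entry
    whose name also appears with a version, i.e. installed evidence exists), and
    declared_only (versionless with no installed counterpart: a vulnerability
    matcher cannot do anything useful with these)."""
    arts = json.loads(sbom_json)["artifacts"]
    versions_by_name = defaultdict(set)
    for a in arts:
        if has_version(a):
            versions_by_name[a["name"]].add(a["version"])
    report = {"ok": [], "duplicate_declared": [], "declared_only": []}
    for a in arts:
        name, found_by = a["name"], a.get("foundBy", "")
        if has_version(a):
            report["ok"].append((name, a["version"], found_by))
        elif versions_by_name[name]:
            report["duplicate_declared"].append((name, found_by))
        else:
            report["declared_only"].append((name, found_by))
    return report


if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_SBOM).items():
        print(f"{bucket}: {entries}")
```

Replace SAMPLE_SBOM with the output of `syft <target> -o json` to check a real scan; a non-empty declared_only bucket is the sign that the scanned target lacked the installed jars, as in the directory scan above.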
Hey all,
I suppose it is my mistake, but I'm a bit at a loss here:
Building a test case, I have a small Java app (super simple, with a few dependencies in the pom.xml file). Stuffing this into a container and having syft analyze it works great - however, when running syft against the file directly, I get a pretty much empty SBOM. If I unpack the *jar and let syft analyze the directory structure, it finds a little more, but is missing versions (even though they are in the pom.xml).
I'm using the latest syft on Fedora40/x86. If you want to check that behaviour, here is the jar (GH doesn't support *jar, so rename it - it's a pretty simple example): any-java-app-1.0-SNAPSHOT.zip
Any hints on what I'm doing wrong (as opposed to scanning a container image with the same jar file - where I get a meaningful SBOM)?
Running it against the jar - pretty worthless result (none of the dependencies have been identified):
Unpacking the jar and running it against the directory - it finds the dependencies but not their versions (which makes an SBOM pretty much useless):
My installed syft version: