phoenixadb
commented
1 year ago Same here, by analyzing a Docker image containing a Springboot applications. The JAR analyzer doesn't look inside the /BOOT-INF/lib directory for embedded JARs. This could be reproduce with any working Springboot JAR embedding JARs. Example of Springboot JAR structure: https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html The best way would be to inspect recursively the JAR contained inside. Another one would be to parse the classpath.idx which references the JARs. Example of classpath.idx content:
- "BOOT-INF/lib/swagger-models-1.5.20.jar"
- "BOOT-INF/lib/jackson-module-jaxb-annotations-2.13.4.jar"
- "BOOT-INF/lib/jackson-annotations-2.13.4.jar"
- "BOOT-INF/lib/jackson-datatype-jdk8-2.13.4.jar"
- "BOOT-INF/lib/jackson-module-parameter-names-2.13.4.jar"
- "BOOT-INF/lib/jackson-core-2.13.4.jar"
- "BOOT-INF/lib/jackson-datatype-joda-2.13.4.jar"
hi,I am using this program to recognize Java language files. During the recognition process, I found that the version of the jar package of the basic Java library cannot be recognized, such as () US_export_policy.jar
charsets.jar
cldrdata.jar
dnsns.jar
icedtea-sound.jar jaccess.jar java-atk-wrapper.jar jce.jar jsse.jar 2 local_policy.jar localedata.jar management-agent.jar /usr/share/elasticsearch/lib/plugin-cli-5.6.12.jar 2 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/sunec.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/sunjce_provider.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/sunpkcs11.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/zipfs.jar