Closed abelsromero closed 1 year ago
Trivy requires 3 fields: groupID
, artifactID
and version
.
We define these fields from MANIFEST.MF here: https://github.com/aquasecurity/go-dep-parser/blob/9cd0336b884cbc6ac93493f1751a7c2d85ae7d13/pkg/java/jar/parse.go#L399-L446
I can see the following in META-INF/MANIFEST.MF
There is no groupID
in this MANIFEST.MF
.
It seems Implementation-Vendor-Id
was deprecated in Java 8 https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Main_Attributes and in Java 11 is no longer mentioned. The closest Implementation-Vendor
https://docs.oracle.com/en/java/javase/11/docs/specs/jar/jar.html#manifest-specification is more descriptive.
@abelsromero Thanks for the information! I remember even Implementation-Vendor
is not standardized well, and it was hard to extract groupID and artifactID. But it's been a while since I looked into it. It is worth giving it another shot.
@DmitriyLewen Would you take a look?
@abelsromero thanks for info! @knqyf263 of course, i will check this.
Spring is not going to be using those and build is done in Gradle, which kind-of also discards the pom.properties.
On the bringht side, I added to my personal backlog to check sboms though, which may be an alternative for buildpack images.
I downloaded some of most popular java projects from maven repository and checked out MANIFEST.MF files:
commons-lang3-3.12.0.jar:
Bundle-SymbolicName: org.apache.commons.lang3
Implementation-Vendor: The Apache Software Foundation
jackson-databind-2.14.1.jar:
Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-databind
Implementation-Vendor-Id: com.fasterxml.jackson.core
Implementation-Vendor: FasterXML
junit-4.13.2.jar:
Implementation-Vendor: JUnit
Implementation-Vendor-Id: junit
logback-classic-1.4.5.jar:
Specification-Vendor: QOS.ch
Implementation-Vendor: QOS.ch
Bundle-SymbolicName: ch.qos.logback.classic
kotlin-stdlib-common-1.8.0.jar:
Implementation-Vendor: JetBrains
People seem to use organization name (or something like that), but it doesn't equal GroupID
.
We can use Implementation-Vendor
in case, when Implementation-Vendor-ID
and Bundle-SymbolicName
don't exist.
@knqyf263 wdyt? does that make sense?
@DmitriyLewen Yes, it sounds good, although it may not help us so much.
I wonder if it would be possible to integrate the index (as seen https://github.com/aquasecurity/trivy/issues/3421#issuecomment-1385902897) so users can download it like you can with the trivy-db. Of course, I realize that may not be simple at all.
@DmitriyLewen Yes, it sounds good, although it may not help us so much.
It will not help much, there is no standard entry. And apparently vendors change their custom entries often.
I looked into a newer Spring MANIFEST.ML
:
Manifest-Version: 1.0
Implementation-Title: Core starter, including auto-configuration suppo
rt, logging and YAML
Automatic-Module-Name: spring.boot.starter
Implementation-Version: 2.6.6
Built-By: Spring
Spring-Boot-Jar-Type: dependencies-starter
Build-Jdk-Spec: 1.8
The group ID is in the Automatic-Module-Name
entry.
A better way is to cache the search results like Trivy could cache the database, see my comment https://github.com/aquasecurity/trivy/issues/3421#issuecomment-1383836520
are you sure it's a GroupID?
Like for this project GroupID == org.springframework.boot
spring.boot.starter
is the artifactID
are you sure it's a GroupID? Like for this project GroupID ==
org.springframework.boot
spring.boot.starter
is the artifactID
You are right, sorry. However, it is only an example for changing custom entry names. Also in this MANIFEST.ML
there is no artifact ID in the Implementation-Title
.
Related to @DmitriyLewen post https://github.com/aquasecurity/trivy/issues/3421#issuecomment-1381514618 some of the jar versions not being detected are wellknown Java libraries like Spring framework, and they seem to contain the information.
I can see the following in
META-INF/MANIFEST.MF
Running in debug I see many other that seem are not recognized. So what is exactly the expected information Trivy requires?
Could this be used to improve artifact recognition and reduce remote calls?