eclipse / jbom

Apache License 2.0

JBom not working with OpenJ9 #11

Closed avermeer closed 1 year ago

avermeer commented 1 year ago

Hello,

I tried using Jbom 1.2.1 on one of my machines with running Java processes. Looks like Jbom doesn't like my Open-J9 JVM:

java -version 
openjdk version "17.0.5" 2022-10-18 
IBM Semeru Runtime Open Edition 17.0.5.0 (build 17.0.5+8) 
Eclipse OpenJ9 VM 17.0.5.0 (build openj9-0.35.0, JRE 17 Linux amd64-64-Bit Compressed References 20221018_325 (JIT enabled, AOT enabled) 
OpenJ9 - e04a7f6c1 
OMR - 85a21674f 
JCL - 32d2c409a33 based on jdk-17.0.5+8) 

If I try running JBom to get SBOM for all local Java processes, it fails:

java -jar:jbom-1.2.1.jar 
JVMJ9VM007E Command-line option unrecognised: -jar:jbom-1.2.1.jar 
Error: Could not create the Java Virtual Machine. 
Error: A fatal exception has occurred. Program will exit. 

If I try this alternative, then after the prompt JBom doesn't print anything and never exits:

java -jar jbom-1.2.1.jar 
2023-01-29 21:29:20:252 TRACE --- [jbom] 
2023-01-29 21:29:20:253 TRACE --- [jbom] _ __ 
2023-01-29 21:29:20:253 TRACE --- [jbom] (_) /_ ____ ____ ___ 
2023-01-29 21:29:20:253 TRACE --- [jbom] / / __ \/ __ \/ __ `__ \ 
2023-01-29 21:29:20:254 TRACE --- [jbom] / / /_/ / /_/ / / / / / / 
2023-01-29 21:29:20:254 TRACE --- [jbom] __/ /_.___/\____/_/ /_/ /_/ 
2023-01-29 21:29:20:254 TRACE --- [jbom] /___/ 
2023-01-29 21:29:20:254 TRACE --- [jbom] 
2023-01-29 21:29:20:254 TRACE --- [jbom] by Contrast Security - https://contrastsecurity.com 
2023-01-29 21:29:20:254 TRACE --- [jbom] 
2023-01-29 21:29:20:254 TRACE --- [jbom] jbom generates SBOMs for all JVMs running on a host 
2023-01-29 21:29:20:254 TRACE --- [jbom] https://github.com/Contrast-Security-OSS/jbom 
2023-01-29 21:29:20:254 TRACE --- [jbom] 

I'm running all this on CentOS 7.9:

cat /etc/centos-release 
CentOS Linux release 7.9.2009 (Core) 

Am I missing something?

Alex

planetlevel commented 1 year ago

Try it without the colon….

java -jar jbom-1.2.1.jar

planetlevel commented 1 year ago

Any luck?

avermeer commented 1 year ago

@planetlevel as I mentioned in the ticket, already tested, JBom starts but is unable to find any running JVM (which are also running OpenJ9-based Java runtime):

If I try this alternative, then after the prompt JBom doesn't print anything and never exits:

java -jar jbom-1.2.1.jar
2023-01-29 21:29:20:252 TRACE --- [jbom]
2023-01-29 21:29:20:253 TRACE --- [jbom] _ __
2023-01-29 21:29:20:253 TRACE --- [jbom] (_) /_ ____ ____ ___
2023-01-29 21:29:20:253 TRACE --- [jbom] / / __ \/ __ \/ __ `__ \
2023-01-29 21:29:20:254 TRACE --- [jbom] / / /_/ / /_/ / / / / / /
2023-01-29 21:29:20:254 TRACE --- [jbom] __/ /_.___/\____/_/ /_/ /_/
2023-01-29 21:29:20:254 TRACE --- [jbom] /___/
2023-01-29 21:29:20:254 TRACE --- [jbom]
2023-01-29 21:29:20:254 TRACE --- [jbom] by Contrast Security - https://contrastsecurity.com
2023-01-29 21:29:20:254 TRACE --- [jbom]
2023-01-29 21:29:20:254 TRACE --- [jbom] jbom generates SBOMs for all JVMs running on a host
2023-01-29 21:29:20:254 TRACE --- [jbom] https://github.com/Contrast-Security-OSS/jbom
2023-01-29 21:29:20:254 TRACE --- [jbom]

planetlevel commented 1 year ago

Ok, let’s see what’s going on. Can you run with --debug?

avermeer commented 1 year ago

Sure, here's the output. It looks like JBom finds some other local Java processes, but it fails to attach to them:

java -jar jbom-1.2.1.jar --debug
2023-01-31 14:15:49:578 TRACE --- [jbom]
2023-01-31 14:15:49:579 TRACE --- [jbom]                       _ __
2023-01-31 14:15:49:579 TRACE --- [jbom]                      (_) /_  ____  ____ ___
2023-01-31 14:15:49:579 TRACE --- [jbom]                     / / __ \/ __ \/ __ `__ \
2023-01-31 14:15:49:579 TRACE --- [jbom]                    / / /_/ / /_/ / / / / / /
2023-01-31 14:15:49:580 TRACE --- [jbom]                 __/ /_.___/\____/_/ /_/ /_/
2023-01-31 14:15:49:580 TRACE --- [jbom]                /___/
2023-01-31 14:15:49:580 TRACE --- [jbom]
2023-01-31 14:15:49:580 TRACE --- [jbom]      by Contrast Security - https://contrastsecurity.com
2023-01-31 14:15:49:580 TRACE --- [jbom]
2023-01-31 14:15:49:580 TRACE --- [jbom]       jbom generates SBOMs for all JVMs running on a host
2023-01-31 14:15:49:580 TRACE --- [jbom]          https://github.com/Contrast-Security-OSS/jbom
2023-01-31 14:15:49:580 TRACE --- [jbom]
2023-01-31 14:15:49:581 DEBUG --- [jbom] Java vendor : IBM Corporation
2023-01-31 14:15:49:581 DEBUG --- [jbom] Java version: 17.0.5
2023-01-31 14:15:50:322 DEBUG --- [jbom] Adding process: 1725 --> org.apache.catalina.startup.Bootstrap start
2023-01-31 14:15:50:625 DEBUG --- [jbom] Adding process: 9036 --> com.acme.acmeinfra.acmejarstarter.JarStarter -p 300 -pid /var/run/MonitoringAgent.pid -eav kafka /etc/aws.properties s3-eu-west-1.amazonaws.com -oaConfig /etc
2023-01-31 14:15:50:924 DEBUG --- [jbom] Adding process: 10410 --> start.jar --module=http --module=gzip
2023-01-31 14:15:51:243 DEBUG --- [jbom] Skipping process: 32767 --> jbom-1.2.1.jar --debug
2023-01-31 14:15:51:249 DEBUG --- [jbom] Adding process: 328 --> <no information available>
2023-01-31 14:15:51:264 TRACE --- [jbom] Detected 4 local Java processes
2023-01-31 14:15:51:264 TRACE --- [jbom]   10410 (start.jar --module=http --module=gzip)
2023-01-31 14:15:51:264 TRACE --- [jbom]   1725 (org.apache.catalina.startup.Bootstrap start)
2023-01-31 14:15:51:264 TRACE --- [jbom]   328 (<no information available>)
2023-01-31 14:15:51:264 TRACE --- [jbom]   9036 (com.acme.acmeinfra.acmejarstarter.JarStarter -p 300 -pid /var/run/MonitoringAgent.pid -eav kafka /etc/aws.properties s3-eu-west-1.amazonaws.com -oaConfig /etc)
2023-01-31 14:15:51:265 TRACE --- [jbom]
2023-01-31 14:15:51:265 TRACE --- [jbom] Starting analysis...
2023-01-31 14:15:51:265 TRACE --- [jbom]
2023-01-31 14:15:51:265 TRACE --- [jbom]   1: 10410 (start.jar --module=http --module=gzip)
2023-01-31 14:15:51:267 TRACE --- [jbom]      Analyzing...
2023-01-31 14:15:54:612 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-10410.json
2023-01-31 14:15:54:612 TRACE --- [jbom]
2023-01-31 14:15:54:612 TRACE --- [jbom]   2: 1725 (org.apache.catalina.startup.Bootstrap start)
2023-01-31 14:15:54:612 TRACE --- [jbom]      Analyzing...
2023-01-31 14:16:10:099 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-1725.json
2023-01-31 14:16:10:099 TRACE --- [jbom]
2023-01-31 14:16:10:099 TRACE --- [jbom]   3: 328 (<no information available>)
2023-01-31 14:16:10:100 TRACE --- [jbom]      Analyzing...
Unable to attach with regular provider:
java.lang.IllegalStateException: Error during attachment using: net.bytebuddy.agent.ByteBuddyAgent$AttachmentProvider$Compound@1c9d4e08
        at net.bytebuddy.agent.ByteBuddyAgent.install(ByteBuddyAgent.java:639)
        at net.bytebuddy.agent.ByteBuddyAgent.attach(ByteBuddyAgent.java:299)
        at com.contrastsecurity.Jbom.attachWithFallback(Jbom.java:443)
        at com.contrastsecurity.Jbom.attach(Jbom.java:429)
        at com.contrastsecurity.Jbom.doLocalProcess(Jbom.java:156)
        at com.contrastsecurity.Jbom.run(Jbom.java:117)
        at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
        at picocli.CommandLine.access$1300(CommandLine.java:145)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
        at picocli.CommandLine.execute(CommandLine.java:2078)
        at com.contrastsecurity.Jbom.main(Jbom.java:73)
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at net.bytebuddy.agent.Attacher.install(Attacher.java:102)
        at net.bytebuddy.agent.ByteBuddyAgent.install(ByteBuddyAgent.java:634)
        ... 14 more
Caused by: com.sun.tools.attach.AttachNotSupportedException: target 328 not found
        at jdk.attach/com.ibm.tools.attach.attacher.OpenJ9VirtualMachine.attachTargetImpl(OpenJ9VirtualMachine.java:151)
        at jdk.attach/com.ibm.tools.attach.attacher.OpenJ9VirtualMachine.lambda$attachTarget$1(OpenJ9VirtualMachine.java:129)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:748)
        at jdk.attach/com.ibm.tools.attach.attacher.OpenJ9VirtualMachine.attachTarget(OpenJ9VirtualMachine.java:131)
        at jdk.attach/com.ibm.tools.attach.attacher.OpenJ9AttachProvider.attachVirtualMachine(OpenJ9AttachProvider.java:65)
        at jdk.attach/com.ibm.tools.attach.attacher.OpenJ9AttachProvider.attachVirtualMachine(OpenJ9AttachProvider.java:47)
        at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
        ... 20 more
Unable to attach with fallback provider:
java.lang.IllegalStateException: No compatible attachment provider is available
        at net.bytebuddy.agent.ByteBuddyAgent.install(ByteBuddyAgent.java:628)
        at net.bytebuddy.agent.ByteBuddyAgent.attach(ByteBuddyAgent.java:299)
        at com.contrastsecurity.Jbom.attachWithFallback(Jbom.java:449)
        at com.contrastsecurity.Jbom.attach(Jbom.java:429)
        at com.contrastsecurity.Jbom.doLocalProcess(Jbom.java:156)
        at com.contrastsecurity.Jbom.run(Jbom.java:117)
        at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
        at picocli.CommandLine.access$1300(CommandLine.java:145)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
        at picocli.CommandLine.execute(CommandLine.java:2078)
        at com.contrastsecurity.Jbom.main(Jbom.java:73)
2023-01-31 14:16:10:110 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-328.json
2023-01-31 14:16:10:110 TRACE --- [jbom]
2023-01-31 14:16:10:110 TRACE --- [jbom]   4: 9036 (com.acme.acmeinfra.acmejarstarter.JarStarter -p 300 -pid /var/run/MonitoringAgent.pid -eav kafka /etc/aws.properties s3-eu-west-1.amazonaws.com -oaConfig /etc)
2023-01-31 14:16:10:110 TRACE --- [jbom]      Analyzing...
2023-01-31 14:16:11:048 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-9036.json
2023-01-31 14:16:11:048 TRACE --- [jbom]
2023-01-31 14:16:11:049 TRACE --- [jbom] jbom complete

Note: the Java Runtime installed on this Linux machine can be downloaded for free from https://developer.ibm.com/languages/java/semeru-runtimes/downloads/

planetlevel commented 1 year ago

It looks like it successfully SBOMs for three of the four processes (check the /mnt/sbom directory). Are any of them the process you were interested in? I'm not sure about 328. It looks to me like that process was gone by the time jbom tried to attach to it.
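The debug log above can be reconciled per PID, which separates targets that were analyzed from targets where both attach attempts failed yet a "Saving SBOM" line was still printed. This is an added example, not part of the thread or of jbom: the function names are hypothetical, the sample lines are abridged from the output posted above, and the regexes assume the log format stays as shown there.

```python
import re

# Lines abridged from the --debug output posted above (stack traces shortened).
SAMPLE_LOG = """\
2023-01-31 14:15:51:265 TRACE --- [jbom]   1: 10410 (start.jar --module=http --module=gzip)
2023-01-31 14:15:54:612 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-10410.json
2023-01-31 14:16:10:099 TRACE --- [jbom]   3: 328 (<no information available>)
Unable to attach with regular provider:
Caused by: com.sun.tools.attach.AttachNotSupportedException: target 328 not found
Unable to attach with fallback provider:
java.lang.IllegalStateException: No compatible attachment provider is available
2023-01-31 14:16:10:110 TRACE --- [jbom]      Saving SBOM to /mnt/jbom/jbom-328.json
"""

TARGET = re.compile(r"\[jbom\]\s+\d+: (\d+) \((.*)\)\s*$")
SAVED = re.compile(r"\[jbom\]\s+Saving SBOM to (\S+)")
ATTACH_FAIL = re.compile(r"^Unable to attach with (regular|fallback) provider:")
CAUSE = re.compile(r"^Caused by: (\S+): (.*)$")


def triage(log_text):
    """Return {pid: {...}} describing each analysis pass in a jbom log."""
    results, current = {}, None
    for line in log_text.splitlines():
        if m := TARGET.search(line):
            current = results.setdefault(int(m.group(1)), {
                "command": m.group(2), "attach_failures": [],
                "cause": None, "sbom_path": None})
        elif current is None:
            continue  # banner and process-discovery lines
        elif m := ATTACH_FAIL.match(line):
            current["attach_failures"].append(m.group(1))
        elif m := CAUSE.match(line):
            current["cause"] = m.group(2)  # last "Caused by" with a message wins
        elif m := SAVED.search(line):
            current["sbom_path"] = m.group(1)
    return results


def suspect_sboms(results):
    """PIDs with a 'Saving SBOM' line although both attach attempts failed."""
    return sorted(pid for pid, r in results.items()
                  if r["sbom_path"] and len(r["attach_failures"]) == 2)


def missing_on_disk(results, files_present):
    """Paths the log says were saved but that a directory listing lacks."""
    return sorted(r["sbom_path"] for r in results.values()
                  if r["sbom_path"] and r["sbom_path"] not in files_present)
```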

avermeer commented 1 year ago

In my /mnt/jbom directory I found 2 SBOMs.

But you probably made a good catch: some Java processes running on this Linux machine are "short-running" ones.

3 of the Java processes on this machine are "long-running" ones, including an Apache Solr server for which jbom failed to generate an SBOM, probably because it exited when trying to inspect the short-running process that stopped while it was inspected.

Is there an option to make jbom more resilient to short-running Java processes, i.e., make it able to skip processes just exiting to catch at least all long-running ones?

planetlevel commented 1 year ago

Hmm... not sure if there's a good way to do that. Maybe jbom could add a shutdown hook that would wait until jbom is finished. Anyone want to try implementing this? https://www.baeldung.com/jvm-shutdown-hooks

planetlevel commented 1 year ago

Closing this as jbom seems to be running fine on OpenJ9