Open oliverchang opened 2 years ago
Maybe something like this?
https://github.com/quay/claircore/blob/v1.4.13/java/jar/jar.go#L69
I don't have a lot of familiarity with it, but jar is just a container format. It should be possible to extract package and version info from it. Is this what we need: all packages and versions used for all OSS dependencies?
My Docker images contain a spring-boot "fat" jar (an executable jar containing other jars) and the scanner reports only the vulnerabilities of the OS, not the ones of my Java application. On the contrary, Trivy reports both.
This issue has not had any activity for 60 days and will be automatically closed in two weeks.
The osv-scanner should be able to scan .jar files.
I'm not very familiar with this, but we could potentially match .jar files by hash against the Maven registry to get the package + version.
I think .jar files can also embed other .jar files inside as well.
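To make the ideas in this thread concrete (jar as a container format, Maven coordinates recoverable from inside it, a hash for registry lookup, and nested jars inside a spring-boot "fat" jar), here is an added example that is not osv-scanner's or claircore's code. It builds a constructed fat jar in memory with hypothetical coordinates, then walks it: every jar yields its SHA-1 (the value one would match against Maven Central) plus any `groupId`/`artifactId`/`version` found in `META-INF/maven/*/*/pom.properties`, and any nested `.jar` under it is scanned recursively with a depth cap. It deliberately reads only `pom.properties`; jars not built by Maven (or shaded jars that bundle several) will need the hash path or `MANIFEST.MF` heuristics instead.

```python
import hashlib
import io
import zipfile


def _build_jar(entries):
    """Build a jar (a zip) in memory from {entry_name: bytes}. Constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a library jar with Maven metadata (hypothetical coordinates).
INNER_JAR = _build_jar({
    "META-INF/maven/com.example/inner-lib/pom.properties":
        b"#Generated by Maven\ngroupId=com.example\nartifactId=inner-lib\nversion=1.2.3\n",
    "com/example/Lib.class": b"\xca\xfe\xba\xbe",
})

# Constructed sample: a spring-boot style fat jar that nests the library under BOOT-INF/lib.
FAT_JAR = _build_jar({
    "META-INF/maven/com.example/app/pom.properties":
        b"groupId=com.example\nartifactId=app\nversion=0.1.0\n",
    "BOOT-INF/lib/inner-lib-1.2.3.jar": INNER_JAR,
})


def parse_pom_properties(data):
    """Parse the key=value lines of a pom.properties file, skipping comments and blanks."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def scan_jar(data, path="<root>", depth=0, max_depth=5):
    """Return one record per jar found (the jar itself plus nested jars).

    Each record: {"path": ..., "sha1": hex digest of the jar bytes,
                  "coords": [(groupId, artifactId, version), ...]}.
    A shaded jar may carry several pom.properties, hence a list of coords.
    """
    record = {"path": path, "sha1": hashlib.sha1(data).hexdigest(), "coords": []}
    results = [record]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a valid zip: keep the hash record so the caller can still try a registry lookup.
        return results
    with zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name))
                if "artifactId" in props:
                    record["coords"].append(
                        (props.get("groupId"), props["artifactId"], props.get("version")))
            elif name.lower().endswith((".jar", ".war", ".ear")) and depth < max_depth:
                # Nested archive (e.g. BOOT-INF/lib/*.jar in a fat jar): recurse with a depth cap
                # so a malformed or deeply nested archive cannot make the scan run away.
                results.extend(scan_jar(zf.read(name), f"{path}!/{name}", depth + 1, max_depth))
    return results


if __name__ == "__main__":
    for rec in scan_jar(FAT_JAR):
        print(rec["path"], rec["sha1"][:12], rec["coords"])
```

On a real image the caller would pass the bytes of each `*.jar` found on the filesystem; records with empty `coords` are exactly the ones where the SHA-1 lookup against the Maven registry suggested above would be needed.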