google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

osv-scanner: Scan .jar files #9

Open oliverchang opened 2 years ago

oliverchang commented 2 years ago

The osv-scanner should be able to scan .jar files.

I'm not very familiar with this, but we could potentially match .jar files by hash against the Maven registry to get the package + version.

I think .jar files can also embed other .jar files inside as well.

zinderic commented 1 year ago

Maybe something like this?

https://github.com/quay/claircore/blob/v1.4.13/java/jar/jar.go#L69

I don't have a lot of familiarity with it but jar is just a container format. It should be possible to extract package and version info from it. Is this what we need - all packages and versions used for all oss dependencies?

pnavato commented 11 months ago

My Docker images contain a spring-boot "fat" jar (an executable jar containing other jars) and the scanner reports only the vulnerabilities of the OS, not the ones of my Java application. On the contrary, Trivy reports both.
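The two ideas raised in this thread, reading Maven coordinates out of a jar and recursing into jars embedded in a fat jar, combined into one added example. This is illustration code written for this page, not osv-scanner's or claircore's implementation: the `Artifact` type, the `scanJar`/`parsePomProperties`/`buildJar` functions and the `org.example` coordinates are all constructed here. It treats a jar as the zip container it is, collects every `META-INF/maven/<groupId>/<artifactId>/pom.properties` it finds, records the SHA-1 of each jar's bytes (the value a registry hash lookup would key on when no `pom.properties` is present), and descends into nested `.jar` entries such as `BOOT-INF/lib/*.jar` in a Spring Boot executable jar.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"strings"
)

// Artifact is one Maven coordinate recovered from a jar (hypothetical type, not osv-scanner's).
type Artifact struct {
	GroupID, ArtifactID, Version string
	SHA1                         string // hex SHA-1 of the jar bytes, for a registry hash lookup
	Path                         string // where inside the outer jar the artifact was found
}

// parsePomProperties reads the key=value lines Maven writes to
// META-INF/maven/<groupId>/<artifactId>/pom.properties.
func parsePomProperties(r io.Reader) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props
}

// scanJar walks a jar held in memory, records every pom.properties it finds and
// recurses into nested .jar entries (e.g. BOOT-INF/lib/*.jar in a Spring Boot fat jar).
// location is a human-readable path like "app.jar!/BOOT-INF/lib/x.jar".
func scanJar(data []byte, location string, depth int) ([]Artifact, error) {
	if depth > 8 {
		return nil, fmt.Errorf("%s: jar nesting too deep", location)
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", location, err)
	}
	sum := sha1.Sum(data)
	var found []Artifact
	for _, f := range zr.File {
		switch {
		case strings.HasPrefix(f.Name, "META-INF/maven/") && path.Base(f.Name) == "pom.properties":
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			props := parsePomProperties(rc)
			rc.Close()
			found = append(found, Artifact{
				GroupID: props["groupId"], ArtifactID: props["artifactId"], Version: props["version"],
				SHA1: hex.EncodeToString(sum[:]), Path: location,
			})
		case strings.HasSuffix(f.Name, ".jar"):
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			// Cap the decompressed size so a hostile archive cannot exhaust memory.
			inner, err := io.ReadAll(io.LimitReader(rc, 64<<20))
			rc.Close()
			if err != nil {
				return nil, err
			}
			nested, err := scanJar(inner, location+"!/"+f.Name, depth+1)
			if err != nil {
				return nil, err
			}
			found = append(found, nested...)
		}
	}
	return found, nil
}

// buildJar constructs an in-memory jar from entry name -> contents (constructed test data).
func buildJar(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, _ := zw.Create(name)
		w.Write(content)
	}
	zw.Close()
	return buf.Bytes()
}

// sampleFatJar builds a constructed Spring-Boot-style fat jar: an application with its own
// pom.properties plus one library jar under BOOT-INF/lib/. All coordinates are made up.
func sampleFatJar() []byte {
	lib := buildJar(map[string][]byte{
		"META-INF/maven/org.example.lib/demo-lib/pom.properties": []byte("# constructed\ngroupId=org.example.lib\nartifactId=demo-lib\nversion=1.2.3\n"),
		"org/example/lib/Foo.class": []byte("\xca\xfe\xba\xbe"),
	})
	return buildJar(map[string][]byte{
		"META-INF/MANIFEST.MF": []byte("Manifest-Version: 1.0\n"),
		"META-INF/maven/org.example/demo-app/pom.properties": []byte("groupId=org.example\nartifactId=demo-app\nversion=0.1.0\n"),
		"BOOT-INF/lib/demo-lib-1.2.3.jar": lib,
	})
}

func main() {
	arts, err := scanJar(sampleFatJar(), "app.jar", 0)
	if err != nil {
		panic(err)
	}
	for _, a := range arts {
		fmt.Printf("%s:%s:%s sha1=%s at %s\n", a.GroupID, a.ArtifactID, a.Version, a.SHA1, a.Path)
	}
}
```

Running it lists both the application coordinate found at `app.jar` and the library coordinate found at `app.jar!/BOOT-INF/lib/demo-lib-1.2.3.jar`, which is exactly the information a scanner needs to query OSV for the Java dependencies inside an image rather than only the OS packages. Shaded or relocated jars that drop `pom.properties` fall back to the recorded SHA-1 for a hash-based lookup.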

github-actions[bot] commented 2 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks.