Presently, when we use jlink to create a custom JVM, we do not include runtime SBOM data because you're not including a full JDK or JRE, it's a hybrid. Because it's a custom JVM, it's not clear what information should go into the SBOM. Putting in a full JDK would very likely cause false positive issue detection with scanners, and not putting it means we are missing important data.
Presently, you would need to look at the build-time SBOM data to see that a JDK was used.
Possible Solution
Unsure. More investigation needs to be done to see how we can represent this situation in SBOM data. The solution needs to also be compatible across Syft and CycloneDX (i.e. it cannot be a Syft specific solution).
Describe the Enhancement
Presently, when we use
jlinkto create a custom JVM, we do not include runtime SBOM data because you're not including a full JDK or JRE, it's a hybrid. Because it's a custom JVM, it's not clear what information should go into the SBOM. Putting in a full JDK would very likely cause false positive issue detection with scanners, and not putting it means we are missing important data.Presently, you would need to look at the build-time SBOM data to see that a JDK was used.
Possible Solution
Unsure. More investigation needs to be done to see how we can represent this situation in SBOM data. The solution needs to also be compatible across Syft and CycloneDX (i.e. it cannot be a Syft specific solution).
Motivation
More accurate SBOM information.