Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java archive is listed twice #2130

Closed
tafli opened this issue Sep 14, 2023 · 0 comments · Fixed by #2220
Closed

Java archive is listed twice #2130

tafli opened this issue Sep 14, 2023 · 0 comments · Fixed by #2220
Labels
bug Something isn't working

Comments

@tafli
Copy link

tafli commented Sep 14, 2023

What happened:
Having a Java archive that is not named as taken from the Maven repository, it is listed as two components when scanning with Syft. One component is recognized as the correct one, the second is named like the file name. Additionally, the wrong component takes its version from the versioning information present in the jar file.

Unfortunately, this naming behavior happens, when using build plugins, namely SBT native packager. It renames dependencies with its full organizational name: jackson-core-2.15.2.jar becomes com.fasterxml.jackson.core.jackson-core-2.15.2.jar.

What you expected to happen:
The component is listed only once, with the correct name and version.

Steps to reproduce the issue:
Download a Java archive from a Maven repo, scan it with Syft (1 component), rename and rescan it (2 components):

$ wget https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.2/jackson-core-2.15.2.jar
$ syft jackson-core-2.15.2.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME          VERSION  TYPE
jackson-core  2.15.2   java-archive

$ mv jackson-core-2.15.2.jar com.fasterxml.jackson.core.jackson-core-2.15.2.jar
$ syft com.fasterxml.jackson.core.jackson-core-2.15.2.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [2 packages]
NAME                                     VERSION  TYPE
com.fasterxml.jackson.core.jackson-core  2.15.2   java-archive
jackson-core                             2.15.2   java-archive

$ mv com.fasterxml.jackson.core.jackson-core-2.15.2.jar myFancyPackage.jar
$ syft myFancyPackage.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [2 packages]
NAME            VERSION  TYPE
jackson-core    2.15.2   java-archive
myFancyPackage  2.15.2   java-archive

Anything else we need to know?:
If a Java archive consists only out of META-INF files, the wrong component is shown only:

$ wget https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-web/3.1.3/spring-boot-starter-web-3.1.3.jar
$ syft spring-boot-starter-web-3.1.3.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME                     VERSION  TYPE
spring-boot-starter-web  3.1.3    java-archive

$ mv spring-boot-starter-web-3.1.3.jar spring-boot.jar
$ syft spring-boot.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME         VERSION  TYPE
spring-boot  3.1.3    java-archive

Environment:
Application: syft
Version: 0.90.0
BuildDate: 2023-09-11T21:22:00Z
GitCommit: b82c0ff
GitDescription: v0.90.0
Platform: darwin/amd64
GoVersion: go1.21.0
Compiler: gc

@tafli tafli added the bug Something isn't working label Sep 14, 2023
wagoodman added a commit that referenced this issue Oct 12, 2023
wagoodman added a commit that referenced this issue Oct 12, 2023
@wagoodman wagoodman moved this to In Review in OSS Oct 12, 2023
wagoodman added a commit that referenced this issue Oct 19, 2023
* account for maven bundle plugin and fix filename matching

Signed-off-by: Alex Goodman <[email protected]>

* add in-repo jar tests based on metadata to cover #2130

Signed-off-by: Alex Goodman <[email protected]>

* tests: fix test merge commit

Signed-off-by: Christopher Phillips <[email protected]>

---------

Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Co-authored-by: Christopher Angelo Phillips <[email protected]>
Co-authored-by: Christopher Phillips <[email protected]>
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Oct 19, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024
* account for maven bundle plugin and fix filename matching

Signed-off-by: Alex Goodman <[email protected]>

* add in-repo jar tests based on metadata to cover anchore#2130

Signed-off-by: Alex Goodman <[email protected]>

* tests: fix test merge commit

Signed-off-by: Christopher Phillips <[email protected]>

---------

Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Co-authored-by: Christopher Angelo Phillips <[email protected]>
Co-authored-by: Christopher Phillips <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Archived in project
1 participant