Java archive is listed twice #2130
Labels: bug (Something isn't working)
wagoodman added a commit that referenced this issue on Oct 12, 2023:
Signed-off-by: Alex Goodman <[email protected]>
wagoodman added a commit that referenced this issue on Oct 12, 2023:
Signed-off-by: Alex Goodman <[email protected]>
wagoodman added a commit that referenced this issue on Oct 19, 2023:
* account for maven bundle plugin and fix filename matching
Signed-off-by: Alex Goodman <[email protected]>
* add in-repo jar tests based on metadata to cover #2130
Signed-off-by: Alex Goodman <[email protected]>
* tests: fix test merge commit
Signed-off-by: Christopher Phillips <[email protected]>
---------
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Co-authored-by: Christopher Angelo Phillips <[email protected]>
Co-authored-by: Christopher Phillips <[email protected]>
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue on Feb 19, 2024:
* account for maven bundle plugin and fix filename matching
Signed-off-by: Alex Goodman <[email protected]>
* add in-repo jar tests based on metadata to cover anchore#2130
Signed-off-by: Alex Goodman <[email protected]>
* tests: fix test merge commit
Signed-off-by: Christopher Phillips <[email protected]>
---------
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Co-authored-by: Christopher Angelo Phillips <[email protected]>
Co-authored-by: Christopher Phillips <[email protected]>
What happened:
When a Java archive is not named the way it is in the Maven repository, it is listed as two components when scanning with Syft. One component is recognized as the correct one; the second is named after the file name. Additionally, the wrong component takes its version from the versioning information present in the jar file.
Unfortunately, this naming behavior happens when using build plugins, namely the SBT native packager. It renames dependencies with their full organizational name: jackson-core-2.15.2.jar becomes com.fasterxml.jackson.core.jackson-core-2.15.2.jar.
What you expected to happen:
The component is listed only once, with the correct name and version.
Steps to reproduce the issue:
Download a Java archive from a Maven repo, scan it with Syft (1 component), rename and rescan it (2 components):
Anything else we need to know?:
If a Java archive consists only of META-INF files, only the wrong component is shown:
Environment:
Application: syft
Version: 0.90.0
BuildDate: 2023-09-11T21:22:00Z
GitCommit: b82c0ff
GitDescription: v0.90.0
Platform: darwin/amd64
GoVersion: go1.21.0
Compiler: gc
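The duplicate described in this issue matters beyond tidiness: an SBOM that carries a second, filename-derived component with a version pulled from the jar's own versioning metadata will be matched against vulnerability data under the wrong name and version, producing noise or missed findings. The following is an added example, not Syft's own code, of how a jar cataloger can reconcile filename evidence with pom.properties so that an archive named either `jackson-core-2.15.2.jar` or `com.fasterxml.jackson.core.jackson-core-2.15.2.jar` (the two spellings from the report above) yields one package. The types and functions (`PomProps`, `parseFilename`, `filenameMatchesPom`, `catalogJar`) are hypothetical names for this illustration; the sample filenames and metadata are constructed from the issue text. It also covers the "only META-INF files" case from the report, where no pom metadata exists and the filename is the only evidence, and it generalizes to `-SNAPSHOT` style versions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// PomProps is the subset of META-INF/maven/<group>/<artifact>/pom.properties
// that matters for naming. Constructed for this example; not a Syft type.
type PomProps struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// Package is the single component emitted for one archive. Source records
// which evidence won so that SBOM consumers can see the provenance.
type Package struct {
	Name    string
	Version string
	Source  string // "pom" or "filename"
}

// versionSplit marks the first "-<digit>" boundary in a Maven style
// "name-version" base name; everything after it (including "-SNAPSHOT") is
// the version, everything before it is the name.
var versionSplit = regexp.MustCompile(`-(\d.*)$`)

// parseFilename derives (name, version) from the jar filename alone, the way
// a filename-only heuristic would. "com.fasterxml.jackson.core.jackson-core-2.15.2.jar"
// yields ("com.fasterxml.jackson.core.jackson-core", "2.15.2").
func parseFilename(filename string) (name, version string) {
	base := strings.TrimSuffix(path.Base(filename), path.Ext(filename))
	m := versionSplit.FindStringSubmatchIndex(base)
	if m == nil {
		return base, "" // no recognizable version component
	}
	return base[:m[0]], base[m[2]:m[3]]
}

// filenameMatchesPom reports whether the filename-derived name refers to the
// same artifact as the pom metadata. It accepts the plain "artifactId" form
// and the "groupId.artifactId" form that renaming build plugins (such as the
// SBT native packager mentioned in the issue) produce.
func filenameMatchesPom(fileName string, pom PomProps) bool {
	switch fileName {
	case pom.ArtifactID, pom.GroupID + "." + pom.ArtifactID:
		return true
	}
	return false
}

// catalogJar emits packages for one archive. Pom metadata wins whenever it is
// present; the filename only contributes a package when it names something
// the metadata does not describe (e.g. an application uber-jar that bundles
// the library), so a renamed dependency is never listed twice.
func catalogJar(filename string, pom *PomProps) []Package {
	fname, fver := parseFilename(filename)
	if pom == nil || pom.ArtifactID == "" {
		// Archive with only META-INF files and no pom.properties: the filename
		// is the only evidence, so a filename-derived package is all we can emit.
		return []Package{{Name: fname, Version: fver, Source: "filename"}}
	}
	pkgs := []Package{{Name: pom.ArtifactID, Version: pom.Version, Source: "pom"}}
	if !filenameMatchesPom(fname, *pom) {
		pkgs = append(pkgs, Package{Name: fname, Version: fver, Source: "filename"})
	}
	return pkgs
}

func main() {
	// Constructed metadata matching the jackson-core example from the issue.
	pom := &PomProps{GroupID: "com.fasterxml.jackson.core", ArtifactID: "jackson-core", Version: "2.15.2"}
	for _, f := range []string{
		"jackson-core-2.15.2.jar",                            // as downloaded from a Maven repo
		"com.fasterxml.jackson.core.jackson-core-2.15.2.jar", // as renamed by the SBT native packager
		"myapp-all-2.15.2.jar",                               // uber-jar: filename names a different thing
	} {
		fmt.Printf("%-52s -> %v\n", f, catalogJar(f, pom))
	}
}
```

Both jackson spellings print a single `{jackson-core 2.15.2 pom}` entry, while the uber-jar keeps its filename-derived package alongside the bundled library, which is the distinction a cataloger needs to make: collapse only when the filename and the metadata describe the same artifact.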