Catalog JDKs more completely #3188

Closed
kzantow opened this issue Sep 3, 2024 · 4 comments · Fixed by #3217

kzantow commented Sep 3, 2024

What would you like to be added:
A custom cataloger specifically for JDK distributions.

Why is this needed:
Today, Syft catalogs JDKs by identifying java executables with a generic binary cataloger. This works marginally well, but is only able to catalog the java executable itself. There are many other executable files and libraries associated with the JDK that are not included by this cataloging, but it would be great for Syft to be able to correctly identify these files with relationships to an identified JDK version, such as OpenJDK or Oracle JDK, etc.

Additional context:
For example, in the Docker official images, there are 25 instances of /opt/java/openjdk/bin/keytool, which a user can identify as being part of the OpenJDK but Syft does not associate with any package. If we scan the official Docker images, these files are found; for the total number of times each was found, see:

Common OpenJDK files
Executable Instances
/opt/java/openjdk/bin/keytool 25
/opt/java/openjdk/bin/rmiregistry 25
/opt/java/openjdk/lib/jexec 25
/opt/java/openjdk/bin/jfr 23
/opt/java/openjdk/bin/jrunscript 23
/opt/java/openjdk/lib/jspawnhelper 22
/opt/java/openjdk/lib/libawt.so 22
/opt/java/openjdk/lib/libawt_headless.so 22
/opt/java/openjdk/lib/libawt_xawt.so 22
/opt/java/openjdk/lib/libdt_socket.so 22
/opt/java/openjdk/lib/libextnet.so 22
/opt/java/openjdk/lib/libfontmanager.so 22
/opt/java/openjdk/lib/libinstrument.so 22
/opt/java/openjdk/lib/libj2gss.so 22
/opt/java/openjdk/lib/libj2pcsc.so 22
/opt/java/openjdk/lib/libj2pkcs11.so 22
/opt/java/openjdk/lib/libjaas.so 22
/opt/java/openjdk/lib/libjava.so 22
/opt/java/openjdk/lib/libjavajpeg.so 22
/opt/java/openjdk/lib/libjawt.so 22
/opt/java/openjdk/lib/libjdwp.so 22
/opt/java/openjdk/lib/libjimage.so 22
/opt/java/openjdk/lib/libjsig.so 22
/opt/java/openjdk/lib/libjsound.so 22
/opt/java/openjdk/lib/liblcms.so 22
/opt/java/openjdk/lib/libmanagement.so 22
/opt/java/openjdk/lib/libmanagement_agent.so 22
/opt/java/openjdk/lib/libmanagement_ext.so 22
/opt/java/openjdk/lib/libmlib_image.so 22
/opt/java/openjdk/lib/libnet.so 22
/opt/java/openjdk/lib/libnio.so 22
/opt/java/openjdk/lib/libprefs.so 22
/opt/java/openjdk/lib/librmi.so 22
/opt/java/openjdk/lib/libsctp.so 22
/opt/java/openjdk/lib/libsplashscreen.so 22
/opt/java/openjdk/lib/libverify.so 22
/opt/java/openjdk/lib/libzip.so 22
/opt/java/openjdk/lib/server/libjsig.so 22
/opt/java/openjdk/lib/server/libjvm.so 22
/opt/java/openjdk/lib/libjli.so 16
/opt/java/openjdk/lib/libjsvml.so 15
/opt/java/openjdk/lib/libsyslookup.so 15
/opt/java/openjdk/bin/jar 13
/opt/java/openjdk/bin/jarsigner 13
/opt/java/openjdk/bin/javac 13
/opt/java/openjdk/bin/javadoc 13
/opt/java/openjdk/bin/javap 13
/opt/java/openjdk/bin/jcmd 13
/opt/java/openjdk/bin/jconsole 13
/opt/java/openjdk/bin/jdeps 13
/opt/java/openjdk/bin/jinfo 13
/opt/java/openjdk/bin/jmap 13
/opt/java/openjdk/bin/jps 13
/opt/java/openjdk/bin/jstack 13
/opt/java/openjdk/bin/jstat 13
/opt/java/openjdk/bin/jstatd 13
/opt/java/openjdk/bin/serialver 13
/opt/java/openjdk/bin/jdeprscan 12
/opt/java/openjdk/bin/jhsdb 12
/opt/java/openjdk/bin/jimage 12
/opt/java/openjdk/bin/jlink 12
/opt/java/openjdk/bin/jmod 12
/opt/java/openjdk/bin/jshell 12
/opt/java/openjdk/lib/libattach.so 12
/opt/java/openjdk/lib/libsaproc.so 12
/opt/java/openjdk/bin/jpackage 11
/opt/java/openjdk/bin/rmid 10
/opt/java/openjdk/bin/jjs 9
/opt/java/openjdk/bin/pack200 9
/opt/java/openjdk/bin/unpack200 9
/opt/java/openjdk/bin/jwebserver 8
/opt/java/openjdk/lib/libfreetype.so 8
/opt/java/openjdk/lib/lible.so 8
/opt/java/openjdk/bin/jaotc 7
/opt/java/openjdk/lib/jli/libjli.so 6
/opt/java/openjdk/lib/libsunec.so 6
/opt/java/openjdk/lib/libunpack.so 6

Many of these are prevalent enough in modern software stacks that Syft should be able to accurately identify these files and associate them with the OpenJDK distribution, where applicable.

A potential solution is to create a Java / JDK cataloger for the distributions and runtimes themselves.

Another possibility is to augment the binary cataloger with some if-found-also-include relative paths or similar.

@kzantow added the enhancement New feature or request label Sep 3, 2024
@kzantow added the unknowns things syft does not detect label Sep 4, 2024
@wagoodman moved this to Ready in OSS Sep 9, 2024
@wagoodman self-assigned this Sep 9, 2024
@wagoodman moved this from Ready to In Progress in OSS Sep 9, 2024

wagoodman commented Sep 9, 2024

A good path appears to be using the release file that is published with multiple JDK distributions / packagings:

temurin

/opt/java/openjdk/release
IMPLEMENTOR="Eclipse Adoptium"
IMPLEMENTOR_VERSION="Temurin-21.0.4+7"
JAVA_RUNTIME_VERSION="21.0.4+7-LTS"
JAVA_VERSION="21.0.4"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:13710926b798"
BUILD_SOURCE="git:1271f10a26c47e1489a814dd2731f936a588d621"
BUILD_SOURCE_REPO="https://github.com/adoptium/temurin-build.git"
SOURCE_REPO="https://github.com/adoptium/jdk21u.git"
FULL_VERSION="21.0.4+7-LTS"
SEMANTIC_VERSION="21.0.4+7"
BUILD_INFO="OS: Linux Version: 5.4.0-150-generic"
JVM_VARIANT="Hotspot"
JVM_VERSION="21.0.4+7-LTS"
IMAGE_TYPE="JDK"

Zulu

/usr/lib/jvm/zulu19-ca-arm64/release

Container: azul/zulu-openjdk:19

/usr/lib/jvm/zulu19-ca-arm64/release
IMPLEMENTOR="Azul Systems, Inc."
IMPLEMENTOR_VERSION="Zulu19.32+13-CA"
JAVA_VERSION="19.0.2"
JAVA_VERSION_DATE="2023-01-17"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.concurrent jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:1c1f24d5f80e"

Packaging info:

$ apt list --installed | grep jdk

zulu19-ca-jdk-headless/now 19.0.2-1 arm64 [installed,local]
zulu19-ca-jdk/now 19.0.2-1 arm64 [installed,local]
zulu19-jdk-headless/now 19.0.2-1 arm64 [installed,local]
zulu19-jdk/now 19.0.2-1 arm64 [installed,local]

amazoncorretto

/usr/lib/jvm/java-17-amazon-corretto/release

Container: amazoncorretto:17

IMPLEMENTOR="Amazon.com Inc."
IMPLEMENTOR_VERSION="Corretto-17.0.12.7.1"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:e1b855efb571+"

Packaging info:

$ yum list installed | grep -i java

java-17-amazon-corretto-devel.aarch64  1:17.0.12.7-1             @AmazonCorretto

redhat

/usr/lib/jvm/java-17-openjdk-17.0.12.0.7-2.el8.aarch64/release

After installing java-17-openjdk

IMPLEMENTOR="Red Hat, Inc."
IMPLEMENTOR_VERSION="(Red_Hat-17.0.12.0.7-1)"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:833f65ecb304"

AdoptOpenJDK (now temurin)

/opt/java/openjdk/release
IMPLEMENTOR="AdoptOpenJDK"
IMPLEMENTOR_VERSION="AdoptOpenJDK"
JAVA_VERSION="13"
JAVA_VERSION_DATE="2019-09-17"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.vm.ci jdk.management jdk.unsupported jdk.internal.vm.compiler jdk.aot jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.internal.le jdk.internal.opt jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.pack jdk.rmic jdk.scripting.nashorn jdk.scripting.nashorn.shell jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Linux"
SOURCE=".:git:9ae5c5c153c2"

IBM semeru

/opt/java/openjdk/release
IMPLEMENTOR="IBM Corporation"
IMPLEMENTOR_VERSION="17.0.12.0"
JAVA_RUNTIME_VERSION="17.0.12+7"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.jvmstat jdk.internal.le jdk.internal.opt jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.localedata jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs openj9.criu openj9.cuda openj9.dataaccess openj9.traceformat openj9.dtfj openj9.dtfjview openj9.gpu openj9.jvm openj9.sharedclasses openj9.zosconditionhandling"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE="OpenJDK:784bd66222d OpenJ9:1a6f6128aa OMR:840a9adba"
BUILD_SOURCE="git:f04d3055313d878acb10deb842f530a4d58abbeb"
BUILD_SOURCE_REPO="https://github.com/ibmruntimes/temurin-build.git"
SOURCE_REPO="[email protected]:ibmruntimes/openj9-openjdk-jdk17.git"
FULL_VERSION="17.0.12+7"
SEMANTIC_VERSION="17.0.12+7"
BUILD_INFO="OS: Linux Version: 5.15.0-116-generic"
JVM_VARIANT="Openj9"
JVM_VERSION="openj9-0.46.0"
IMAGE_TYPE="JDK"

Bellsoft

/usr/lib/jvm/jdk-22.0.2-bellsoft-aarch64/release

Container: bellsoft/liberica-openjdk-alpine-musl

IMPLEMENTOR="BellSoft"
JAVA_RUNTIME_VERSION="22.0.2+11"
JAVA_VERSION="22.0.2"
JAVA_VERSION_DATE="2024-07-16"
LIBC="musl"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.cryptoki jdk.crypto.ec jdk.dynalink jdk.internal.ed jdk.editpad jdk.internal.vm.ci jdk.graal.compiler jdk.graal.compiler.management jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:3c59d31b491b+"

Microsoft build of OpenJDK

/usr/lib/jvm/msopenjdk-17/release

Container: mcr.microsoft.com/openjdk/jdk:17-mariner

IMPLEMENTOR="Microsoft"
IMPLEMENTOR_VERSION="Microsoft-9889599"
JAVA_RUNTIME_VERSION="17.0.12+7-LTS"
JAVA_VERSION="17.0.12"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:90e61ab18a94"

Packaging info:

$ rpm -qa | grep -i jdk
msopenjdk-17-17.0.12-1.aarch64

sapmachine

/usr/lib/jvm/sapmachine-16/release

Container: sapmachine/stable:latest

IMPLEMENTOR="SAP SE"
IMPLEMENTOR_VERSION="SapMachine"
JAVA_VERSION="16.0.2"
JAVA_VERSION_DATE="2021-07-22"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.vm.ci jdk.management jdk.unsupported jdk.internal.vm.compiler jdk.aot jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Linux"
SOURCE=".:git:d3d2485b59d7"

Packaging info:

apt list --installed | grep jdk

sapmachine-16-jdk/now 16.0.2 amd64 [installed,local]

Oracle JDK

/usr/lib/jvm/jdk-22.0.2-oracle-aarch64/release
docker run --rm -it oraclelinux:8 bash
curl -O https://download.oracle.com/java/22/latest/jdk-22_linux-aarch64_bin.rpm
rpm -ivh ./jdk*.rpm

IMPLEMENTOR="Oracle Corporation"
JAVA_RUNTIME_VERSION="22.0.2+9-70"
JAVA_VERSION="22.0.2"
JAVA_VERSION_DATE="2024-07-16"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.internal.opt jdk.zipfs jdk.compiler jdk.crypto.cryptoki jdk.crypto.ec jdk.dynalink jdk.internal.ed jdk.editpad jdk.internal.vm.ci jdk.graal.compiler jdk.graal.compiler.management jdk.hotspot.agent jdk.httpserver jdk.incubator.vector jdk.internal.le jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="aarch64"
OS_NAME="Linux"
SOURCE=".:git:5b97d5323482 open:git:8153097cea20"

I haven't been able to find any JEPs that define this file in detail (so far only some distant references here), but for the temurin flavor, here's the PR that put in this enhancement (thus, where these fields are derived from): https://github.com/adoptium/temurin-build/pull/2049/files .

In terms of associating files with each distribution, it would be all sibling and child files found relative to the release file.

Something to note: some of these above examples are already packaged in RPMs, which we don't want to additionally catalog. Instead, we're interested in unpackaged distributions.
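
The approach described in the comment above, as an added Go example that is not Syft's own code: it parses a `release` file, derives vendor and version, and claims the sibling and child files while skipping paths an OS package already owns. The `JDK` type, the function names, the version fallback order and the file listing are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Excerpts of the release files quoted above (MODULES and other keys omitted).
const temurinRelease = `IMPLEMENTOR="Eclipse Adoptium"
JAVA_RUNTIME_VERSION="21.0.4+7-LTS"
JAVA_VERSION="21.0.4"
IMAGE_TYPE="JDK"
`
const zuluRelease = `IMPLEMENTOR="Azul Systems, Inc."
JAVA_VERSION="19.0.2"
`

// JDK is a hypothetical package record built from one release file.
type JDK struct{ Root, Vendor, Version, ImageType string }

// ParseRelease reads KEY="value" lines into a map, dropping the quotes.
func ParseRelease(content string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		key, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if ok && key != "" {
			fields[key] = strings.Trim(strings.TrimSpace(val), `"`)
		}
	}
	return fields
}

// Identify prefers JAVA_RUNTIME_VERSION (carries the build number) and falls
// back to JAVA_VERSION, which is all the Zulu sample provides (assumed policy).
func Identify(releasePath, content string) (JDK, bool) {
	f := ParseRelease(content)
	version := f["JAVA_RUNTIME_VERSION"]
	if version == "" {
		version = f["JAVA_VERSION"]
	}
	if version == "" {
		return JDK{}, false // no version key: not a usable release file
	}
	return JDK{Root: path.Dir(releasePath), Vendor: f["IMPLEMENTOR"], Version: version, ImageType: f["IMAGE_TYPE"]}, true
}

// OwnedFiles returns the siblings and children of the release file, skipping
// paths an OS package (RPM/deb) already claims so they are not cataloged twice.
func OwnedFiles(j JDK, all []string, osOwned map[string]bool) []string {
	prefix := strings.TrimSuffix(j.Root, "/") + "/"
	var out []string
	for _, p := range all {
		if strings.HasPrefix(path.Clean(p), prefix) && !osOwned[p] {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	files := []string{ // constructed file listing
		"/opt/java/openjdk/release", "/opt/java/openjdk/bin/keytool",
		"/opt/java/openjdk/lib/server/libjvm.so", "/opt/java/openjdk-extra/bin/tool",
	}
	j, _ := Identify("/opt/java/openjdk/release", temurinRelease)
	fmt.Printf("%+v owns %v\n", j, OwnedFiles(j, files, nil))
}
```

The trailing slash on the prefix is what keeps a neighbouring directory such as `/opt/java/openjdk-extra` from being attributed to the JDK rooted at `/opt/java/openjdk`.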


westonsteimel commented Sep 9, 2024

I'm not sure if it adds anything you haven't already looked at, but I had captured some similar notes over on #2422 (comment)


wagoodman commented Sep 9, 2024

Indeed -- I was going to link these two issues together and close them in an upcoming PR. I'm using your notes to try and get the crafted CPEs and purl correct 🤞 .

@witchcraze

This will also solve #1426, I think.

And please let me share one episode I faced recently.
We received light contact from Oracle about Java usage, but we could not confirm usage status immediately, especially in container environments.
If Syft can detect OracleJDK, it will be an important factor in using Syft.

As OracleJDK 17 under NFTC (free license) will end soon, Oracle seems more active...
https://www.theregister.com/2024/06/10/fortune_200_oracle_java_audit/

@wagoodman moved this from In Progress to In Review in OSS Sep 10, 2024
@github-project-automation bot moved this from In Review to Done in OSS Sep 23, 2024