Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Java archive is listed twice #2130

Closed
tafli opened this issue Sep 14, 2023 · 0 comments · Fixed by #2220
Closed

Java archive is listed twice #2130

tafli opened this issue Sep 14, 2023 · 0 comments · Fixed by #2220
Labels
bug Something isn't working

Comments

@tafli
Copy link

tafli commented Sep 14, 2023
edited
Loading

What happened:
Having a Java archive that is not named as taken from the Maven repository, it is listed as two components when scanning with Syft. One component is recognized as the correct one, the second is named like the file name. Additionally, the wrong component takes its version from the versioning information present in the jar file.

Unfortunately, this naming behavior happens, when using build plugins, namely SBT native packager. It renames dependencies with its full organizational name: jackson-core-2.15.2.jar becomes com.fasterxml.jackson.core.jackson-core-2.15.2.jar.

What you expected to happen:
The component is listed only once, with the correct name and version.

Steps to reproduce the issue:
Download a Java archive from a Maven repo, scan it with Syft (1 component), rename and rescan it (2 components):

$ wget https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.2/jackson-core-2.15.2.jar
$ syft jackson-core-2.15.2.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME          VERSION  TYPE
jackson-core  2.15.2   java-archive

$ mv jackson-core-2.15.2.jar com.fasterxml.jackson.core.jackson-core-2.15.2.jar
$ syft com.fasterxml.jackson.core.jackson-core-2.15.2.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [2 packages]
NAME                                     VERSION  TYPE
com.fasterxml.jackson.core.jackson-core  2.15.2   java-archive
jackson-core                             2.15.2   java-archive

$ mv com.fasterxml.jackson.core.jackson-core-2.15.2.jar myFancyPackage.jar
$ syft myFancyPackage.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [2 packages]
NAME            VERSION  TYPE
jackson-core    2.15.2   java-archive
myFancyPackage  2.15.2   java-archive

Anything else we need to know?:
If a Java archive consists only out of META-INF files, the wrong component is shown only:

$ wget https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-web/3.1.3/spring-boot-starter-web-3.1.3.jar
$ syft spring-boot-starter-web-3.1.3.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME                     VERSION  TYPE
spring-boot-starter-web  3.1.3    java-archive

$ mv spring-boot-starter-web-3.1.3.jar spring-boot.jar
$ syft spring-boot.jar
 ✔ Indexed file system                                                                                                                               /Users/abos/Downloads
 ✔ Cataloged packages              [1 packages]
NAME         VERSION  TYPE
spring-boot  3.1.3    java-archive

Environment:
Application: syft
Version: 0.90.0
BuildDate: 2023-09-11T21:22:00Z
GitCommit: b82c0ff
GitDescription: v0.90.0
Platform: darwin/amd64
GoVersion: go1.21.0
Compiler: gc
@tafli tafli added the bug Something isn't working label Sep 14, 2023
@hainenber hainenber mentioned this issue Sep 17, 2023
Closed
@wagoodman wagoodman mentioned this issue Oct 12, 2023
Merged
3 tasks
wagoodman added a commit that referenced this issue Oct 12, 2023
@wagoodman
add in-repo jar tests based on metadata to cover #2130
237cffc 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman moved this to In Review in OSS Oct 12, 2023
wagoodman added a commit that referenced this issue Oct 19, 2023
@wagoodman @spiffcs
Account for maven bundle plugin and fix filename matching (#2220)
07f1304 
* account for maven bundle plugin and fix filename matching

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add in-repo jar tests based on metadata to cover #2130

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* tests: fix test merge commit

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Oct 19, 2023
@chenrui333 chenrui333 mentioned this issue Oct 21, 2023
Merged
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024
@wagoodman @spiffcs
Account for maven bundle plugin and fix filename matching (anchore#2220)
bf0517b 
* account for maven bundle plugin and fix filename matching

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add in-repo jar tests based on metadata to cover anchore#2130

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* tests: fix test merge commit

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
1 participant
@tafli