cyclonedx-gradle-plugin icon indicating copy to clipboard operation
cyclonedx-gradle-plugin copied to clipboard
verified publisher icon CycloneDX

Unable to scan library in Web-INF/ Lib

Open tech-surajrk opened this issue 2 years ago • 8 comments

@stevespringett - Is there a way to scan the legacy libraries which are present in Web-INF/Lib but not part of build.gradle.

Currently when I use cyclonedx, it generates bom for all the libraries defined in build.gradle but if there is any library not part of build.gradle, it excludes those libraries from BOM

So I want to know if there is any way to define a path in build.grqdle so that cyclonedx will generate bom with libraries that is present in that path? Or is there any other solution that you can recommend?

tech-surajrk avatar May 23 '23 19:05 tech-surajrk

I don't think that's possible today with the gradle plugin. @prabhu, does cdxgen support this?

stevespringett avatar May 23 '23 20:05 stevespringett

@stevespringett Yes, cdxgen supports -t jar mode. However, it is not possible to combine this with java, so needs some enhancement and testing.

https://github.com/CycloneDX/cdxgen/blob/ef453ca771c4481b771f5dcd8db9aaef44025abe/index.js#L897

prabhu avatar May 23 '23 20:05 prabhu

@stevespringett Yes, cdxgen supports -t jar mode. However, it is not possible to combine this with java, so needs some enhancement and testing.

https://github.com/CycloneDX/cdxgen/blob/ef453ca771c4481b771f5dcd8db9aaef44025abe/index.js#L897

@prabhu My requirement is only to scan jar libraries from build.gradle + the jar libraries which are present in specific path which is not part of build.gradle.

I tried using cdxgen also but still it is also not scanning any jar library outside build.gradle. I dont know if I am missing any settings that I have to add in build.gradle to scan jar libraries from a path

tech-surajrk avatar May 24 '23 04:05 tech-surajrk

@tech-surajrk Could you share the cdxgen command used? Did you specify -t jar?

prabhu avatar May 24 '23 06:05 prabhu

@tech-surajrk Could you share the cdxgen command used? Did you specify -t jar?

@prabhu using '-t jar ' - I am able to generate bom but the group name for each component is coming as undefined or blank. Hence Dependency Track is not able to map any cve against the component Is there any way to generate correct group name for each component?

tech-surajrk avatar May 24 '23 19:05 tech-surajrk

@tech-surajrk What you're describing is a problem that is a bit more complex to solve. Essentially we need a mechanism to match an artifact to its identifier. There are a few techniques.

  • Parse the META-INF/MANIFEST.MF in the jar file and try. This is the current cdxgen approach which is quite imprecise and doesn't work for legacy jars
  • Have a hash of all jars in the world and compare to find all the properties. This approach is taken by trivy and a few commercial tools. It might work, but not fool-proof
  • Have a semantic fingerprint of all jars in the world and try to predict the closest match. Theoretical and coming to cdxgen this year if all goes well

So at this point, trivy is your best bet.

prabhu avatar May 24 '23 19:05 prabhu

I'd like to mention syfts' approach, which uses the filename as well as MANIFEST.MF. It's not perfect but it seems much more accurate than cdxgen, as most jars use the name-version.jar convention. I also strongly suspect that cdxgen's manifest parsing logic could be much improved, although vendors do lots of weird, out-of-spec things with manifest files so I don't necessarily blame cdxgen for having issue parsing these.

Eiim avatar Jun 13 '23 15:06 Eiim

@Eiim cdxgen also uses the filename as a fallback. Could you file a ticket on cdxgen about the parsing logic improvements? Happy to take it up.

prabhu avatar Jun 13 '23 15:06 prabhu