Unexpected logs `WARN unable to resolve java package identifier` on scanning AWS CDK

Open metametadata opened this issue 1 year ago • 1 comment

What happened:

Unexpected warnings:

# grype --name fs dir:/
...
[0001]  WARN unable to resolve java package identifier from purl="pkg:maven/software.amazon.awscdk/aws-cdk-lib@%cdk-version%": failed to unescape purl version: invalid URL escape "%"
[0001]  WARN unable to resolve java package identifier from purl="pkg:maven/software.amazon.awscdk/aws-cdk-lib@%cdk-version%": failed to unescape purl version: invalid URL escape "%"
[0001]  WARN unable to resolve java package identifier from purl="pkg:maven/software.constructs/constructs@%constructs-version%": failed to unescape purl version: invalid URL escape "%co"
[0001]  WARN unable to resolve java package identifier from purl="pkg:maven/software.constructs/constructs@%constructs-version%": failed to unescape purl version: invalid URL escape "%co"
...

What you expected to happen:

No warnings

How to reproduce it (as minimally and precisely as possible):

Dockerfile with AWS CDK installed via npm:

# https://hub.docker.com/_/debian
FROM debian:bookworm-20240812-slim

RUN set -eux \
  ; apt-get update \
  ; apt-get install -y curl \
  ; rm -rf /var/lib/apt/lists/*

RUN set -eux \
  ; curl https://deb.nodesource.com/setup_22.x | bash \
  ; apt-get install -y nodejs=22.7.0-1nodesource1 \
  ; rm -rf /var/lib/apt/lists/*

RUN set -eux \
  ; npm install -g [email protected]

RUN set -eux \
  ; curl -o install_grype.sh https://raw.githubusercontent.com/anchore/grype/main/install.sh \
  ; sh install_grype.sh -b /usr/local/bin v0.80.0 \
  ; rm install_grype.sh

Build and enter Bash in the container:

docker build -t foo .
docker run --name foo --rm -it foo bash

Run Grype inside the container:

grype --name fs dir:/

Environment:

  • Output of grype version:
root@0e345de1b6e4:/# grype version
Application:         grype
Version:             0.80.0
BuildDate:           2024-08-20T17:56:40Z
GitCommit:           205ccfb6c90edb7258a9d25995f0a59c32e48142
GitDescription:      v0.80.0
Platform:            linux/arm64
GoVersion:           go1.22.6
Compiler:            gc
Syft Version:        v1.11.1
Supported DB Schema: 5
  • OS: Debian Bookworm

metametadata avatar Sep 01 '24 20:09 metametadata

Hi @metametadata, thanks for the steps to reproduce! I see this is still happening, so I'll add this to our backlog.

willmurphyscode avatar Sep 03 '24 13:09 willmurphyscode
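
An added example, not part of the original issue and not Grype's or Syft's own code: it shows why the two purls in the log report different fragments (`"%"` versus `"%co"`) and how a scanner-side check could tell a template-style `%name%` version apart from other malformed escapes. It assumes the version is percent-decoded with Go's standard `net/url`, which produces errors of the same form as the log; `purlVersion`, `checkVersion` and the `placeholder` pattern are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// placeholder (hypothetical pattern) matches a %name% token such as %cdk-version%.
var placeholder = regexp.MustCompile(`^%[A-Za-z][A-Za-z0-9_.-]*%$`)

// purlVersion returns the still-encoded version: the text after the last '@'.
func purlVersion(purl string) string {
	if j := strings.IndexAny(purl, "?#"); j >= 0 {
		purl = purl[:j] // drop qualifiers and subpath first
	}
	i := strings.LastIndex(purl, "@")
	if i < 0 {
		return ""
	}
	return purl[i+1:]
}

// checkVersion classifies the version as "ok", "placeholder" (%name% token)
// or "invalid" (any other bad escape), and returns net/url's error, if any.
func checkVersion(purl string) (string, error) {
	v := purlVersion(purl)
	_, err := url.PathUnescape(v)
	switch {
	case placeholder.MatchString(v):
		return "placeholder", err
	case err != nil:
		return "invalid", err
	}
	return "ok", nil
}

func main() {
	// Constructed inputs: the two purls from the log plus a well-formed one.
	for _, p := range []string{
		"pkg:maven/software.amazon.awscdk/aws-cdk-lib@%cdk-version%",
		"pkg:maven/software.constructs/constructs@%constructs-version%",
		"pkg:maven/org.example/demo@1.0.0%2Bbuild",
	} {
		status, err := checkVersion(p)
		fmt.Printf("%-12s %v\n  %s\n", status, err, p)
	}
}
```

`%cd` happens to be a valid hex escape, so decoding `%cdk-version%` only fails at the trailing `%`, while `%co` fails on the first token; both messages have the same cause.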