syft
Name and version wrongly calculated for Eclipse plugins
When running syft on a directory containing Eclipse plugins (JARs) the detected component names and versions are wrong.
Example: `org.eclipse.osgi_3.18.0.v20220516-2155.jar` --> name: `org.eclipse.osgi_3.18.0.v20220516`, version: `2155`
It seems that name and version detection is done purely on naming convention, which does not fit in this case. Is there any way to force syft to look into metadata (e.g. MANIFEST.MF)?
Steps to replicate:
- Download those two JAR files:
  1. https://download.eclipse.org/releases/2022-06/202206151000/plugins/org.eclipse.osgi_3.18.0.v20220516-2155.jar
  2. https://download.eclipse.org/releases/2022-06/202206151000/plugins/org.eclipse.osgi.util_3.7.0.v20220427-2144.jar
- Put them into one directory
- Run `syft . -o cyclonedx-json=example.sbom.json`
The correct name would be the Bundle-SymbolicName and the version the Bundle-Version. I have already seen that you make use of them in https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_java_manifest.go.
I also encountered this issue with certain "nl" bundles from Eclipse Babel. For example, "org.eclipse.core.filesystem.linux.x86_64.nl_ja_4.22.0.v20211218020001.jar" gets split with name "org.eclipse.core.filesystem.linux.x86" and version "64.nl_ja_4.22.0.v20211218020001".
Hi @glatuske and @benken-parasoft, thanks for the details here, I believe I've reproduced this problem locally and I will run it by the rest of the team as soon as we are able. Thanks and stay tuned!
I would like to highlight that there are two cases. In one case, at least part of the version is appended to the name. In the other case, part of the name is prepended to the version.
I currently work around both issues using XSLT to transform the report from Syft. I use regular expressions with XPath "matches" and "replace" functions to try to detect both cases and then write out corrected names and versions.
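Taking the identity from the manifest, as the report asks for, sidesteps both cases described above (a version fragment glued to the name, a name fragment glued to the version) because the filename is never consulted. The following is an added example in Go (syft's language), not syft's own code and not taken from its parse_java_manifest.go; it assumes the JAR's META-INF/MANIFEST.MF entry has already been read out of the zip archive, and the sample manifest is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// BundleID is the identity an OSGi bundle declares in META-INF/MANIFEST.MF.
type BundleID struct{ Name, Version string }

// ParseBundleID extracts Bundle-SymbolicName and Bundle-Version from manifest text.
// Manifest values may be folded onto continuation lines that begin with one space,
// and the symbolic name may carry directives after ';' (e.g. "singleton:=true").
func ParseBundleID(manifest string) (BundleID, error) {
	var headers []string
	for _, line := range strings.Split(manifest, "\n") {
		line = strings.TrimRight(line, "\r")
		if strings.HasPrefix(line, " ") && len(headers) > 0 {
			headers[len(headers)-1] += line[1:] // unfold continuation line
		} else {
			headers = append(headers, line)
		}
	}
	var id BundleID
	for _, h := range headers {
		key, val, ok := strings.Cut(h, ":")
		if !ok {
			continue // blank line or malformed header
		}
		switch key {
		case "Bundle-SymbolicName":
			name, _, _ := strings.Cut(val, ";") // drop directives such as singleton:=true
			id.Name = strings.TrimSpace(name)
		case "Bundle-Version":
			id.Version = strings.TrimSpace(val)
		}
	}
	if id.Name == "" || id.Version == "" {
		return id, fmt.Errorf("manifest lacks Bundle-SymbolicName or Bundle-Version")
	}
	return id, nil
}

// sampleManifest is a constructed Eclipse-style manifest (folded name, singleton directive), not from a real JAR.
const sampleManifest = "Manifest-Version: 1.0\r\n" +
	"Bundle-SymbolicName: org.eclipse.os\r\n gi;singleton:=true\r\n" +
	"Bundle-Version: 3.18.0.v20220516-2155\r\n"

func main() {
	fmt.Println(ParseBundleID(sampleManifest))
}
```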