
Java-Cataloger produces empty entries for Jar-Files starting with '.' and no component name in MANIFEST.MF

Open tafli opened this issue 3 years ago • 2 comments

Stumbled upon a bug similar to the one described in #466.

In my case, it happens when scanning a Docker image with a couple of Jar files where one of those files starts with a '.', like .MyFancyLib.jar, and contains a manifest file (META-INF/MANIFEST.MF) without an Implementation-Title.

If the file name doesn't start with a '.', Syft outputs the file name as the package name, which is fine.

To reproduce:

One File MyFancyLib1.jar containing the file ``:

Manifest-Version: 1.0
Class-Path: org.apache.commons.commons-lang3-3.12.0.jar

Another File MyFancyLib2.jar containing the file ``:

Manifest-Version: 1.0
Implementation-Title: MyFancyLib2
Implementation-Version: 1.0.0

A Dockerfile:

FROM alpine

# Both archives are copied under a dot-prefixed name
COPY MyFancyLib1.jar /opt/app/.MyFancyLib.jar
COPY MyFancyLib2.jar /opt/app/.MyFancyLib2.jar

Step 1: Create the Docker image: docker build . -t myfancyimage:1.0.0

Step 2: Scan the image with Syft: syft docker.io/library/myfancyimage:1.0.0

Syft Output (skipping alpine packages):

 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [16 packages]
NAME                    VERSION      TYPE         
                                     java-archive  
MyFancyLib2             1.0.0        java-archive

Syft Output in CycloneDX-Format (only java packages):

{
...
  "components": [
      {
        "type": "library",
        "name": "",
        "version": ""
      },
      {
        "type": "library",
        "name": "MyFancyLib2",
        "version": "1.0.0"
      },
  ...
  ]
...
}

Environment:

OS: MacOS Monterey (12.0.1)
Syft: 0.35.0

tafli, Jan 25 '22 13:01
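As an added illustration (not syft's own code; the split-on-dot heuristic is an assumed stand-in for whatever the cataloger does, and the sample BOM is constructed from the output above): a Go snippet showing how a dot-prefixed archive name can collapse to an empty component name, a filename fallback that keeps it, and a check over CycloneDX output that flags empty-name components so a consumer does not silently lose a package from vulnerability matching.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Minimal CycloneDX subset covering the fields shown in the issue.
type component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
}
type bom struct {
	Components []component `json:"components"`
}

// naiveNameFromFilename is an assumed split-on-dot heuristic (not syft's code):
// ".MyFancyLib.jar" yields "" because the first dot-separated segment is empty.
func naiveNameFromFilename(filename string) string {
	return strings.Split(path.Base(filename), ".")[0]
}

// nameFromFilename trims only the archive extension and the hidden-file dot,
// so a dot-prefixed archive still gets a usable name.
func nameFromFilename(filename string) string {
	base := path.Base(filename)
	return strings.TrimPrefix(strings.TrimSuffix(base, path.Ext(base)), ".")
}

// emptyComponents returns the indexes of components with an empty name: the
// symptom an SBOM consumer should flag before feeding the BOM to a scanner.
func emptyComponents(raw []byte) ([]int, error) {
	var b bom
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, err
	}
	var idx []int
	for i, c := range b.Components {
		if strings.TrimSpace(c.Name) == "" {
			idx = append(idx, i)
		}
	}
	return idx, nil
}

// Constructed sample mirroring the CycloneDX fragment in the issue.
const sampleBOM = `{"components":[{"type":"library","name":"","version":""},{"type":"library","name":"MyFancyLib2","version":"1.0.0"}]}`

func main() {
	idx, err := emptyComponents([]byte(sampleBOM))
	fmt.Println(idx, err, naiveNameFromFilename("/opt/app/.MyFancyLib.jar"), nameFromFilename("/opt/app/.MyFancyLib.jar"))
}
```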

@tafli thank you for the issue! I added a label so we can take time to validate that this is still working as you described in the reproduction steps. Once we confirm this we'll pick up the bug and make sure to get it patched in a future release. Apologies for the inconvenience here since this is a way someone could circumvent the grype vuln scanner.

spiffcs, Aug 18 '22 19:08

Hi @tafli #466 has been fixed, has that resolved this issue too? If not, could you provide some more information, possibly with links to example .jar files we could use to validate a fix?

kzantow, Aug 24 '22 17:08