
Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed #2077

Closed
westonsteimel opened this issue Aug 30, 2023 · 0 comments · Fixed by #2080
Assignees
Labels
bug Something isn't working

Comments

@westonsteimel
Contributor

What happened:

The virtual path changes introduced as a part of #2033 have a side effect of creating weird fake packages when a java archive is named differently. An example is with https://repo1.maven.org/maven2/org/jvnet/hudson/main/hudson-war/2.2.1/hudson-war-2.2.1.war

If we run syft on the archive hudson-war-2.2.1.war, we get the results we'd expect to see with a single entry for hudson-war and a virtualPath of /hudson-war-2.2.1.war with the PURL correctly identified from the included pom.xml:

{
  "id": "07d4f39cd55d02cc",
  "name": "hudson-war",
  "version": "2.2.1",
  "type": "java-archive",
  "foundBy": "java-cataloger",
  "locations": [
    {
      "path": "/hudson-war-2.2.1.war",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "java",
  "cpes": [
    "cpe:2.3:a:hudson-war:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson-war:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson-war:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson:2.2.1:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:maven/org.jvnet.hudson.main/hudson-war@2.2.1",
  "metadataType": "JavaMetadata",
  "metadata": {
    "virtualPath": "/hudson-war-2.2.1.war",
    "manifest": {
      "main": {
        "Archiver-Version": "Plexus Archiver",
        "Build-Jdk": "1.6.0_31",
        "Built-By": "winstonp",
        "Created-By": "Apache Maven",
        "Hudson-Version": "2.2.1",
        "Implementation-Version": "2.2.1",
        "Main-Class": "Main",
        "Manifest-Version": "1.0"
      }
    },
    "pomProperties": {
      "path": "META-INF/maven/org.jvnet.hudson.main/hudson-war/pom.properties",
      "name": "",
      "groupId": "org.jvnet.hudson.main",
      "artifactId": "hudson-war",
      "version": "2.2.1"
    },
    "digest": [
      {
        "algorithm": "sha1",
        "value": "1af02241e5e37634be3be752a337a636e521483d"
      }
    ]
  }
}

However, if we simply rename that war to hudson.war and rerun, we end up with 2 nodes, one that still has hudson-war, but with a different virtualPath of /hudson.war:org.jvnet.hudson.main:hudson-war:

{
  "id": "b7fc6392e2d136e0",
  "name": "hudson-war",
  "version": "2.2.1",
  "type": "java-archive",
  "foundBy": "java-cataloger",
  "locations": [
    {
      "path": "/hudson.war",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "java",
  "cpes": [
    "cpe:2.3:a:hudson-war:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson-war:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson-war:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson_war:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson-war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson_war:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:hudson:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:hudson:2.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:main:hudson:2.2.1:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:maven/org.jvnet.hudson.main/hudson-war@2.2.1",
  "metadataType": "JavaMetadata",
  "metadata": {
    "virtualPath": "/hudson.war:org.jvnet.hudson.main:hudson-war",
    "pomProperties": {
      "path": "META-INF/maven/org.jvnet.hudson.main/hudson-war/pom.properties",
      "name": "",
      "groupId": "org.jvnet.hudson.main",
      "artifactId": "hudson-war",
      "version": "2.2.1"
    }
  }
}

And the other with a package called just hudson with a virtualPath of /hudson-war-2.2.1.war and with an incorrect PURL generated only from the manifest.mf file:

{
  "id": "9781d968b85874ef",
  "name": "hudson",
  "version": "2.2.1",
  "type": "java-archive",
  "foundBy": "java-cataloger",
  "locations": [
    {
      "path": "/hudson.war",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "java",
  "cpes": [
    "cpe:2.3:a:hudson:hudson:2.2.1:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:maven/hudson/hudson@2.2.1",
  "metadataType": "JavaMetadata",
  "metadata": {
    "virtualPath": "/hudson.war",
    "manifest": {
      "main": {
        "Archiver-Version": "Plexus Archiver",
        "Build-Jdk": "1.6.0_31",
        "Built-By": "winstonp",
        "Created-By": "Apache Maven",
        "Hudson-Version": "2.2.1",
        "Implementation-Version": "2.2.1",
        "Main-Class": "Main",
        "Manifest-Version": "1.0"
      }
    },
    "digest": [
      {
        "algorithm": "sha1",
        "value": "1af02241e5e37634be3be752a337a636e521483d"
      }
    ]
  }
}

Previous versions of syft could correctly deduplicate these and ensure that only the more correct version made it into the final SBOM, and I think we're going to need to figure out a way to restore that ability.

Environment:

  • Output of syft version: v0.88.0
  • OS (e.g: cat /etc/os-release or similar):
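The deduplication the report describes, written as an added Go example rather than syft's own cataloger code. It reads a JSON array of package entries (the sample below is constructed from the two entries in this issue, trimmed to the fields the logic needs), groups java-archive packages by their real on-disk location plus version, and drops any manifest-only entry whenever a pom.properties-backed entry exists for the same archive. Grouping deliberately ignores virtualPath, since that is precisely the field that now differs between the two entries; the field names and the preference rule are assumptions about how an SBOM consumer might post-process syft output, not a description of how syft implemented the fix in #2080.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the two entries syft v0.88.0 emitted for the renamed
// hudson.war in this issue, trimmed to the fields the dedup logic reads.
const sampleSBOM = `[
  {
    "id": "b7fc6392e2d136e0",
    "name": "hudson-war",
    "version": "2.2.1",
    "type": "java-archive",
    "locations": [{"path": "/hudson.war"}],
    "purl": "pkg:maven/org.jvnet.hudson.main/hudson-war@2.2.1",
    "metadata": {
      "virtualPath": "/hudson.war:org.jvnet.hudson.main:hudson-war",
      "pomProperties": {
        "groupId": "org.jvnet.hudson.main",
        "artifactId": "hudson-war",
        "version": "2.2.1"
      }
    }
  },
  {
    "id": "9781d968b85874ef",
    "name": "hudson",
    "version": "2.2.1",
    "type": "java-archive",
    "locations": [{"path": "/hudson.war"}],
    "purl": "pkg:maven/hudson/hudson@2.2.1",
    "metadata": {
      "virtualPath": "/hudson.war",
      "manifest": {"main": {"Implementation-Version": "2.2.1"}}
    }
  }
]`

// Location is the subset of a syft location entry used here.
type Location struct {
	Path string `json:"path"`
}

// JavaMetadata keeps the raw pom/manifest objects only to test for presence.
type JavaMetadata struct {
	VirtualPath   string          `json:"virtualPath"`
	PomProperties json.RawMessage `json:"pomProperties"`
	Manifest      json.RawMessage `json:"manifest"`
}

// Package mirrors the fields of a syft package entry that matter for dedup.
type Package struct {
	ID        string       `json:"id"`
	Name      string       `json:"name"`
	Version   string       `json:"version"`
	Type      string       `json:"type"`
	Locations []Location   `json:"locations"`
	PURL      string       `json:"purl"`
	Metadata  JavaMetadata `json:"metadata"`
}

// hasPomEvidence reports whether the coordinates came from pom.properties
// (authoritative for groupId/artifactId) rather than only from MANIFEST.MF.
func hasPomEvidence(p Package) bool {
	raw := string(p.Metadata.PomProperties)
	return raw != "" && raw != "null"
}

// groupKey identifies "the same archive": first real location path plus
// version. virtualPath is not used because it differs between the two
// entries for one archive in this issue.
func groupKey(p Package) string {
	path := ""
	if len(p.Locations) > 0 {
		path = p.Locations[0].Path
	}
	return path + "|" + p.Version
}

// DedupeJavaArchives drops manifest-only java-archive packages whenever a
// pom-backed package exists for the same archive and version. Input order
// is preserved; non-java packages and lone manifest-only packages pass through.
func DedupeJavaArchives(pkgs []Package) []Package {
	pomBacked := map[string]bool{}
	for _, p := range pkgs {
		if p.Type == "java-archive" && hasPomEvidence(p) {
			pomBacked[groupKey(p)] = true
		}
	}
	var out []Package
	for _, p := range pkgs {
		if p.Type == "java-archive" && !hasPomEvidence(p) && pomBacked[groupKey(p)] {
			continue // shadowed by a pom-backed entry for the same archive
		}
		out = append(out, p)
	}
	return out
}

// DedupeSBOMJSON parses a JSON array of package entries and returns the
// deduplicated slice.
func DedupeSBOMJSON(raw []byte) ([]Package, error) {
	var pkgs []Package
	if err := json.Unmarshal(raw, &pkgs); err != nil {
		return nil, fmt.Errorf("parse packages: %w", err)
	}
	return DedupeJavaArchives(pkgs), nil
}

func main() {
	kept, err := DedupeSBOMJSON([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, p := range kept {
		fmt.Printf("%s %s %s\n", p.Name, p.Version, p.PURL)
	}
}
```

Run against the constructed sample, only the hudson-war entry with the org.jvnet.hudson.main PURL survives; the manifest-only hudson entry is removed because a pom-backed package was catalogued at the same path and version. A manifest-only package with no pom-backed sibling is kept, so archives without pom.properties still appear in the SBOM.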