Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Syft does not handle the case of parsing a jar with multiple poms #2231

Merged
merged 4 commits into from
Nov 1, 2023

Conversation

coheigea
Copy link
Contributor

@coheigea coheigea commented Oct 16, 2023

The restriction to only parse one pom.xml / pom.properties in the archive fails for certain jars that shade multiple dependencies into the jar. For example:

https://repo1.maven.org/maven2/org/apache/directory/api/api-all/2.0.0/

which has:

./META-INF/maven/org.apache.directory.api/api-ldap-extras-codec-api/pom.xml
./META-INF/maven/org.apache.directory.api/api-all/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-schema-converter/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-extras-trigger/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-extras-sp/pom.xml
./META-INF/maven/org.apache.directory.api/api-util/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-net-mina/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-codec-standalone/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-extras-util/pom.xml
./META-INF/maven/org.apache.directory.api/api-ldap-extras-aci/pom.xml

Syft does end up finding the license for api-all anyway, because of a LICENSE file included in the archive, but otherwise wouldn't find a license as it's not proceeding to the loop to find the correct pom.

@coheigea coheigea force-pushed the coheigea/multiple-poms branch 2 times, most recently from b9621dc to e5b90b1 Compare October 20, 2023 05:24
@coheigea
Copy link
Contributor Author

@wagoodman Rebased this after #2220 was merged, if you could take a look please?

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
@coheigea coheigea force-pushed the coheigea/multiple-poms branch from e5b90b1 to 1940b7e Compare October 31, 2023 09:49
@coheigea
Copy link
Contributor Author

rebased again

@spiffcs
Copy link
Contributor

spiffcs commented Oct 31, 2023

@coheigea - thanks for rebasing this! Since this code change didn't break any tests I think I'm going to take your example package and write a quick unit test that validates the change and keeps us covered going forward. Let me see if I can get that in today and then I'll 🟢 and merge this one too =)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Copy link
Contributor

@kzantow kzantow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs enabled auto-merge (squash) November 1, 2023 16:58
@spiffcs spiffcs merged commit 26cdbfc into anchore:main Nov 1, 2023
10 checks passed
@coheigea coheigea deleted the coheigea/multiple-poms branch November 2, 2023 08:36
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
anchore#2231)

---------

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants