Syft has two modes of scanning: image scans (looking for evidence of already installed software) and directory scans (looking for declarations to install software).
Taking a look at the jar contents you'll only see class files for the google-cloud-bigquery:
The class files found strongly correlate with only the source from the google-cloud-bigquery repo. I assume for this to function that the remaining dependencies are on CLASSPATH in the deployed destination. If that's the case, then a container containing all of those jars + this one should yield all of the dependencies.
When scanning with a directory scan, we include dependency information found within the pom.xml since this is in the context of a source repo (which is a looser set of requirements).
Given the above context about the two different scan types, does this address the problem you reported? Or are there other scan modes that you'd find more useful (say combining these two existing modes, or another approach)?
What happened:
Dependencies are missing when syft is used to generate an SBOM for a JAR.
Based on this bug I thought that if the JAR contains a pom.xml file, that it will be used to detect dependencies, but that doesn't seem to be the case here.
What you expected to happen:
The dependencies are listed in the SBOM, ideally with versions.
Steps to reproduce the issue:
Building the JAR for an example application and an SBOM:
We don't see any of the dependencies referenced in the SBOM.
However, if we generate the SBOM from the directory containing the JAR's pom.xml, we do see dependencies cataloged (albeit missing versions):
Anything else we need to know?:
Environment:
Output of syft version: 0.87.1
OS (cat /etc/os-release or similar): debian
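The distinction drawn in the maintainer's reply (evidence of software installed in an image versus declarations in a source tree's pom.xml), and the reporter's observation that the JAR scan lists no dependencies while the directory scan lists them without versions, can both be seen on a single archive. The script below is an added example written for this thread; it is not syft's code and does not call syft. It constructs a small JAR in memory containing only the application's own class file plus the Maven metadata that maven-jar-plugin writes under META-INF/maven/<groupId>/<artifactId>/, then reads back what the archive itself can tell a scanner: the module's own coordinates from pom.properties, the classes and nested jars actually shipped, and the dependencies that the bundled pom.xml declares but the JAR does not contain. The coordinates, versions and class name are invented for the example. The second declared dependency deliberately omits <version>, which Maven allows when a parent POM or BOM manages it, so it comes back with version None; that is one way a dependency read from a pom.xml can be cataloged without a version.

```python
# Added illustration for this thread, not syft's code: what dependency evidence a
# JAR carries on its own versus what its bundled pom.xml merely declares.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample metadata, laid out as maven-jar-plugin writes it under
# META-INF/maven/<groupId>/<artifactId>/. Coordinates and versions are invented.
SAMPLE_POM_PROPERTIES = "groupId=com.example\nartifactId=bigquery-demo\nversion=1.0.0\n"

SAMPLE_POM_XML = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>bigquery-demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <bigquery.version>2.30.0</bigquery.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>google-cloud-bigquery</artifactId>
      <version>${bigquery.version}</version>
    </dependency>
    <dependency>
      <!-- no <version>: managed by a parent POM or BOM, so not visible here -->
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
    </dependency>
  </dependencies>
</project>
"""

def build_sample_jar() -> bytes:
    """Build an in-memory JAR with only the app's own class and its Maven
    metadata: no dependency classes and no nested jars, as in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        base = "META-INF/maven/com.example/bigquery-demo/"
        zf.writestr(base + "pom.properties", SAMPLE_POM_PROPERTIES)
        zf.writestr(base + "pom.xml", SAMPLE_POM_XML)
    return buf.getvalue()

def parse_pom_properties(text: str) -> dict:
    """key=value lines, comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _child_text(elem, tag):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None

def parse_pom_dependencies(xml_text: str) -> list:
    """Declared <dependency> coordinates. ${...} is resolved against this file's
    own <properties>; a version managed elsewhere (parent/BOM) stays None."""
    root = ET.fromstring(xml_text)
    props_elem = root.find(POM_NS + "properties")
    props = {} if props_elem is None else {
        p.tag.replace(POM_NS, ""): (p.text or "").strip() for p in props_elem}
    deps = []
    for dep in root.iterfind(POM_NS + "dependencies/" + POM_NS + "dependency"):
        version = _child_text(dep, "version")
        if version:
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), version)
        deps.append({"groupId": _child_text(dep, "groupId"),
                     "artifactId": _child_text(dep, "artifactId"),
                     "version": version})
    return deps

def inspect_jar(jar_bytes: bytes) -> dict:
    """What the archive alone shows: its own coordinates (pom.properties), the
    classes and nested jars it ships, and what its pom.xml declares but omits."""
    self_coords, declared = None, []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                self_coords = parse_pom_properties(zf.read(name).decode("utf-8"))
            elif name.startswith("META-INF/maven/") and name.endswith("pom.xml"):
                declared = parse_pom_dependencies(zf.read(name).decode("utf-8"))
    return {"self": self_coords,
            "class_files": [n for n in names if n.endswith(".class")],
            "nested_jars": [n for n in names if n.endswith(".jar")],
            "declared_dependencies": declared}
```

Calling inspect_jar(build_sample_jar()) returns the archive's own coordinates, a class list that names only the application's class, an empty nested-jar list, and two declared dependencies, the second without a version. To try it on a real artifact, pass the JAR file's bytes to inspect_jar instead; the script only reports what is physically present in the archive and makes no claim about which of that metadata syft consults in either scan mode.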