SBoM of Docker image contains test dependencies #223

Open
nils-christian opened this issue Jul 10, 2023 · 1 comment
Labels
type:question A user question

Comments

@nils-christian

Hi,

We opened this issue in the context of the Spring Boot project, but according to the developers, the issue lies in the executable-jar framework,

Expected Behavior

The SBoM should not contain test dependencies from the Maven pom file in general.

Current Behavior

When creating the Docker image for a Maven project, the resulting SBoM files contain entries for the test dependencies.

Motivations

This is an issue as vulnerability scanners use these meta files to check the image for security violations. In our case this leads to various false positives that have to be checked manually.

Thank you and best regards

Nils

@dmikusa
Contributor

dmikusa commented Aug 4, 2023

The Java buildpacks are not making any decisions about which JAR files from your application to include or not include in the resulting image. When you run a build, you either a.) pass in a pre-compiled JAR file or b.) the buildpack runs maven/gradle/etc..., which builds a JAR file. In either case, the buildpacks operate on that JAR file and whatever is in that JAR file ends up in your image. Thus the first, and most likely, place from which unwanted JARs would come is your application's build system (i.e. gradle/maven/etc..). You can test this easily by running a build locally and looking at the contents of the JAR for the offending files.

Some buildpacks will add tools, like the Spring Boot buildpack which can add in the Spring Cloud Bindings JAR file, or an APM buildpack that installs a JAR file Agent to run the APM tools. I cannot think of any that would install testing tools off the top of my head, but if you told me specifically what JARs you're seeing I could confirm.

Also, can you tell me how you are procuring the SBOM file? There are two sets of SBOM files generated by buildpacks. The first is from build-time. It scans the application source code and it will include tools like Maven because they are present at build-time. The second is from run-time. This is a picture of what ends up in the often much smaller run-time container. If you're using the build-time SBOM then I know for a fact you'll see the build tool, but I suppose you might see other build-time only things like testing libraries as well.

@dmikusa dmikusa added the type:question A user question label Aug 4, 2023
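One way to act on the advice above, as an added Python example that is not part of this issue or the buildpacks project: compare the components listed in the SBOM against the nested JARs actually packaged in the application JAR, so that entries with no matching JAR (the build-time-only or test-scoped candidates) are surfaced for review. It assumes a CycloneDX JSON SBOM and the Spring Boot BOOT-INF/lib layout; the JAR and SBOM contents below are constructed samples.

```python
import io
import json
import zipfile

# Constructed sample (not from the issue): a CycloneDX SBOM listing two runtime
# libraries plus two test-only libraries that leaked in from the Maven pom.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "spring-core", "version": "6.0.10"},
        {"name": "jackson-databind", "version": "2.15.2"},
        {"name": "junit-jupiter", "version": "5.9.3"},
        {"name": "mockito-core", "version": "5.3.1"},
    ],
})


def build_sample_jar() -> io.BytesIO:
    """Construct an in-memory Spring Boot style JAR holding only the two runtime libs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BOOT-INF/lib/spring-core-6.0.10.jar", b"")
        jar.writestr("BOOT-INF/lib/jackson-databind-2.15.2.jar", b"")
    buf.seek(0)
    return buf


def jar_lib_names(jar) -> set[str]:
    """File names of every nested JAR under BOOT-INF/lib/ (jar: path or file-like)."""
    with zipfile.ZipFile(jar) as zf:
        return {
            name.rsplit("/", 1)[-1]
            for name in zf.namelist()
            if name.startswith("BOOT-INF/lib/") and name.endswith(".jar")
        }


def sbom_components_missing_from_jar(jar, sbom_json: str) -> set[str]:
    """Return name@version of SBOM components with no <name>-<version>.jar in the JAR.

    Anything listed here cannot have come from the packaged application, so it is
    the first candidate for a build-time-only (e.g. test-scoped) entry to review."""
    libs = jar_lib_names(jar)
    return {
        f"{c['name']}@{c['version']}"
        for c in json.loads(sbom_json).get("components", [])
        if f"{c['name']}-{c['version']}.jar" not in libs
    }


if __name__ == "__main__":
    for entry in sorted(sbom_components_missing_from_jar(build_sample_jar(), SAMPLE_SBOM)):
        print("in SBOM but not in JAR:", entry)
```

Run it against the run-time SBOM rather than the build-time one, since the build-time SBOM is expected to list build tooling that never reaches the image.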