Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SBOM information for jlink created JREs #304

Open
dmikusa opened this issue Jul 7, 2023 · 0 comments
Open

Add SBOM information for jlink created JREs #304

dmikusa opened this issue Jul 7, 2023 · 0 comments
Labels
type:enhancement A general enhancement

Comments

@dmikusa
Copy link
Contributor

dmikusa commented Jul 7, 2023

Describe the Enhancement

Presently, when we use jlink to create a custom JVM, we do not include runtime SBOM data because you're not including a full JDK or JRE, it's a hybrid. Because it's a custom JVM, it's not clear what information should go into the SBOM. Putting in a full JDK would very likely cause false positive issue detection with scanners, and not putting it means we are missing important data.

Presently, you would need to look at the build-time SBOM data to see that a JDK was used.

Possible Solution

Unsure. More investigation needs to be done to see how we can represent this situation in SBOM data. The solution needs to also be compatible across Syft and CycloneDX (i.e. it cannot be a Syft specific solution).

Motivation

More accurate SBOM information.
@dmikusa dmikusa added the type:enhancement A general enhancement label Jul 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dmikusa