
Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) #2039

@edonadei


What happened:
When trying to scan a folder that contains a jar, Syft is creating a package of that jar without versionInfo.
An example can be found here: https://github.com/google/tink/tree/master/java_src/examples/android/helloworld/gradle/wrapper

It will generate an entry like this (the quoted output is truncated here):

```json
{
   "name": "gradle-wrapper",
   "SPDXID": "SPDXRef-Package-java-archive-gradle-wrapper-df62e5252291c51c",
   "downloadLocation": "NOASSERTION",
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "079675260ae4ff9d6bc0179c7ca1d1422af2a57c"
    }
   ],
   "sourceInfo": "acquired package info from installed java archive: java_src/examples/android/helloworld/gradle/wrapper/gradle-wrapper.jar",
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:gradle_wrapper:gradle_wrapper:*:*:*:*:*:*:*:*",
     "comment": ""
    },
```

What you expected to happen:
I'm not sure what the expected answer is here. When opening that jar, there is no manifest for Syft to scan to get any additional metadata.

I suppose it would be either:

  • Not adding the jar as a package, as it does not give any factual information about any package
  • Failing the scan and notifying the user that the package does not have any metadata to be scanned?

Steps to reproduce the issue:

```shell
git clone https://github.com/google/tink.git
cd tink
syft .
```

Anything else we need to know?:
I used this checker to verify whether the SBOM is compliant: https://github.com/spdx/ntia-conformance-checker.

Environment:

  • Output of syft version: v.0.87.1
  • OS (e.g: cat /etc/os-release or similar): Ubuntu
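A minimal check for the gap this issue describes, as an added example that is neither Syft's code nor the ntia-conformance-checker's: it walks the `packages` array of an SPDX 2.x JSON document, reports every package that lacks `versionInfo` (the NTIA "version" minimum element), and for each such package also lists the `cpe23Type` references whose version field is the `*` wildcard, since those carry no version for a vulnerability matcher to narrow on. The sample document is constructed for this example: it embeds the `gradle-wrapper` entry quoted above, trimmed to the fields the check reads, next to a made-up `example-lib` package that does carry a version.

```python
"""Report SPDX 2.x JSON packages that lack versionInfo (NTIA minimum element).

Added example; not code from Syft or from the ntia-conformance-checker.
"""
import json

# Constructed sample: a trimmed SPDX 2.3 JSON document. The first package is the
# versionless gradle-wrapper entry from the issue; the second is a made-up
# package that carries a version, so the check has a passing case to contrast.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "tink",
  "packages": [
    {
      "name": "gradle-wrapper",
      "SPDXID": "SPDXRef-Package-java-archive-gradle-wrapper-df62e5252291c51c",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "acquired package info from installed java archive: java_src/examples/android/helloworld/gradle/wrapper/gradle-wrapper.jar",
      "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:gradle-wrapper:gradle-wrapper:*:*:*:*:*:*:*:*",
         "comment": ""}
      ]
    },
    {
      "name": "example-lib",
      "SPDXID": "SPDXRef-Package-java-archive-example-lib-0000000000000000",
      "versionInfo": "1.2.3",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*",
         "comment": ""}
      ]
    }
  ]
}
"""


def cpe_version(locator):
    """Return the version component (field index 5) of a cpe:2.3 locator, or None
    if the string is not a well-formed 13-field cpe:2.3 locator."""
    parts = locator.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[5]


def find_versionless_packages(doc):
    """Return one finding per package whose versionInfo is missing or empty.

    A finding records the package name, its SPDXID, the sourceInfo Syft wrote
    (where the package came from), and every cpe23Type reference whose version
    field is the '*' wildcard.
    """
    findings = []
    for pkg in doc.get("packages", []):
        if pkg.get("versionInfo"):  # present and non-empty: version element satisfied
            continue
        wildcard_cpes = [
            ref["referenceLocator"]
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "cpe23Type"
            and cpe_version(ref.get("referenceLocator", "")) == "*"
        ]
        findings.append({
            "name": pkg.get("name"),
            "SPDXID": pkg.get("SPDXID"),
            "sourceInfo": pkg.get("sourceInfo", ""),
            "wildcard_cpes": wildcard_cpes,
        })
    return findings


def check_spdx_json(text):
    """Parse an SPDX JSON document; return (every_package_has_version, findings)."""
    doc = json.loads(text)
    findings = find_versionless_packages(doc)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = check_spdx_json(SAMPLE_SPDX_JSON)
    print("all packages carry versionInfo:", ok)
    for f in findings:
        print(f"- {f['name']} ({f['SPDXID']}) has no versionInfo; source: {f['sourceInfo']}")
        for cpe in f["wildcard_cpes"]:
            print(f"    version-wildcard CPE: {cpe}")
```

Run against a real Syft SPDX JSON file by replacing `SAMPLE_SPDX_JSON` with the file contents; on the sample it flags only `gradle-wrapper`, together with its wildcard CPE, and passes `example-lib`. The check only covers the version element, not the rest of the NTIA minimum elements (supplier, unique identifiers, relationships, author, timestamp), which the ntia-conformance-checker linked above covers.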

Labels: bug (Something isn't working)

Status: Done