[Bug]: Java package not recognized by SBOM creators #646
Labels
bug
Something isn't working
Comments
|
@gdams - I think you and tianon were looking at this space recently |
|
I have a feeling that anchore/syft#3217 might help here, It appears to add detection support for Temurin to Syft which can be used to generate an SBOM |
|
Jep, syft is indeed able to detect the JRE (even if it is added as Oracle). However, we have to use trivy because it adds metadata that is required for subsequent vulnerability scanning with trivy. I'll try to make the trivy developers aware of this problem. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please add the exact image (with tag) that you are using
eclipse-temurin:17-jre-alpine
Please add the version of Docker you are running
24.0.5
What happened?
We are using
eclipse-temurin:17-jre-alpineas base for many images. We are creating SBOMs (CycloneDX) for all our images using trivy. We discovered that these SBOMs do not include the JRE (but all other APKs from the base image). The reason is likely that the JRE is not installed as an APK but extracted from a Tar archive.The question I have is whether you are aware of any SBOM creators that can still detect the JRE. Or are there any plans for providing a complete SBOM for the Docker image which we can then merge with our additions?
Relevant log output
No response
The text was updated successfully, but these errors were encountered: