-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Syft incorrectly identifying jruby jar files #2877
Comments
Hey @joshbressers, I'm curious to learn more... I'm seeing an issue with scans of jruby as well, and I'm curious if my issue is related to this one. In my case I'm seeing inconsistent results for CPEs and license data. You mention a couple times that the JAR files "aren't real", could you say more? What do you mean by that exactly? While these files functions as gems, I had been thinking that they are simultaneously valid Java archives (in Syft terms). |
For the purposes of this report, I used this container
docker.elastic.co/logstash/logstash:8.13.4
We are seeing java findings show up that are part of jruby packages. These findings are very broken as they're not really jar files, they are part of the jruby package.
For example
That turns up the nokogiri gem, and a nokogiri java-archive which isn't real.
The nokogiri gemspec can be found here
The nokogiri.jar is located at
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/nokogiri-1.16.4-java/lib/nokogiri/nokogiri.jar
Here are the details that are turned up for that jar file
I wouldn't expect such a jar to show up in the results
The text was updated successfully, but these errors were encountered: