fix: Distinguish openjdk vs jdk when using file source #3895

adammcclenaghan · 2025-05-15T09:46:03Z

Description

If the JVM vendor is not parsed from the release file, Syft currently tries to use the file path to distinguish between different JDK versions.

Example of this working:

$ pwd
/Users/adammcclenaghan/code/syft/syft/pkg/cataloger/java/test-fixtures/jvm-installs

$ cat ./oracle-jdk-se-8/usr/lib/jvm/jdk-1.8-oracle-x64/release
```sh
JAVA_VERSION="1.8.0_411"
JAVA_RUNTIME_VERSION="1.8.0_411-b25"
OS_NAME="Linux"
OS_VERSION="2.6"
OS_ARCH="amd64"
SOURCE=".:git:71ec2089cf8c+"
BUILD_TYPE="commercial"

$ syft scan dir:./oracle-jdk-se-8
 ✔ Indexed file system                                                                                                                                                                                                      oracle-jdk-se-8
 ✔ Cataloged contents                                                                                                                                                      6f75bddd2550dd54c7721716e960e439798189ad6ba7ce053bcb135eb3cf0bd4
   ├── ✔ Packages                        [1 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File digests                    [2 files]
   └── ✔ File metadata                   [2 locations]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME  VERSION        TYPE
jdk   1.8.0_411-b25  binary

However when scanning with file source this is detected as OpenJDK:

$ syft scan file:./oracle-jdk-se-8/usr/lib/jvm/jdk-1.8-oracle-x64/release
 ✔ Indexed file system                                                                                                                                                             ./oracle-jdk-se-8/usr/lib/jvm/jdk-1.8-oracle-x64/release
 ✔ Cataloged contents                                                                                                                                                      15894941e17671423d4abde1775a2af69aef90433673366d26cfc8b89e5344ff
   ├── ✔ Packages                        [1 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File digests                    [1 files]
   └── ✔ File metadata                   [1 locations]
NAME     VERSION        TYPE
openjdk  1.8.0_411-b25  binary

Currently the jvm parser uses reader.Path() to get the path to the release file.

This comes from the Location struct which will have this path relative to the scan root, for file source this is just the file itself, so parent directory names are lost.

You can actually observe the same behaviour with directory source if you point the directory source too "deep" into the path:

$ syft scan dir:./oracle-jdk-se-8/usr/lib/jvm/jdk-1.8-oracle-x64
 ✔ Indexed file system                                                                                                                                                                       oracle-jdk-se-8/usr/lib/jvm/jdk-1.8-oracle-x64
 ✔ Cataloged contents                                                                                                                                                      1f9bc8cbd38e7cc6f830fd9d8c3b8612a6518222fd7e9e46a62c1ad1a7f13e90
   ├── ✔ Packages                        [1 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File digests                    [2 files]
   └── ✔ File metadata                   [2 locations]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME     VERSION        TYPE
openjdk  1.8.0_411-b25  binary

Where as just going one directory "higher" ensures the correct vendor is detected:

$ syft scan dir:./oracle-jdk-se-8/usr/lib/jvm/
 ✔ Indexed file system                                                                                                                                                                                          oracle-jdk-se-8/usr/lib/jvm
 ✔ Cataloged contents                                                                                                                                                      5e2177784cfcdd23632e571bf6d38fdabd75ab540fab813265bbafdb48a86387
   ├── ✔ Packages                        [1 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File digests                    [2 files]
   └── ✔ File metadata                   [2 locations]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME  VERSION        TYPE
jdk   1.8.0_411-b25  binary

Instead, this change uses reader.Reference().RealPath so that the entire path to the file is taken into account, so that the vendor can be distinguished correctly.

Type of change

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
Documentation (updates the documentation)
Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist:

I have added unit tests that cover changed behavior
I have tested my code in common scenarios and confirmed there are no regressions
I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>

wagoodman · 2025-05-16T13:17:47Z

syft/pkg/cataloger/java/parse_jvm_release.go

@@ -88,7 +88,7 @@ func parseJVMRelease(_ context.Context, resolver file.Resolver, _ *generic.Envir
 	installDir := path.Dir(reader.Path())
 	files, hasJdk := findJvmFiles(resolver, installDir)

-	vendor, product := jvmPrimaryVendorProduct(ri.Implementor, reader.Path(), ri.ImageType, hasJdk)
+	vendor, product := jvmPrimaryVendorProduct(ri.Implementor, string(reader.Reference().RealPath), ri.ImageType, hasJdk)


Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

fix: Distinguish openjdk vs jdk when using file source

9d5f104

Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>

adammcclenaghan force-pushed the file-source-parse-jvm-release branch from f52cc8b to 9d5f104 Compare May 15, 2025 13:04

fix: Fix goimport order

b69c814

Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>

wagoodman reviewed May 16, 2025

View reviewed changes

add comment

d99ee23

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

wagoodman approved these changes May 16, 2025

View reviewed changes

wagoodman enabled auto-merge (squash) May 16, 2025 13:19

wagoodman added the bug Something isn't working label May 16, 2025

wagoodman disabled auto-merge May 16, 2025 13:20

wagoodman enabled auto-merge (squash) May 16, 2025 13:20

wagoodman merged commit 8f02bd8 into anchore:main May 16, 2025
13 checks passed

BrewTestBot mentioned this pull request May 16, 2025

syft 1.25.0 Homebrew/homebrew-core#223707

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: Distinguish openjdk vs jdk when using file source #3895

fix: Distinguish openjdk vs jdk when using file source #3895

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fix: Distinguish openjdk vs jdk when using file source #3895

fix: Distinguish openjdk vs jdk when using file source #3895

Uh oh!

Conversation

Description

Type of change

Checklist:

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!