Catalog JDKs more completely #3188
Description
What would you like to be added:
A custom cataloger specifically for JDK distributions.
Why is this needed:
Today, Syft catalogs JDKs by identifying java executables with a generic binary cataloger. This works marginally well, but only is able to catalog the java executable itself. There are many other executable files and libraries associated with the JDK that are not included by this cataloging, but it would be great for Syft to be able to correctly identify these files with relationships to an identified JDK version, such as OpenJDK or Oracle JDK, etc..
Additional context:
For example, in the docker official images, there are 25 instances of /opt/java/openjdk/bin/keytool, which a user can identify as being part of the openjdk but Syft does not associate with any package. If we scan the official Docker images, these files are found, with the total number of times found see:
Common OpenJDK files
| Executable | Instances |
|---|---|
| /opt/java/openjdk/bin/keytool | 25 |
| /opt/java/openjdk/bin/rmiregistry | 25 |
| /opt/java/openjdk/lib/jexec | 25 |
| /opt/java/openjdk/bin/jfr | 23 |
| /opt/java/openjdk/bin/jrunscript | 23 |
| /opt/java/openjdk/lib/jspawnhelper | 22 |
| /opt/java/openjdk/lib/libawt.so | 22 |
| /opt/java/openjdk/lib/libawt_headless.so | 22 |
| /opt/java/openjdk/lib/libawt_xawt.so | 22 |
| /opt/java/openjdk/lib/libdt_socket.so | 22 |
| /opt/java/openjdk/lib/libextnet.so | 22 |
| /opt/java/openjdk/lib/libfontmanager.so | 22 |
| /opt/java/openjdk/lib/libinstrument.so | 22 |
| /opt/java/openjdk/lib/libj2gss.so | 22 |
| /opt/java/openjdk/lib/libj2pcsc.so | 22 |
| /opt/java/openjdk/lib/libj2pkcs11.so | 22 |
| /opt/java/openjdk/lib/libjaas.so | 22 |
| /opt/java/openjdk/lib/libjava.so | 22 |
| /opt/java/openjdk/lib/libjavajpeg.so | 22 |
| /opt/java/openjdk/lib/libjawt.so | 22 |
| /opt/java/openjdk/lib/libjdwp.so | 22 |
| /opt/java/openjdk/lib/libjimage.so | 22 |
| /opt/java/openjdk/lib/libjsig.so | 22 |
| /opt/java/openjdk/lib/libjsound.so | 22 |
| /opt/java/openjdk/lib/liblcms.so | 22 |
| /opt/java/openjdk/lib/libmanagement.so | 22 |
| /opt/java/openjdk/lib/libmanagement_agent.so | 22 |
| /opt/java/openjdk/lib/libmanagement_ext.so | 22 |
| /opt/java/openjdk/lib/libmlib_image.so | 22 |
| /opt/java/openjdk/lib/libnet.so | 22 |
| /opt/java/openjdk/lib/libnio.so | 22 |
| /opt/java/openjdk/lib/libprefs.so | 22 |
| /opt/java/openjdk/lib/librmi.so | 22 |
| /opt/java/openjdk/lib/libsctp.so | 22 |
| /opt/java/openjdk/lib/libsplashscreen.so | 22 |
| /opt/java/openjdk/lib/libverify.so | 22 |
| /opt/java/openjdk/lib/libzip.so | 22 |
| /opt/java/openjdk/lib/server/libjsig.so | 22 |
| /opt/java/openjdk/lib/server/libjvm.so | 22 |
| /opt/java/openjdk/lib/libjli.so | 16 |
| /opt/java/openjdk/lib/libjsvml.so | 15 |
| /opt/java/openjdk/lib/libsyslookup.so | 15 |
| /opt/java/openjdk/bin/jar | 13 |
| /opt/java/openjdk/bin/jarsigner | 13 |
| /opt/java/openjdk/bin/javac | 13 |
| /opt/java/openjdk/bin/javadoc | 13 |
| /opt/java/openjdk/bin/javap | 13 |
| /opt/java/openjdk/bin/jcmd | 13 |
| /opt/java/openjdk/bin/jconsole | 13 |
| /opt/java/openjdk/bin/jdeps | 13 |
| /opt/java/openjdk/bin/jinfo | 13 |
| /opt/java/openjdk/bin/jmap | 13 |
| /opt/java/openjdk/bin/jps | 13 |
| /opt/java/openjdk/bin/jstack | 13 |
| /opt/java/openjdk/bin/jstat | 13 |
| /opt/java/openjdk/bin/jstatd | 13 |
| /opt/java/openjdk/bin/serialver | 13 |
| /opt/java/openjdk/bin/jdeprscan | 12 |
| /opt/java/openjdk/bin/jhsdb | 12 |
| /opt/java/openjdk/bin/jimage | 12 |
| /opt/java/openjdk/bin/jlink | 12 |
| /opt/java/openjdk/bin/jmod | 12 |
| /opt/java/openjdk/bin/jshell | 12 |
| /opt/java/openjdk/lib/libattach.so | 12 |
| /opt/java/openjdk/lib/libsaproc.so | 12 |
| /opt/java/openjdk/bin/jpackage | 11 |
| /opt/java/openjdk/bin/rmid | 10 |
| /opt/java/openjdk/bin/jjs | 9 |
| /opt/java/openjdk/bin/pack200 | 9 |
| /opt/java/openjdk/bin/unpack200 | 9 |
| /opt/java/openjdk/bin/jwebserver | 8 |
| /opt/java/openjdk/lib/libfreetype.so | 8 |
| /opt/java/openjdk/lib/lible.so | 8 |
| /opt/java/openjdk/bin/jaotc | 7 |
| /opt/java/openjdk/lib/jli/libjli.so | 6 |
| /opt/java/openjdk/lib/libsunec.so | 6 |
| /opt/java/openjdk/lib/libunpack.so | 6 |
Many of these are prevalent enough in modern software stacks, that Syft should be able to accurately identify these files and associate them with the OpenJDK distribution, where applicable.
A potential solution is to create a Java / JDK cataloger for the distributions and runtimes themselves.
Another possibility is to augment the binary cataloger with some if-found-also-include relative paths or similar.
Metadata
Metadata
Assignees
Type
Projects
Status