
Java archives not from Maven #2217

Closed
joshbressers opened this issue Oct 11, 2023 · 3 comments · Fixed by #2220
Assignees
Labels
bug Something isn't working ecosystem:java relating to the java ecosystem

Comments

@joshbressers
Contributor

This issue is meant to be a discussion on how to handle Java archives that aren't from Maven, and that Syft handles in a strange manner.

Let's use this image as our example
https://hub.docker.com/r/atlassian/confluence-server/

If I scan this with Syft

syft docker:atlassian/confluence-server:latest

I end up with output that looks like this (it's a huge image, this is just a few lines)

com.atlassian.activeobjects_activeobjects-dbex                                     5.2.1                                      java-archive
com.atlassian.activeobjects_activeobjects-spi                                      5.2.1                                      java-archive
com.atlassian.analytics.analytics-client                                           8.3.0                                      java-archive
com.atlassian.analytics.analytics-whitelist                                        3.102                                      java-archive
com.atlassian.analytics_analytics-api                                              8.3.0                                      java-archive
com.atlassian.annotations_atlassian-annotations                                    4.0.0                                      java-archive
com.atlassian.applinks.applinks-basicauth-plugin                                   9.1.3                                      java-archive
com.atlassian.applinks.applinks-cors-plugin                                        9.1.3                                      java-archive
com.atlassian.applinks.applinks-oauth-plugin                                       9.1.3                                      java-archive

Looking at the dbex finding there, here is the JSON that is generated

  {
   "id": "241e9eb015975d0d",
   "name": "activeobjects-dbex",
   "version": "5.2.1",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/opt/atlassian/confluence/confluence/WEB-INF/lib/com.atlassian.activeobjects_activeobjects-dbex-5.2.1.jar",
     "layerID": "sha256:af99e879cc4838a22d008c5ab1892b50ccc8942b8333f1e95ac61fbff7bf8e9d",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:activeobjects-dbex:activeobjects-dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects-dbex:activeobjects_dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects_dbex:activeobjects-dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects_dbex:activeobjects_dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects-dbex:activeobjects:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects:activeobjects-dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects:activeobjects_dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects_dbex:activeobjects:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:atlassian:activeobjects-dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:atlassian:activeobjects_dbex:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:activeobjects:activeobjects:5.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:atlassian:activeobjects:5.2.1:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/com.atlassian.activeobjects/activeobjects-dbex@5.2.1",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/opt/atlassian/confluence/confluence/WEB-INF/lib/com.atlassian.activeobjects_activeobjects-dbex-5.2.1.jar:com.atlassian.activeobjects:activeobjects-dbex",
    "pomProperties": {
     "path": "META-INF/maven/com.atlassian.activeobjects/activeobjects-dbex/pom.properties",
     "name": "",
     "groupId": "com.atlassian.activeobjects",
     "artifactId": "activeobjects-dbex",
     "version": "5.2.1"
    }
   }
  },

I want to start this discussion as these particular packages aren't part of Maven, so we can't extract the name and groupId from a remote API based on a file hash for example.

@joshbressers joshbressers added the enhancement New feature or request label Oct 11, 2023
@wagoodman wagoodman added the ecosystem:java relating to the java ecosystem label Oct 11, 2023
@wagoodman
Contributor

It looks like there are some opportunities to attempt to guess if the name is a combined group-id/artifact-id and parse out these fields. For instance the package com.atlassian.gadgets.atlassian-gadgets-api is missing a pom.xml, however, the resolved name is the combined group-id and artifact id (see https://mvnrepository.com/artifact/com.atlassian.gadgets/atlassian-gadgets-api). In an offline capacity we could at least attempt to detect this, split it, and fix the names to be more accurate.

Additionally, based on the manifest:

  "metadata": {
    "virtualPath": "/opt/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/com.atlassian.gadgets.atlassian-gadgets-api-8.1.1.jar",
    "manifest": {
      "main": {
        "Atlassian-Build-Date": "2023-06-14T08:11:33+0000",
        "Bnd-LastModified": "1686730294094",
        "Build-Jdk": "1.8.0_282",
        "Built-By": "root",
        "Bundle-Description": "Public Atlassian Gadgets API",
        "Bundle-DocURL": "https://www.atlassian.com/",
        "Bundle-License": "https://www.atlassian.com/customer-agreement/",
        "Bundle-ManifestVersion": "2",
        "Bundle-Name": "Atlassian Gadgets API",
        "Bundle-SymbolicName": "com.atlassian.gadgets.atlassian-gadgets-api",
        "Bundle-Vendor": "Atlassian",
        "Bundle-Version": "8.1.1",
        "Created-By": "Apache Maven Bundle Plugin",
        "Export-Package": "com.atlassian.gadgets;version=\"8.1.1\";uses:=\"com.atlassian.gadgets.dashboard,com.atlassian.gadgets.view,com.atlassian.plugin,io.atlassian.fugue,javax.annotation,javax.servlet.http,net.jcip.annotations\",com.atlassian.gadgets.dashboard;version=\"8.1.1\";uses:=\"com.atlassian.gadgets,com.atlassian.gadgets.plugins,com.atlassian.plugin,io.atlassian.fugue,javax.annotation,net.jcip.annotations\",com.atlassian.gadgets.dashboard.view;version=\"8.1.1\";uses:=\"com.atlassian.gadgets,com.atlassian.gadgets.dashboard,com.atlassian.gadgets.view,javax.annotation\",com.atlassian.gadgets.directory;version=\"8.1.1\";uses:=\"com.atlassian.gadgets,com.atlassian.plugin,javax.annotation\",com.atlassian.gadgets.plugins;version=\"8.1.1\";uses:=\"com.atlassian.gadgets.directory,com.atlassian.plugin,com.atlassian.plugin.web,io.atlassian.fugue,javax.annotation\",com.atlassian.gadgets.spec;version=\"8.1.1\";uses:=\"com.atlassian.gadgets,com.atlassian.gadgets.view,net.jcip.annotations\",com.atlassian.gadgets.view;version=\"8.1.1\";uses:=\"com.atlassian.gadgets,net.jcip.annotations\",com.atlassian.gadgets.opensocial;version=\"8.1.1\",com.atlassian.gadgets.opensocial.model;version=\"8.1.1\";uses:=\"net.jcip.annotations\",com.atlassian.gadgets.event;version=\"8.1.1\",com.atlassian.gadgets.feed;version=\"8.1.1\"",
        "Import-Package": "com.atlassian.gadgets;version=\"[8.1,9)\",com.atlassian.gadgets.directory;version=\"[8.1,9)\",com.atlassian.gadgets.plugins;version=\"[8.1,9)\",com.atlassian.gadgets.view;version=\"[8.1,9)\",com.atlassian.plugin,com.atlassian.plugin.util,com.atlassian.plugin.web,com.atlassian.plugin.web.conditions,com.google.common.base,com.google.common.collect,io.atlassian.fugue,javax.annotation,javax.servlet.http,net.jcip.annotations,org.apache.commons.lang3,org.apache.commons.lang3.builder",
        "Manifest-Version": "1.0",
        "Tool": "Bnd-3.5.0.201709291849"
      }
    },

We should take a closer look at the Apache Maven Bundle Plugin tool to see if we can depend on this behavior and extract this combined field from the Bundle-SymbolicName field.
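As an added example (not Syft's own code), a Go sketch of the offline heuristic described in the comment above: split a combined name on `_` (the WEB-INF/lib filename form) or on the last `.` when the tail contains a hyphen (the Bundle-SymbolicName form), recover the version from the jar filename, and accept manifest coordinates only when Created-By names the Apache Maven Bundle Plugin. The function names, the regex and the Created-By check are assumptions; the inputs are the names quoted in this thread.

```go
package main

import (
	"regexp"
	"strings"
)

// MavenCoordinates is the (groupId, artifactId, version) triple this thread wants recovered.
type MavenCoordinates struct{ GroupID, ArtifactID, Version string }

// versionSuffix matches a trailing "-<version>" such as "-5.2.1" or "-1.0-SNAPSHOT" (assumed shape).
var versionSuffix = regexp.MustCompile(`-(\d+(?:\.\d+)*(?:-[A-Za-z0-9.]+)?)$`)

// SplitCombinedName guesses groupId/artifactId from a combined name. Two shapes appear
// in the issue: "com.atlassian.activeobjects_activeobjects-dbex" (underscore form) and
// "com.atlassian.gadgets.atlassian-gadgets-api" (dotted form from Bundle-SymbolicName).
// ok=false means "not obviously combined": the caller keeps the raw name instead.
func SplitCombinedName(name string) (groupID, artifactID string, ok bool) {
	if i := strings.Index(name, "_"); i > 0 && i < len(name)-1 {
		return name[:i], name[i+1:], true
	}
	i := strings.LastIndex(name, ".")
	if i <= 0 || i == len(name)-1 {
		return "", "", false
	}
	// Only trust the dotted form when the last segment has a hyphen; a bare "core" is ambiguous.
	if last := name[i+1:]; strings.Contains(last, "-") {
		return name[:i], last, true
	}
	return "", "", false
}

// CoordinatesFromJarPath handles ".../com.atlassian.activeobjects_activeobjects-dbex-5.2.1.jar".
func CoordinatesFromJarPath(path string) (MavenCoordinates, bool) {
	base := strings.TrimSuffix(path[strings.LastIndex(path, "/")+1:], ".jar")
	m := versionSuffix.FindStringSubmatchIndex(base)
	if m == nil {
		return MavenCoordinates{}, false
	}
	g, a, ok := SplitCombinedName(base[:m[0]])
	return MavenCoordinates{g, a, base[m[2]:m[3]]}, ok
}

// CoordinatesFromManifest trusts Bundle-SymbolicName/Bundle-Version only for jars
// stamped by the Apache Maven Bundle Plugin (the dependency the comment proposes verifying).
func CoordinatesFromManifest(attrs map[string]string) (MavenCoordinates, bool) {
	if attrs["Created-By"] != "Apache Maven Bundle Plugin" || attrs["Bundle-Version"] == "" {
		return MavenCoordinates{}, false
	}
	g, a, ok := SplitCombinedName(attrs["Bundle-SymbolicName"])
	return MavenCoordinates{g, a, attrs["Bundle-Version"]}, ok
}
```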

@westonsteimel
Contributor

westonsteimel commented Oct 11, 2023

Ah, so a good catch that these are actually packaged as maven artifacts, just not from maven central but rather from Atlassian's own maven repositories, so at least trying to use groupid and artifactid is still the correct way to attempt to identify them.

@wagoodman wagoodman self-assigned this Oct 11, 2023
@wagoodman wagoodman moved this to In Progress in OSS Oct 11, 2023
@wagoodman wagoodman moved this from In Progress to In Review in OSS Oct 12, 2023
@wagoodman wagoodman added bug Something isn't working and removed enhancement New feature or request labels Oct 12, 2023
@joshbressers
Contributor Author

I also found this image that still reports a lot of the namespace package names (I tried it with this PR)

docker.io/bitnami/spark:latest
