Skip to content

Add locations onto packages read from Java native image SBOMs #4186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 11, 2025
Merged

Add locations onto packages read from Java native image SBOMs #4186

merged 1 commit into from
Sep 11, 2025
+7 −2

Conversation

rudsberg
Copy link
Contributor

@rudsberg rudsberg commented Sep 3, 2025

Description

This PR adds support to the graalvm-native-image-cataloger to associate location data with the packages extracted from native images. Packages extracted are now associated with file.Location metadata, which refers to the native image.

This enables users to easily trace packages back to the native image executable, simplifying vulnerability identification.

Example

Consider this scenario: syft scans a Docker container containing a native image named app that has a dependency on org.json. The org.json artifact currently looks like this in the syft-json format:

{
    "id": "pkg:maven/org.json/json@20250517",
    "name": "json",
    "version": "20250517",
    "type": "java-archive",
    "foundBy": "graalvm-native-image-cataloger",
    "locations": [], <-- locations is empty
    ...
}

This PR ensures the locations data is added:

{
    "id": "pkg:maven/org.json/json@20250517",
    "name": "json",
    "version": "20250517",
    "type": "java-archive",
    "foundBy": "graalvm-native-image-cataloger",
    "locations": [
        {
            "path": "/app",
            "layerID": "sha256:f1cf2e7664a1a9e45052d20a7061d9e46eb93091e092b4aa4166197cee5a3604",
            "accessPath": "/app"
        }
    ],
    ...
}

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
    No new unit tests were added since the logic is trivial and there is currently no straightforward way to test it. Issue #3718 would enable end-to-end tests using native images with embedded SBOMs.
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@douglasclarke
Copy link

@kzantow

@wagoodman wagoodman merged commit 7bc15e3 into anchore:main Sep 11, 2025
12 checks passed
@wagoodman wagoodman added the enhancement New feature or request label Sep 11, 2025
@wagoodman wagoodman changed the title Native Image SBOM: Add Support for Locations Data Add locations onto packages read from Java native image SBOMs Sep 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

@spiffcs spiffcs spiffcs approved these changes

+1 more reviewer

@douglasclarke douglasclarke douglasclarke approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rudsberg @douglasclarke @wagoodman @spiffcs