fix: align binary java detection with jvm cataloger + support IBM #4046

Merged
merged 5 commits into from
Jul 22, 2025

kzantow (Contributor) commented Jul 2, 2025

Description

This PR makes some changes to binary detection of Java packages:

  • a sequential/branching evidence matcher is introduced, where the first result stops further packages from being surfaced for the same file
  • the package names, PURLs, and CPEs have been updated to match what the JVM cataloger returns

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
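
The sequential/branching, first-result-wins matching mentioned in the description above, sketched as an added Go example. It is not syft's code: the `Matcher` type, the evidence strings and the package labels are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Matcher is a hypothetical evidence node, not syft's type.
type Matcher struct {
	Evidence *regexp.Regexp // nil: no evidence required
	Package  string         // reported when no Then branch gives a result
	Then     []Matcher      // narrower matchers, tried in order
}

// Match returns at most one package: the first branch result, else Package.
func (m Matcher) Match(content []byte) (string, bool) {
	if m.Evidence != nil && !m.Evidence.Match(content) {
		return "", false
	}
	for _, branch := range m.Then {
		if pkg, ok := branch.Match(content); ok {
			return pkg, true // first result wins; later branches never run
		}
	}
	return m.Package, m.Package != ""
}

// AllMatches models independent classifiers: every rule with evidence reports.
func AllMatches(content []byte, flat []Matcher) (out []string) {
	for _, m := range flat {
		if m.Evidence.Match(content) {
			out = append(out, m.Package)
		}
	}
	return out
}

// Constructed evidence strings and package labels, for illustration only.
var (
	re   = regexp.MustCompile
	Flat = []Matcher{{re(`JAVA_RUNTIME [0-9.]+`), "oracle-jre", nil}, {re(`vendor: Azul`), "azul-zulu", nil}}
	Tree = Matcher{re(`JAVA_RUNTIME [0-9.]+`), "jre-unknown-vendor", []Matcher{
		{re(`vendor: Azul`), "azul-zulu", nil}, {re(`vendor: IBM`), "ibm-jre", nil}}}
	Sample = []byte("\x00JAVA_RUNTIME 21.0.1\x00vendor: Azul Systems\x00")
)

func main() {
	fmt.Println(AllMatches(Sample, Flat)) // [oracle-jre azul-zulu]: two packages for one file
	fmt.Println(Tree.Match(Sample))       // azul-zulu true: one package, the specific one
}
```

With independent rules the same file is reported under two vendors, which is how a wrong vendor CPE ends up in an SBOM; the branching form reports only the most specific match.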

kzantow added 3 commits July 2, 2025 11:35
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@@ -113,73 +113,10 @@ func DefaultClassifiers() []binutils.Classifier {
cpe.Must("cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
},
{
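Review bot: in DefaultClassifiers(), directly after the redis entry, the range shrinks from 73 lines to 10 and nothing visible at that spot says where the removed entries now live; a one-line comment there naming their new location would keep the list readable. Since none of the removed lines are shown in this hunk, a test asserting that DefaultClassifiers() still covers each Java runtime it covered before would catch an entry lost in the move.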
Contributor Author

All the java classifiers have been moved to a separate file 👇

Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow marked this pull request as ready for review July 2, 2025 18:29
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow merged commit 48bf81c into main Jul 22, 2025
12 checks passed
@kzantow kzantow deleted the fix/oracle-jdk-misidentification branch July 22, 2025 16:06
@kzantow kzantow linked an issue Jul 24, 2025 that may be closed by this pull request
Successfully merging this pull request may close these issues.

  • Improve JVM Scan Accuracy for JDK and JRE Detection
  • Azul JDK classified as Oracle JRE