From 1629043d7a0d32ecafbd06560f699b0b7cb2fe2c Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Wed, 18 Sep 2024 13:11:43 -0400
Subject: [PATCH] more permissive glob

Signed-off-by: Alex Goodman
---
 syft/pkg/cataloger/java/parse_jvm_release.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/java/parse_jvm_release.go b/syft/pkg/cataloger/java/parse_jvm_release.go
index 80ae046bd..e39be4779 100644
--- a/syft/pkg/cataloger/java/parse_jvm_release.go
+++ b/syft/pkg/cataloger/java/parse_jvm_release.go
@@ -12,6 +12,7 @@ import (
 	"github.com/mitchellh/mapstructure"
 
 	"github.com/anchore/packageurl-go"
+	stereoFile "github.com/anchore/stereoscope/pkg/file"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/cpe"
@@ -21,7 +22,10 @@ import (
 )
 
 const (
-	jvmReleaseGlob = "**/{java,jvm}/*/release"
+	// this is a very permissive glob that will match more than just the JVM release file.
+	// we started with "**/{java,jvm}/*/release", but this prevents scanning JVM archive contents (e.g. jdk8u402.zip).
+	// this approach lets us check more files for JVM release info, but be rather silent about errors.
+	jvmReleaseGlob = "**/release"
 	oracleVendor = "oracle"
 	openJdkProduct = "openjdk"
 	jre = "jre"
@@ -383,7 +387,7 @@ func parseJvmReleaseInfo(r io.ReadCloser) (*pkg.JavaVMRelease, error) {
 	defer r.Close()
 
 	data := make(map[string]any)
-	scanner := bufio.NewScanner(r)
+	scanner := bufio.NewScanner(io.LimitReader(r, 500*stereoFile.KB))
 	for scanner.Scan() {
 		line := scanner.Text()
 
@@ -405,6 +409,11 @@ func parseJvmReleaseInfo(r io.ReadCloser) (*pkg.JavaVMRelease, error) {
 		return nil, err
 	}
 
+	// if we're missing key fields, then we don't have a JVM release file
+	if data["JAVA_VERSION"] == nil && data["JAVA_RUNTIME_VERSION"] == nil {
+		return nil, nil
+	}
+
 	var ri pkg.JavaVMRelease
 	if err := mapstructure.Decode(data, &ri); err != nil {
 		return nil, err
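Review bot: The new early exit in the last hunk makes parseJvmReleaseInfo return `nil, nil` for any file named `release` that lacks both JAVA_VERSION and JAVA_RUNTIME_VERSION, so the function now has a three-way result (release, "not a release file", error) that callers outside this hunk must distinguish before dereferencing; the function's doc comment should state that, e.g. `// parseJvmReleaseInfo returns (nil, nil) when the content does not look like a JVM release file (no JAVA_VERSION or JAVA_RUNTIME_VERSION key); callers must check for a nil result.` The widened glob in the second hunk means this parser is now fed arbitrary files called `release`, so the `io.LimitReader` cap in the third hunk is the right memory bound; note that `bufio.Scanner` still has its own default 64 KiB per-line limit, so a long non-text line will surface as `bufio.ErrTooLong` from the `return nil, err` at the top of the last hunk, which appears to be the scanner error check but is cut at the hunk edge, and a short comment on the scanner line saying that such errors are expected and intentionally not fatal for the cataloger would match the "rather silent about errors" intent stated in the const comment. The body of parseJvmReleaseInfo starts and ends outside these hunks.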