more permissive glob

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Alex Goodman 2024-09-18 13:11:43 -04:00
parent 7c617fd14e
commit 1629043d7a


@ -12,6 +12,7 @@ import (
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
"github.com/anchore/packageurl-go" "github.com/anchore/packageurl-go"
stereoFile "github.com/anchore/stereoscope/pkg/file"
"github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/log"
"github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/cpe" "github.com/anchore/syft/syft/cpe"
@ -21,7 +22,10 @@ import (
) )
const ( const (
jvmReleaseGlob = "**/{java,jvm}/*/release" // this is a very permissive glob that will match more than just the JVM release file.
// we started with "**/{java,jvm}/*/release", but this prevents scanning JVM archive contents (e.g. jdk8u402.zip).
// this approach lets us check more files for JVM release info, but be rather silent about errors.
jvmReleaseGlob = "**/release"
oracleVendor = "oracle" oracleVendor = "oracle"
openJdkProduct = "openjdk" openJdkProduct = "openjdk"
jre = "jre" jre = "jre"
@ -383,7 +387,7 @@ func parseJvmReleaseInfo(r io.ReadCloser) (*pkg.JavaVMRelease, error) {
defer r.Close() defer r.Close()
data := make(map[string]any) data := make(map[string]any)
scanner := bufio.NewScanner(r) scanner := bufio.NewScanner(io.LimitReader(r, 500*stereoFile.KB))
for scanner.Scan() { for scanner.Scan() {
line := scanner.Text() line := scanner.Text()
@ -405,6 +409,11 @@ func parseJvmReleaseInfo(r io.ReadCloser) (*pkg.JavaVMRelease, error) {
return nil, err return nil, err
} }
// if we're missing key fields, then we don't have a JVM release file
if data["JAVA_VERSION"] == nil && data["JAVA_RUNTIME_VERSION"] == nil {
return nil, nil
}
var ri pkg.JavaVMRelease var ri pkg.JavaVMRelease
if err := mapstructure.Decode(data, &ri); err != nil { if err := mapstructure.Decode(data, &ri); err != nil {
return nil, err return nil, err
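Review bot: The guard `if data["JAVA_VERSION"] == nil && data["JAVA_RUNTIME_VERSION"] == nil` only detects absent keys; a file that contains `JAVA_VERSION=` with an empty value (now reachable, since the broadened `**/release` glob matches any file with that name) stores a non-nil empty entry and still falls through to produce a JavaVMRelease with no version. If the scanning loop above, which is outside the hunk, stores string values, testing for non-empty strings is tighter: `v, _ := data["JAVA_VERSION"].(string)`, `rv, _ := data["JAVA_RUNTIME_VERSION"].(string)`, `if v == "" && rv == "" { return nil, nil }`. The `nil, nil` result is a new contract ("not a JVM release file, and not an error") that callers must distinguish from a decode failure, so parseJvmReleaseInfo's doc comment, which sits before the hunk, should state it, along with the fact that the `io.LimitReader(r, 500*stereoFile.KB)` cap in the earlier hunk silently ignores anything past 500 KB. Note also that with the permissive glob a single line longer than bufio.Scanner's default 64 KiB token limit stops Scan with ErrTooLong, which the error check at the top of this hunk presumably surfaces as a parse error rather than as a "not a release file" result.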