8000 Add support for GraalVM and OracleJDK in parse_jvm_release · Issue #3762 · anchore/syft · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add support for GraalVM and OracleJDK in parse_jvm_release #3762

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
douglasclarke opened this issue Mar 26, 2025 · 2 comments · May be fixed by douglasclarke/syft#7
Open

Add support for GraalVM and OracleJDK in parse_jvm_release #3762

douglasclarke opened this issue Mar 26, 2025 · 2 comments · May be fixed by douglasclarke/syft#7
Labels
enhancement New feature or request

Comments

@douglasclarke
Copy link

What would you like to be added: Enhance the existing parse_jvm_release cataloger to address

Why is this needed: These JDK distro's have different versioning schemes and CPE identifiers that prevents them from being correctly identified and matched to known CVEs. The OracleJDK is based on OpenJDK but has its own versioning. The GraalVM releases have community and enterprise editions and also have a change in naming as of the 23 release. The GraalVM releases require the use of GRAALVM_VERSION attribute of the reelase info file.

Additional context:
I have a PR I am preparing in a fork. The chnage is more involved including a schema update and was hoping todiscuss the change and approach with @wagoodman based on the initial implementation.
@douglasclarke douglasclarke added the enhancement New feature or request label Mar 26, 2025
@douglasclarke douglasclarke mentioned this issue Mar 26, 2025
Closed
4 tasks
@spiffcs
Copy link
Contributor
spiffcs commented Mar 27, 2025
edited
Loading

Hey @douglasclarke! I know it's short notice here, but we have a community meeting/office hours this week at 12:00 EST if you'd like to join and discuss moving this forward or ways to get the contribution in.

https://github.com/anchore/syft?tab=readme-ov-file#syft-team-meetings

Otherwise @kzantow is probably one of the best contacts on our team for Java related thing as he has the most experience with some of the more nuanced sides of those catalogers.

This was referenced Apr 11, 2025
Closed
Open
@popey
Copy link
Contributor
popey commented May 9, 2025

Summary of discussion on last night's live stream where it was discussed (with more people):

  • Discussion: Alan Pope presented this Syft issue. The issue report includes a link to a PR in the user's own fork, not against the main Anchore Syft repository.
  • Problem: It appears to be a version parsing problem in Syft related to GraalVM. The user's PR seems to implement changes to correctly detect the GraalVM version.
  • Outcome: Alex Goodman will comment on the user's PR in their fork, suggesting they open it against the upstream anchore/syft repository if they are ready for it to be reviewed and potentially merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: No status
Milestone
No milestone
3 participants
@popey @spiffcs @douglasclarke
0