Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BOM file for coretto java rpm #368

Open
michmazur opened this issue Jul 18, 2024 · 4 comments
Open

BOM file for coretto java rpm #368

michmazur opened this issue Jul 18, 2024 · 4 comments

Comments

@michmazur
Copy link

Hi,

Our security team requires defining versions for all 3rd party dependencies used by our Docker images. There is an internal tool used for scanning, and it has problems with Coretto 11 RPM distribution.

I want to have the option to download/generate a BOM file during build in GitHub Actions and attach it to the build Docker file

Question:
Where can I find or generate a full BOM (SPDX format) file for the RPM distribution?

Snippet from Dockerfile:

# Install Java Coretto 11
RUN rpm --import https://yum.corretto.aws/corretto.key
RUN curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo
RUN dnf install -y java-11-amazon-corretto-devel
RUN java --version

The base image is Red Hat 9
@lutkerd
Copy link
Contributor

lutkerd commented Jul 18, 2024

Corretto does not currently provide an SBOM, we can look into what that would entail for all of the build types and platforms supported.

In the meantime, all of the license and version info should be in the legal directory of the RPM file.

@michmazur
Copy link
Author

Unfortunately, the "legal" catalog is not enough. Unknown versions are in the "jmod" directory

Like:

  • xmlsec-java usr/lib/jvm/java-11-amazon-corretto/jmods/java.xml.crypto.jmod/classes
  • xalan usr/lib/jvm/java-11-amazon-corretto/jmods/java.xml.jmod/classes/com/sun/org/apache
  • asm usr/lib/jvm/java-11-amazon-corretto/jmods/java.base.jmod/classes/jdk/internal/org/objectweb/asm

@lutkerd
Copy link
Contributor

lutkerd commented Aug 8, 2024

Those are all present.

xmlsec-java: https://github.com/corretto/corretto-11/blob/develop/src/java.xml.crypto/share/legal/santuario.md#apache-santuario-v303

xalan:

corretto-11/src/java.xml/share/legal/xalan.md

Line 1 in 360c1bd

## Apache Xalan v2.7.2

ASM: https://github.com/corretto/corretto-11/blob/develop/src/java.base/share/legal/asm.md?plain=1#L1

@dvorarogawski
Copy link

Hi Dan,

Thank you for your guidance on finding the legal .md files that document the versions. I was able to search in the repository for a bunch of the libraries we needed versions for by searching "/legal/bcel.md" for example (for bcel lib). However I am unable to find a document under the legal section for the below libraries.

mx4j, sjsxp, xmlsec-java

Can you assist?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lutkerd @dvorarogawski @michmazur