Description
What happened:
When scanning Docker images coming with many Java libraries (*.jar files), I noticed that some were either missing in the resulting SBOM, or were present but with the wrong name.
What you expected to happen:
I would expect all Java libraries to get detected and included in the SBOM with the correct names.
Steps to reproduce the issue:
Create a Docker image using this Dockerfile:
```dockerfile
FROM ubuntu:latest
# These will NOT be detected by Syft 1.14.0:
ADD https://repo1.maven.org/maven2/net/datafaker/datafaker/1.9.0/datafaker-1.9.0.jar /java/
ADD https://repo1.maven.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar /java/
# This one will be detected but with the WRONG NAME:
ADD https://repo1.maven.org/maven2/com/datastax/oss/java-driver-core-shaded/4.17.0/java-driver-core-shaded-4.17.0.jar /java/
# This one WILL be detected correctly by Syft 1.14.0:
ADD https://repo1.maven.org/maven2/com/google/guava/guava/33.3.1-jre/guava-33.3.1-jre.jar /java/
```
Create an image:
```sh
docker build -t testjava .
```
Create an SBOM and search for the presence of Java libraries:
```sh
syft scan testjava | grep java-archive
```
Only 2 out of the 4 libraries are detected:
```
core 4.17.0 java-archive
guava 33.3.1-jre java-archive
```
And note that the name of the java-driver-core-shaded library is incorrectly shown as just core.
Anything else we need to know?:
Environment:
Output of `syft version`:
```
Application: syft
Version: 1.14.0
BuildDate: 2024-10-07T20:40:39Z
GitCommit: ccbee94
GitDescription: v1.14.0
Platform: linux/amd64
GoVersion: go1.22.7
Compiler: gc
```
OS (e.g. `cat /etc/os-release` or similar):
```
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```
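A cross-check for this kind of SBOM gap, added here as an example that is not part of the report or of Syft itself: it derives each jar's Maven artifactId from the jar's embedded pom.properties and lists every jar whose artifactId never appears among the SBOM's package names, which catches both skipped jars and misnamed ones. The jar contents and the SBOM name set are constructed fixtures mirroring the four jars and the two grep lines above.

```python
"""Cross-check the jars actually present in an image against the package names an
SBOM reports for them, flagging jars that are missing or renamed."""
import io
import zipfile

def jar_identity(data: bytes) -> dict:
    """Return the Maven coordinates embedded in a jar: the groupId, artifactId and
    version keys of its META-INF/maven/<groupId>/<artifactId>/pom.properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                return props
    return {}  # no pom.properties: identity cannot be derived this way

def find_gaps(jar_blobs: dict, sbom_names: set) -> dict:
    """Map each jar filename to its artifactId when that artifactId does not appear
    among the SBOM's package names, i.e. the jar was skipped or misnamed."""
    gaps = {}
    for fname, data in jar_blobs.items():
        artifact = jar_identity(data).get("artifactId")
        if artifact not in sbom_names:
            gaps[fname] = artifact
    return gaps

def make_jar(group: str, artifact: str, version: str) -> bytes:
    """Constructed fixture: a minimal jar holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

# Constructed stand-ins for the four jars in the report (real jars would be read
# from the image filesystem); the SBOM names mirror the two grep lines in the report.
SAMPLE_JARS = {
    "datafaker-1.9.0.jar": make_jar("net.datafaker", "datafaker", "1.9.0"),
    "javax.inject-1.jar": make_jar("javax.inject", "javax.inject", "1"),
    "java-driver-core-shaded-4.17.0.jar": make_jar("com.datastax.oss", "java-driver-core-shaded", "4.17.0"),
    "guava-33.3.1-jre.jar": make_jar("com.google.guava", "guava", "33.3.1-jre"),
}
REPORTED_SBOM_NAMES = {"core", "guava"}

if __name__ == "__main__":
    for fname, artifact in find_gaps(SAMPLE_JARS, REPORTED_SBOM_NAMES).items():
        print(f"{fname}: artifactId {artifact!r} not in SBOM")
```

Against the constructed fixtures the three jars the report calls missing or misnamed are flagged and guava is not.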