Does not detect Oracle JDK 1.8.0_91

[ghost]

What happened:

Does not discover some Oracle Java installations. The path is not even mentioned in the generated syft-json output.

What you expected to happen:

Detect Oracle Java (for licence compliance survey)

Steps to reproduce the issue:

Java is installed on a server as part of an Oracle product (12cR2). I don't know how to reproduce that.

# ./syft --output syft-json --file myserver.sbom.syft.json \
> --exclude ./proc --exclude ./sys --exclude ./dev --exclude ./run \
> dir:/

jq '.artifacts[] | select(.name == "java") | {"name": .name, "cpes": .cpes, "paths": .locations | map(.path)}' myserver.sbom.syft.json

This shows a number of results for Java, but nothing inside /opt/oracle/product/12.2.0/

Grepping the SBoM for /opt/oracle/product/12.2.0/ shows plenty of results, but nothing with bin/java

Anything else we need to know?:

The Java 'release' file looks like the following:

# cat /opt/oracle/product/12.2.0/client_64/jdk/release
JAVA_VERSION="1.8.0_91"
OS_NAME="Linux"
OS_VERSION="2.6"
OS_ARCH="amd64"
SOURCE=" .:574417338118 corba:f8d0cfaa9900 deploy:533e20357a00 hotspot:fa8991ccf6e5 hotspot/make/closed:c0ee4cb5e8ee hotspot/src/closed:886b814d251d hotspot/test/closed:af7b7237cce4 install:d028e4e7f041 jaxp:f6bda5729ff8 jaxws:e71f424e2c96 jdk:f8725698a870 jdk/make/closed:68f13d0ff50a jdk/src/closed:2cb0fde09d2c jdk/test/closed:fa8356bd840f langtools:8921667c26ba nashorn:6296644a2c9c pubs:1cb5455f7c71 sponsors:c6134a642c3e"
BUILD_TYPE="commercial"

There is also a 32-bit version installed that wasn't detected.

# cat /opt/oracle/product/12.2.0/client_32/jdk/release
JAVA_VERSION="1.8.0_91"
OS_NAME="Linux"
OS_VERSION="2.6"
OS_ARCH="i586"
SOURCE=" .:574417338118 corba:f8d0cfaa9900 deploy:533e20357a00 hotspot:fa8991ccf6e5 hotspot/make/closed:c0ee4cb5e8ee hotspot/src/closed:886b814d251d hotspot/test/closed:af7b7237cce4 install:d028e4e7f041 jaxp:f6bda5729ff8 jaxws:e71f424e2c96 jdk:f8725698a870 jdk/make/closed:68f13d0ff50a jdk/src/closed:2cb0fde09d2c jdk/test/closed:fa8356bd840f langtools:8921667c26ba nashorn:6296644a2c9c pubs:1cb5455f7c71 sponsors:c6134a642c3e"
BUILD_TYPE="commercial"

Environment:

• Output of syft version: syft 0.82.0
• OS (e.g: cat /etc/os-release or similar): RHEL7.9

[tgerla]

Hi @pythiankerr, can you attach the resulting SBOM and we can take a look to see what is has detected? The relevant binary detection mechanism is here:

syft/syft/pkg/cataloger/binary/default_classifiers.go

Line 90 in 1bd9de9

Class: "java-binary-oracle",

We are looking for binaries called "java" and a particular version string within that binary, and for some reason it may not be matching the release you have deployed with Oracle. Having a look at the SBOM might help us figure out what, if anything, it is matching. Thanks!

[tgerla]

Hi there, since we haven't heard back we'll go ahead and close this issue, but please feel free to re-open it with additional information if you are still having a problem. Thank you!