feat(java): use full path for nested jars #3992
@@ -105,11 +106,15 @@ func toApplication(fileType, filePath, libFilePath string, r dio.ReadSeekerAt, l | |||
} | |||
locs = append(locs, l) | |||
} | |||
libPath := libFilePath | |||
if lib.FilePath != "" { | |||
libPath = filepath.ToSlash(lib.FilePath) |
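Review bot: filepath.ToSlash on the line libPath = filepath.ToSlash(lib.FilePath) only rewrites separators when the scanner itself is built for Windows, so the result depends on the host OS rather than on how lib.FilePath was assembled. If that value is joined from archive entry names, building it with forward slashes where it is created would make this conversion unnecessary; otherwise a short comment on why the conversion is needed here would help.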
We use / in PkgPath when scanning in Windows. That's why I added ToSlash here.
Oh, we should have used slashes here. path.Join must be used rather than filepath.Join. The inner separator in ZIP files is always slashed even though it is created on Windows.
4.4.17 file name: (Variable)
4.4.17.1 The name of the file, with optional relative path. The path stored MUST NOT contain a drive or device letter, or a leading slash. All slashes MUST be forward slashes '/' as opposed to backwards slashes '\' for compatibility with Amiga and UNIX file systems etc. If input came from standard input, there is no file name field.
fixed in 564b68b
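The point made in this thread (ZIP entry names always use forward slashes, so nested paths are joined with path.Join), as an added example that is not part of the PR or of Trivy's code: it walks an in-memory archive and builds the full virtual path of each nested jar. The names nestedJars, buildZip, app.jar and the entry names are assumptions for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// buildZip returns an in-memory ZIP with a single entry (constructed sample input).
func buildZip(name string, data []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create(name) // error ignored: the target is a bytes.Buffer
	f.Write(data)
	w.Close()
	return buf.Bytes()
}

// nestedJars lists the full virtual path of every .jar inside data, recursively.
func nestedJars(virtualPath string, data []byte) (found []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		if path.Ext(f.Name) != ".jar" {
			continue
		}
		if strings.Contains(f.Name, `\`) || strings.HasPrefix(f.Name, "/") {
			return nil, fmt.Errorf("%s: entry name %q violates APPNOTE 4.4.17.1", virtualPath, f.Name)
		}
		full := path.Join(virtualPath, f.Name) // path, not filepath: "/" on every OS
		inner, err := fs.ReadFile(zr, f.Name)
		if err != nil {
			return nil, err
		}
		sub, err := nestedJars(full, inner)
		if err != nil {
			return nil, err
		}
		found = append(append(found, full), sub...)
	}
	return found, nil
}

func main() { fmt.Println(nestedJars("app.jar", buildZip("lib/inner.jar", buildZip("a.txt", nil)))) }
```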
@@ -105,11 +105,15 @@ func toApplication(fileType, filePath, libFilePath string, r dio.ReadSeekerAt, l | |||
} | |||
locs = append(locs, l) | |||
} | |||
libPath := libFilePath | |||
if lib.FilePath != "" { |
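Review bot: libPath, libFilePath and lib.FilePath appear within two lines of each other at libPath := libFilePath and differ only by punctuation, which makes it easy to misread which value wins. Consider renaming the parameter or the local so that the fallback (the function parameter) and the override (the per-library path) are distinguishable at a glance.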
Can we add a comment?
if lib.FilePath != "" { | |
// This file path is populated for virtual file paths within archives, such as nested JAR files. | |
if lib.FilePath != "" { |
Added in 98da085
pkg/report/table/vulnerability.go
Outdated
firstExtIndex := len(path) | ||
for _, ext := range jarExtensions { | ||
i := strings.Index(path, ext) | ||
if i != -1 && i < firstExtIndex { | ||
firstExtIndex = i + len(ext) | ||
} | ||
} | ||
return path[:firstExtIndex] |
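Review bot: in the loop over jarExtensions, firstExtIndex is compared as a start offset (i < firstExtIndex) but assigned an end offset (i + len(ext)), which is only correct while no two matches overlap. strings.Index also matches the extension anywhere in the string, not only at the end of a path element. Tracking the earliest start and adding len(ext) at the return, or matching per path element, would make the intent explicit.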
I'm afraid of the case where the path is /path/to/test.warning/app.jar. It is rare, though.
firstExtIndex := len(path) | |
for _, ext := range jarExtensions { | |
i := strings.Index(path, ext) | |
if i != -1 && i < firstExtIndex { | |
firstExtIndex = i + len(ext) | |
} | |
} | |
return path[:firstExtIndex] | |
// File paths are always forward-slashed in Trivy | |
paths := strings.Split(path, "/") | |
for i, p := range paths { | |
if slices.Contains(jarExtensions, filepath.Ext(p)) { | |
return strings.Join(paths[:i+1], "/") | |
} | |
} | |
return path |
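Review bot: slices.Contains(jarExtensions, filepath.Ext(p)) is an exact, case-sensitive match, so an element such as APP.JAR is not treated as a jar unless jarExtensions lists that casing; lowercasing the extension before the lookup would cover it. Since the comment above the split says paths are always forward-slashed, path.Ext would also be more consistent here than filepath.Ext.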
Updated in 98da085
Description
Use full path for nested jars.
The table format still only uses name of root jar. The json format uses full path.
Before:
After:
Related issues
Related PRs
Checklist