Description
Please add the exact image (with tag) that you are using
eclipse-temurin:17-jre-alpine
Please add the version of Docker you are running
24.0.5
What happened?
We are using eclipse-temurin:17-jre-alpine as the base for many images. We are creating SBOMs (CycloneDX) for all our images using trivy. We discovered that these SBOMs do not include the JRE (but all other APKs from the base image). The reason is likely that the JRE is not installed as an APK but extracted from a Tar archive.
The question I have is whether you are aware of any SBOM creators that can still detect the JRE. Or are there any plans for providing a complete SBOM for the Docker image which we can then merge with our additions?
Relevant log output
No response
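The gap described in this issue can be detected and closed after the scan by merging a component built from the runtime's own metadata. The following is an added example, not part of the original issue or of any project's tooling. It assumes the image's Java install directory contains the standard OpenJDK `release` file; the sample inputs, component name and property name are constructed for illustration.

```python
import json
import re

# Constructed sample of the `release` file an OpenJDK build ships in its
# install directory (values are illustrative, not read from the real image).
SAMPLE_RELEASE = '''IMPLEMENTOR="Eclipse Adoptium"
IMPLEMENTOR_VERSION="Temurin-17.0.8+7"
JAVA_VERSION="17.0.8"
IMAGE_TYPE="JRE"
'''

# Constructed CycloneDX fragment: APK packages only, as described in the issue.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r1"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r2"},
    ],
}

JAVA_NAME = re.compile(r"(jre|jdk|openjdk|temurin)", re.IGNORECASE)


def parse_release(text):
    """Parse KEY="value" lines of a JDK/JRE `release` file into a dict."""
    pairs = re.findall(r'^([A-Z_]+)="?([^"\n]*)"?$', text, re.MULTILINE)
    return dict(pairs)


def has_java_runtime(sbom):
    """True if any component name already looks like a Java runtime."""
    return any(JAVA_NAME.search(c.get("name", "")) for c in sbom.get("components", []))


def add_runtime(sbom, release):
    """Return a copy of the SBOM with the runtime appended if it is missing."""
    merged = json.loads(json.dumps(sbom))  # deep copy, keeps input untouched
    if has_java_runtime(merged):
        return merged
    merged.setdefault("components", []).append({
        "type": "application",
        "name": "temurin-" + release.get("IMAGE_TYPE", "jdk").lower(),  # hypothetical naming
        "version": release["JAVA_VERSION"],
        "supplier": {"name": release.get("IMPLEMENTOR", "unknown")},
        "properties": [{"name": "example:source", "value": "JAVA_HOME/release"}],
    })
    return merged
```

Running `has_java_runtime` over each generated SBOM in CI turns the silent omission into a failing check, and `add_runtime` is idempotent, so it is safe to apply to SBOMs that already list the runtime.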