
Conversation


@kateeselius kateeselius commented Nov 5, 2025

Goal: Expand support for JVM vuln scanning by parsing the release file.

Jira Ticket:
Design Doc:

Discovered it is possible to parse the release file generated when Java is loaded in an image.

An example release file:

IMPLEMENTOR="Eclipse Adoptium"
IMPLEMENTOR_VERSION="Temurin-11.0.28+6"
JAVA_RUNTIME_VERSION="11.0.28+6"
JAVA_VERSION="11.0.28"
JAVA_VERSION_DATE="2025-07-15"
LIBC="gnu"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs ... etc"
..... other fields ...... 

This PR extracts the Java version from the release file and sends the version to registry to be scanned for vulns.

We have a separate scan result, keyBinariesHashes, that discovers java binaries within the image and will send a hash of the binary to registry. In registry, these hashes are attempted to be resolved to a package (named 'openjdk-jre') and version with a call to hash-lookup. A depGraph is generated from the matched java packages, with the package manager set to "upstream". These naming conventions are set in order to match vulns with our db.

In registry, the extracted java version will be added to the keyBinariesHashes flow to be added to the depGraph and scanned for vulnerabilities. Since package names in the depGraph need to be unique, there can only be one 'openjdk-jre' package within the tree. This constraint means that we only add the java version parsed from the release file if there were no successfully matched hash-lookup binaries. In other words, this feature only supports scanning one version of Java.

Overview of Changes Within Snyk-docker-plugin:

  1. Add JavaRuntimeMetadata Structure definitions.
  2. Extraction Layer - create new extract action that is looking for the release file when scanning the image.
  3. Analysis Layer - Parse the contents of the release file to extract the Java version.
  4. Response Building - add the javaRuntimeMetadata fact to the first scanResult (handled not as a separate application scan, but part of the OS-level scan alongside keyBinariesHashes)
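The parse-and-merge steps described above, as an added example that is not the plugin's own code: it reads the `KEY="value"` lines of a JDK release file into a metadata object, validates `JAVA_VERSION` before trusting it (the file is part of the image, so its contents are controlled by whoever built the image), and applies the uniqueness rule for 'openjdk-jre' in the depGraph. The names `JavaRuntimeMetadata`, `parseReleaseFile`, `mergeJavaVersion` and `DepGraphPkg` are illustrative assumptions, and the sample file is constructed from the example in the description with the MODULES list shortened.

```typescript
// Added example (not snyk-docker-plugin code): parse a JDK "release" file and
// apply the depGraph merge rule from the PR description. Type and function
// names are illustrative assumptions, not the plugin's API.

interface JavaRuntimeMetadata {
  implementor?: string;
  implementorVersion?: string;
  javaVersion?: string;
  javaRuntimeVersion?: string;
  javaVersionDate?: string;
  libc?: string;
  modules?: string[];
}

interface DepGraphPkg {
  name: string; // 'openjdk-jre' for Java, as in the description
  version: string;
}

// The release file is image content, i.e. untrusted input. Only accept the
// shapes real JDKs emit (11.0.28, 1.8.0_462, 21+35, 11.0.28-ea) before the
// value is forwarded anywhere.
const VERSION_RE = /^[0-9]+(?:[._+-][0-9A-Za-z]+)*$/;

function unquote(value: string): string {
  const v = value.trim();
  return v.length >= 2 && v.startsWith('"') && v.endsWith('"') ? v.slice(1, -1) : v;
}

// Parse KEY="value" lines. Unknown keys are ignored, blank and '#' lines are
// skipped, and a malformed JAVA_VERSION yields no version rather than garbage.
function parseReleaseFile(contents: string): JavaRuntimeMetadata {
  const fields = new Map<string, string>();
  for (const raw of contents.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    fields.set(line.slice(0, eq).trim(), unquote(line.slice(eq + 1)));
  }
  const version = fields.get("JAVA_VERSION");
  const modules = fields.get("MODULES");
  return {
    implementor: fields.get("IMPLEMENTOR"),
    implementorVersion: fields.get("IMPLEMENTOR_VERSION"),
    javaVersion: version !== undefined && VERSION_RE.test(version) ? version : undefined,
    javaRuntimeVersion: fields.get("JAVA_RUNTIME_VERSION"),
    javaVersionDate: fields.get("JAVA_VERSION_DATE"),
    libc: fields.get("LIBC"),
    modules: modules === undefined ? undefined : modules.split(/\s+/).filter((m) => m !== ""),
  };
}

// Merge rule from the description: package names in the depGraph must be
// unique, so the release-file version is added as 'openjdk-jre' only when
// hash-lookup matched no Java binaries at all.
function mergeJavaVersion(hashMatched: DepGraphPkg[], meta: JavaRuntimeMetadata): DepGraphPkg[] {
  if (hashMatched.length > 0 || meta.javaVersion === undefined) {
    return hashMatched;
  }
  return [...hashMatched, { name: "openjdk-jre", version: meta.javaVersion }];
}

// Constructed sample: the example release file from the PR description with
// the MODULES list shortened.
const SAMPLE_RELEASE = [
  'IMPLEMENTOR="Eclipse Adoptium"',
  'IMPLEMENTOR_VERSION="Temurin-11.0.28+6"',
  'JAVA_RUNTIME_VERSION="11.0.28+6"',
  'JAVA_VERSION="11.0.28"',
  'JAVA_VERSION_DATE="2025-07-15"',
  'LIBC="gnu"',
  'MODULES="java.base java.compiler java.datatransfer java.xml java.prefs"',
].join("\n");

const parsedSample = parseReleaseFile(SAMPLE_RELEASE);
console.log(parsedSample.javaVersion); // 11.0.28
console.log(mergeJavaVersion([], parsedSample));
console.log(mergeJavaVersion([{ name: "openjdk-jre", version: "17.0.2" }], parsedSample));
```

The version check is the part worth keeping even if the rest changes: without it, a crafted release file can push an arbitrary string into the version that gets sent to registry.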

@kateeselius kateeselius changed the title WIP - feat: POC support from JVM release file parsing feat: JVM release file parsing Nov 16, 2025

@bdemeo12 bdemeo12 left a comment


Looks great!

One tiny general nit, there are a lot of comments in this PR. You could move the final design, and reasons as to why you chose to do xyz into a confluence doc, and clean up a lot of these comments!
