[jar] gracefully handle jars bundled with jdk

[prabhu]

Currently these results in some warnings.

https://github.com/CycloneDX/cdxgen/actions/runs/11243996010/job/31261144612#step:9:112

Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/share/java/java-atk-wrapper.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/share/ca-certificates-java/ca-certificates-java.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/management-agent.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/local_policy.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/US_export_policy.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/localedata.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/jaccess.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/icedtea-sound.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/dnsns.jar
Unable to extract the component information from /tmp/docker-images-yL2Yuh/all-layers/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/cldrdata.jar
total 320

[prabhu]

With ghcr.io/appthreat/bci-java:main

node /Volumes/Work/CycloneDX/cdxgen/bin/cdxgen.js -t docker ghcr.io/appthreat/bci-java:main -o bom-opensuse.json
About to export image ghcr.io/appthreat/bci-java:main to /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/image.tar using nerdctl cli
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/uiautomator.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/core-for-system-modules.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/android.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/android-stubs-src.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/optional/org.apache.http.legacy.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/optional/android.test.runner.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/optional/android.test.mock.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/optional/android.test.base.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/platforms/android-33/optional/android.car.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdkmanager-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/screenshot2-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/retrace-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/r8.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/profgen-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/lint-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/avdmanager-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/apkanalyzer-classpath.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdklib/tools.sdklib.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdklib/sdklib.core.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdklib/libsdkmanager_lib.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdklib/libavdmanager_lib.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/sdk-common/tools.sdk-common.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/repository/tools.repository.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/profgen/profgen-cli/libprofgen-cli-lib.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/profgen/profgen/libprofgen.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/misc/screenshot2/libscreenshot2lib.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/lint/tools.lint-model.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/lint/tools.lint-checks.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/lint/tools.lint-api.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/lint/cli/cli.jar
Unable to extract the component information from /var/folders/tj/qpj19ty13n193twz68w6phj80000gn/T/docker-images-vLss3a/all-layers/opt/android-sdk-linux/cmdline-tools/latest/lib/layoutlib-api/tools.layoutlib-api.jar

[youhaveme9]

Hey @prabhu
I would like to take up this issue
Can you please explain a bit more?
Thanks

[prabhu]

@youhaveme9 These warnings are created when we try to catalog jars bundled with jdk, android sdk etc. The wording Unable to extract the component information is not helpful. I think we need to create one component for the correct version of jdk or android sdk and add all these jars as child components of type file with some hashes.

You can run cdxgen with -t docker ghcr.io/appthreat/bci-java:main and the environment variable CDXGEN_DEBUG_MODE=debug to reproduce this.

Thank you so much for your help! Please drop me an email to prabhu at appthreat dot dev, so that we can meet online and discuss virtually as well.

[youhaveme9]

Hey @prabhu
Dropped you an email
Please check at your convenience