SBoM of Docker image contains test dependencies

[nils-christian]

Hi,

We opened this issue in the context of the Spring Boot project, but according to the developers, the issue lies in the executable-jar framework,

Expected Behavior

The SBoM should not contain test dependencies from the Maven pom file in general.

Current Behavior

When creating the Docker image for a Maven project, the resulting SBoM files contain entries for the test dependencies.

Motivations

This is an issue as vulnerability scanners use these meta files to check the image for security violations. In our case this leads to various false positives that have to be checked manually.

Thank you and best regards

Nils

[dmikusa]

The Java buildpacks are not making any decisions about which JAR files from your application to include or not include in the resulting image. When you run a build, you either a.) pass in a pre-compiled JAR file or b.) the buildpack runs maven/gradle/etc... and which builds a JAR file. In either case, the buildpacks operate on that JAR file and whatever is in that JAR file ends up in your image. Thus the first, and most likely place from which unwanted JARs would come is your application's build system (i.e. gradle/maven/etc..). You can test this easily by running a build locally and looking at the contents of the JAR for the offending files.

Some buildpacks will add tools, like the Spring Boot buildpack which can add in the Spring Cloud Bindings JAR file, or an APM buildpack that installs a JAR file Agent to run the APM tools. I cannot think of any that would install testing tools off the top of my head, but if you told me specifically what JARs you're seeing I could confirm.

Also, can you tell me how you are procuring the SBOM file? There are two sets of SBOM files generated by buildpacks. The first is from build-time. It scans the application source code and it will include tools like Maven because they are present at build-time. The second is from run-time. This is a picture of what ends up in the often much smaller run-time container. If you're using the build-time SBOM then I know for a fact you'll see the build tool, but I suppose you might see other build-time only things like testing libraries as well.