We have observed that some third-party vendor software uses the .zap packaging type for Java packages. Syft can’t parse or read package information from the .zap type.
Example:
https://github.com/zaproxy/zaproxy/releases/download/v2.17.0/ZAP_2.17.0_Linux.tar.gz
Extract the tar.gz and the .zap files are available at the location “ZAP_2.17.0/plugin/”.
I have extracted a .zap file and the contents are almost similar to a jar file. Have you encountered any of these packaging types other than .jar, .war,
Is there any plan to support these new packaging types?
Hi @santhosh, it looks like we just need to add the zap prefix to our Java archive handling, which is in part here: syft/syft/pkg/cataloger/java/archive_filename.go at main · anchore/syft · GitHub
If you wanted to add an issue for this, that would be great. I’m not sure we are going to be able to get to it immediately, so PRs are welcome – the main thing that we would need aside from the code change is a test showing that we’re properly handling these files.
If you wanted to rename the .zap files to .jar, you could see what the handling in Syft would likely result in with the aforementioned change.
Would this work for you?
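To show what the suggested change amounts to, here is an added example that is not Syft's code: an extension check that treats .zap like .jar, and a manifest reader that pulls the same Implementation-* headers a Java cataloger reads from a .jar, since the extracted .zap is a zip with the same layout. The extension list and the sample archive are constructed for this example; until an extension is recognised this way, anything packaged under it is simply absent from the SBOM.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"path"
	"strings"
)

// Java archive extensions; ".zap" is the thread's proposed addition (assumed list, not Syft's).
var javaArchiveExts = map[string]bool{".jar": true, ".war": true, ".ear": true, ".zap": true}

// IsJavaArchive reports whether a filename's extension marks it as a Java archive.
func IsJavaArchive(name string) bool {
	return javaArchiveExts[strings.ToLower(path.Ext(name))]
}

// ReadManifest treats data as a zip archive and returns the main-section headers of
// META-INF/MANIFEST.MF; a line starting with a space continues the previous value (folding).
func ReadManifest(data []byte) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	rc, err := zr.Open("META-INF/MANIFEST.MF") // error if the entry is missing
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	m, last := map[string]string{}, ""
	for sc := bufio.NewScanner(rc); sc.Scan() && sc.Text() != ""; { // stop at first blank line
		line := sc.Text()
		if strings.HasPrefix(line, " ") && last != "" {
			m[last] += line[1:]
		} else if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
			last = kv[0]
			m[last] = strings.TrimSpace(kv[1])
		}
	}
	return m, nil
}

// BuildSampleArchive writes a minimal zip holding only a manifest (constructed test data).
func BuildSampleArchive(manifest string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("META-INF/MANIFEST.MF")
	w.Write([]byte(manifest))
	zw.Close()
	return buf.Bytes()
}
```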
Thanks for your response. Since it is just a one-liner change, I could do it. But I have a compliance policy with my current company where I don’t have permission to contribute to open source. Let me see if I can find anyone who has permission.
Regarding changing the extension from .zap to .jar: since they are coming from a third-party jar, I can’t change it, as it might cause other issues in the deployment.