BOM file for coretto java rpm

[michmazur]

Hi,

Our security team requires defining versions for all 3rd party dependencies used by our Docker images. There is an internal tool used for scanning, and it has problems with Coretto 11 RPM distribution.

I want to have the option to download/generate a BOM file during build in GitHub Actions and attach it to the build Docker file

Question:
Where can I find or generate a full BOM (SPDX format) file for the RPM distribution?

Snippet from Dockerfile:

# Install Java Coretto 11
RUN rpm --import https://yum.corretto.aws/corretto.key
RUN curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo
RUN dnf install -y java-11-amazon-corretto-devel
RUN java --version

The base image is Red Hat 9

[lutkerd]

Corretto does not currently provide an SBOM, we can look into what that would entail for all of the build types and platforms supported.

In the meantime, all of the license and version info should be in the legal directory of the RPM file.

[michmazur]

Unfortunately, the "legal" catalog is not enough. Unknown versions are in the "jmod" directory

Like:

• xmlsec-java usr/lib/jvm/java-11-amazon-corretto/jmods/java.xml.crypto.jmod/classes
• xalan usr/lib/jvm/java-11-amazon-corretto/jmods/java.xml.jmod/classes/com/sun/org/apache
• asm usr/lib/jvm/java-11-amazon-corretto/jmods/java.base.jmod/classes/jdk/internal/org/objectweb/asm

[lutkerd]

Those are all present.

xmlsec-java: https://github.com/corretto/corretto-11/blob/develop/src/java.xml.crypto/share/legal/santuario.md#apache-santuario-v303

xalan:

corretto-11/src/java.xml/share/legal/xalan.md

Line 1 in 360c1bd

## Apache Xalan v2.7.2

ASM: https://github.com/corretto/corretto-11/blob/develop/src/java.base/share/legal/asm.md?plain=1#L1