fix: scan on windows not identifying jar file #5066

@smirgel

Description

When running cve-bin-tool on Windows and producing an SBOM, jar files seem not to be identified at all.

To reproduce

Steps to reproduce the behaviour:

  1. Create new directory
  2. Download a jar file, for example this one: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.24.3/log4j-core-2.24.3.jar
  3. Run a scan and produce an SBOM, for example: cve-bin-tool . --sbom-format json --sbom-type cyclonedx --sbom-output sbom-output.json

Expected behaviour:
Running the same scan on Linux, the jar file is identified as:

    {
      "type": "library",
      "bom-ref": "2-log4j",
      "name": "log4j",
      "version": "2.24.3",
      "supplier": {
        "name": "apache"
      },
      "cpe": "cpe:/a:apache:log4j:2.24.3",
      "evidence": {
        "occurrences": [
          {
            "location": "/tmp/cve-bin-tool-lc9c7g5g/log4j-core-2.24.3.jar.extracted/META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml"
          }
        ]
      }
    }

Version/platform info

Version of CVE-bin-tool: 3.4
Installed from pypi or github? pypi
Operating system:

OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348

Python version: 3.12.10

Anything else?

scan.log
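
A check for the silent failure this issue describes, as an added example (not cve-bin-tool code): it compares the jar files in a scanned directory against the evidence locations in the CycloneDX output and lists jars that no component accounts for. It assumes extracted jars appear as a `<name>.jar.extracted` path segment, as in the Linux output above; the function names and sample data are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

EXTRACTED = ".extracted"  # suffix seen in the evidence path quoted in the issue

# Constructed samples: the component reported on Linux, and an SBOM without
# components, assumed here to stand in for the Windows result described above.
LINUX_SBOM = {"components": [{
    "name": "log4j", "version": "2.24.3",
    "evidence": {"occurrences": [{"location":
        "/tmp/cve-bin-tool-lc9c7g5g/log4j-core-2.24.3.jar.extracted"
        "/META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml"}]},
}]}
EMPTY_SBOM = {"components": []}


def file_name(path) -> str:
    """Last path segment, lower-cased, whichever separator the path uses."""
    return re.split(r"[\\/]", str(path))[-1].lower()


def jars_with_evidence(sbom: dict) -> set:
    """Jar names that occur in any component's evidence location."""
    found = set()
    for component in sbom.get("components", []):
        for occ in component.get("evidence", {}).get("occurrences", []):
            # Split on both separators so Windows and POSIX paths parse alike.
            for part in re.split(r"[\\/]", occ.get("location", "").lower()):
                if part.endswith(".jar" + EXTRACTED):
                    found.add(part[: -len(EXTRACTED)])
    return found


def unidentified_jars(jar_paths, sbom: dict) -> list:
    """Jar paths whose file name never shows up as SBOM evidence."""
    seen = jars_with_evidence(sbom)
    return sorted(str(p) for p in jar_paths if file_name(p) not in seen)


if __name__ == "__main__":
    # Usage: python check_jars.py <scanned-dir> <sbom-output.json>
    sbom = json.loads(Path(sys.argv[2]).read_text(encoding="utf-8"))
    missing = unidentified_jars(Path(sys.argv[1]).rglob("*.jar"), sbom)
    for jar in missing:
        print(f"no SBOM component references {jar}")
    sys.exit(1 if missing else 0)
```

The match is by file name only, so two jars with the same name in different directories count as one, and a jar identified without an extraction path in its evidence is still reported.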

Labels: bug (Something isn't working), higher priority (Issues we'd like fixed sooner rather than later, often ones that come directly from users.)