Using an app based on Spring Boot 3.3.0-RC1; if you run jarmode tools extract after you produced an SBOM using the CycloneDX plugin, you will lose the SBOM.
How to reproduce
Take this project for example: https://github.com/anthonydahanne/petclinic-efficient-container/tree/buildpacks/
- create a "normal" Spring Boot jar:
./mvnw package
- unzip it:
unzip target/petclinic-jdbc-1.0.0-SNAPSHOT.jar -d unzipped
- list the content of the sbom folder
ls -al unzipped/META-INF/sbom
total 384
drwxr-xr-x@ 3 anthonyd2 staff 96 May 21 18:03 .
drwxr-xr-x@ 7 anthonyd2 staff 224 May 21 19:07 ..
-rw-r--r--@ 1 anthonyd2 staff 195256 May 21 19:07 application.cdx.json
- run extract from jarmode tool
java -Djarmode=tools -jar target/petclinic-jdbc-1.0.0-SNAPSHOT.jar extract --destination unpacked
- list the content: you won't find any sbom
tree unpacked
unpacked
├── lib
│ ├── HdrHistogram-2.1.12.jar
│ ├── HikariCP-5.1.0.jar
│ ├── LatencyUtils-2.0.3.jar
│ ├── attoparser-2.0.7.RELEASE.jar
│ ├── bootstrap-3.3.6.jar
│ ├── byte-buddy-1.14.13.jar
│ ├── caffeine-3.1.8.jar
│ ├── checker-qual-3.37.0.jar
│ ├── classgraph-4.8.168.jar
│ ├── classmate-1.7.0.jar
│ ├── error_prone_annotations-2.21.1.jar
│ ├── hibernate-validator-8.0.1.Final.jar
│ ├── jackson-annotations-2.17.0.jar
│ ├── jackson-core-2.17.0.jar
│ ├── jackson-databind-2.17.0.jar
│ ├── jackson-datatype-jdk8-2.17.0.jar
│ ├── jackson-datatype-jsr310-2.17.0.jar
│ ├── jackson-module-parameter-names-2.17.0.jar
│ ├── jakarta.annotation-api-2.1.1.jar
│ ├── jakarta.validation-api-3.0.2.jar
│ ├── jboss-logging-3.5.3.Final.jar
│ ├── jquery-2.2.4.jar
│ ├── jquery-ui-1.11.4.jar
│ ├── jspecify-0.3.0.jar
│ ├── jsqlparser-4.6.jar
│ ├── jsr305-3.0.2.jar
│ ├── jul-to-slf4j-2.0.13.jar
│ ├── log4j-api-2.23.1.jar
│ ├── log4j-to-slf4j-2.23.1.jar
│ ├── logback-classic-1.5.6.jar
│ ├── logback-core-1.5.6.jar
│ ├── micrometer-commons-1.13.0-RC1.jar
│ ├── micrometer-core-1.13.0-RC1.jar
│ ├── micrometer-jakarta9-1.13.0-RC1.jar
│ ├── micrometer-observation-1.13.0-RC1.jar
│ ├── postgresql-42.7.3.jar
│ ├── slf4j-api-2.0.13.jar
│ ├── snakeyaml-2.2.jar
│ ├── spring-aop-6.2.0-M1.jar
│ ├── spring-beans-6.2.0-M1.jar
│ ├── spring-boot-3.3.0-RC1.jar
│ ├── spring-boot-actuator-3.3.0-RC1.jar
│ ├── spring-boot-actuator-autoconfigure-3.3.0-RC1.jar
│ ├── spring-boot-autoconfigure-3.3.0-RC1.jar
│ ├── spring-boot-jarmode-tools-3.3.0-RC1.jar
│ ├── spring-context-6.2.0-M1.jar
│ ├── spring-context-support-6.2.0-M1.jar
│ ├── spring-core-6.2.0-M1.jar
│ ├── spring-data-commons-3.3.0-RC1.jar
│ ├── spring-data-jdbc-3.3.0-RC1.jar
│ ├── spring-data-relational-3.3.0-RC1.jar
│ ├── spring-expression-6.2.0-M1.jar
│ ├── spring-jcl-6.2.0-M1.jar
│ ├── spring-jdbc-6.2.0-M1.jar
│ ├── spring-tx-6.2.0-M1.jar
│ ├── spring-web-6.2.0-M1.jar
│ ├── spring-webmvc-6.2.0-M1.jar
│ ├── thymeleaf-3.1.2.RELEASE.jar
│ ├── thymeleaf-spring6-3.1.2.RELEASE.jar
│ ├── tomcat-embed-core-10.1.20.jar
│ ├── tomcat-embed-el-10.1.20.jar
│ ├── tomcat-embed-websocket-10.1.20.jar
│ ├── unbescape-1.1.6.RELEASE.jar
│ ├── webjars-locator-core-0.58.jar
│ └── webjars-locator-lite-0.0.3.jar
└── petclinic-jdbc-1.0.0-SNAPSHOT.jar
2 directories, 66 files
- go deeper; unzip the new unpacked/petclinic-jdbc-1.0.0-SNAPSHOT.jar and explore the content - you won't find the sbom anymore
tree runner-jar
runner-jar
├── META-INF
│ └── MANIFEST.MF
├── application-local.properties
├── application.properties
├── banner.txt
├── data-h2.sql
[...]
Expected behaviour
Content of META-INF/ should not disappear during extract
Comment From: philwebb
This might be a duplicate of #40456. @anthonydahanne Can you try the latest SNAPSHOT?
Comment From: anthonydahanne
yes, with 3.3.0-SNAPSHOT, application.cdx.json, as well as other META-INF files, survived the unpack
cd unpacked
unzip petclinic-jdbc-1.0.0-SNAPSHOT.jar -d runner-jar
[...]
inflating: runner-jar/META-INF/native-image/org.springframework.experimental/petclinic-jdbc/native-image.properties
inflating: runner-jar/META-INF/native-image/org.springframework.experimental/petclinic-jdbc/resource-config.json
inflating: runner-jar/META-INF/native-image/org.springframework.experimental/petclinic-jdbc/reflect-config.json
inflating: runner-jar/META-INF/native-image/org.springframework.experimental/petclinic-jdbc/proxy-config.json
inflating: runner-jar/META-INF/sbom/application.cdx.json
[...]
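A build pipeline can guard against the regression reported in this thread by comparing the META-INF entries of the original jar with those of the extracted runner jar. The script below is an added example, not code from the issue or from Spring Boot; the function names and the sample jars are constructed for illustration, and only the META-INF/sbom/ location and the .cdx.json suffix come from the report.

```python
import io
import json
import zipfile

SBOM_PREFIX = "META-INF/sbom/"  # SBOM location shown in the report above

def meta_inf_entries(jar):
    """Return the file entries under META-INF/ in a jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return {n for n in zf.namelist()
                if n.startswith("META-INF/") and not n.endswith("/")}

def lost_meta_inf(original_jar, extracted_jar):
    """META-INF files present in the original jar but absent after extraction."""
    # Only entry names are compared, not their contents.
    return sorted(meta_inf_entries(original_jar) - meta_inf_entries(extracted_jar))

def sbom_components(jar):
    """Map each CycloneDX SBOM entry in the jar to its component count."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith(SBOM_PREFIX) and name.endswith(".cdx.json"):
                doc = json.loads(zf.read(name))
                if doc.get("bomFormat") != "CycloneDX":
                    raise ValueError(f"{name}: not a CycloneDX document")
                found[name] = len(doc.get("components", []))
    return found

def make_jar(entries):
    """Build an in-memory jar from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed sample data, not the real petclinic artifacts.
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                   "components": [{"name": "spring-boot", "version": "3.3.0-RC1"}]}).encode()
ORIGINAL = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "META-INF/sbom/application.cdx.json": SBOM,
                     "BOOT-INF/classes/application.properties": b""})
EXTRACTED_RC1 = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          "application.properties": b""})

if __name__ == "__main__":
    print("lost META-INF entries:", lost_meta_inf(ORIGINAL, EXTRACTED_RC1))
    print("SBOMs in extracted jar:", sbom_components(EXTRACTED_RC1))
```

Against real artifacts, pass the two jar paths from the reproduction steps (the one under target/ and the one under unpacked/) and fail the build when `lost_meta_inf` is non-empty or `sbom_components` returns an empty dict.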