[RHACS] Issue while scanning nested jars

Solution Verified - Updated -

Issue

  • Scanning uber (fat) jars that contain nested dependencies does not show the nested component.
  • No vulnerabilities are detected when scanning fat/nested jars, for example jars that contain Log4J libraries nested inside them.
  • An example is the New Relic Java agent, which nests Log4J dependencies within fat jars. The scanner detects neither the log4j vulnerability for the New Relic Java agent nor its component.
  • The log4j component is not found by the scanner. Other vulnerabilities are being detected.
  • The log4j component is in newrelic.jar, which is not detected. The scanner is skipping that JAR file.
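
To confirm independently whether a fat jar nests Log4j, the archive can be walked recursively. The sketch below is an added example, not part of the original article or of RHACS; the function names, limits and the in-memory sample jar are constructed for illustration, and it assumes Log4j is identifiable by its Maven metadata path or by jar file name.

```python
import io
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: Log4j is recognised by its Maven metadata path, or by jar file name as a fallback.
LOG4J_POM = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-[\w-]+)/pom\.properties$")
LOG4J_JAR = re.compile(r"(?:^|/)(log4j-(?:core|api))-(\d[\w.-]*)\.jar$")
MAX_DEPTH = 8              # stop on pathological nesting
MAX_BYTES = 256 * 2**20    # skip oversized entries instead of inflating them

def find_log4j(data, label, depth=0):
    """Return sorted (location, component, version) tuples for a jar passed as bytes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            name, where = info.filename, f"{label}!/{info.filename}"
            if info.file_size > MAX_BYTES:
                continue
            pom = LOG4J_POM.search(name)
            if pom:
                props = zf.read(info).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                hits.append((where, pom.group(1), ver.group(1).strip() if ver else "unknown"))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                inner = find_log4j(zf.read(info), where, depth + 1)
                by_name = LOG4J_JAR.search(name)
                if not inner and by_name:  # metadata stripped: fall back to the file name
                    inner = [(where, by_name.group(1), by_name.group(2))]
                hits.extend(inner)
    return sorted(hits)

def make_jar(entries):
    # Build a jar in memory from {entry name: bytes}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample():
    """Constructed fat jar: agent -> deps.jar -> log4j-core jar, plus a metadata-less log4j-api jar."""
    pom = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"
    core = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": pom})
    deps = make_jar({"lib/log4j-core-2.14.1.jar": core, "lib/log4j-api-2.14.1.jar": make_jar({"x.txt": b""})})
    return make_jar({"com/example/Agent.class": b"", "deps.jar": deps})
```

For a jar extracted from an image, read the file as bytes and pass it with its path as the label. Relocated (shaded) classes that carry no Maven metadata and no recognisable jar name are not found by this check.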

Environment

  • Red Hat Advanced Cluster Security:
    3.x
