stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/unchecked/scanner/java-osgi-bundle-manifest-parsing.md

1.8 KiB
Raw Blame History

Java OSGi Bundle Manifest Parsing

Module

Scanner

Status

IMPLEMENTED

Description

Parses OSGi bundle MANIFEST.MF headers (Bundle-SymbolicName, Import-Package, Export-Package, Require-Bundle) to discover embedded dependencies and version ranges in Eclipse/Karaf/Felix deployments.

Implementation Details

  • OSGi Bundle Parsing:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Osgi/OsgiBundleParser.cs - OsgiBundleParser parses MANIFEST.MF headers including Bundle-SymbolicName, Import-Package, Export-Package, and Require-Bundle to discover embedded dependencies and version ranges
  • Signature Manifest Analysis:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Signature/JavaSignatureManifestAnalyzer.cs - Analyzes JAR signature manifests alongside bundle manifests
  • Entrypoint Resolution:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Resolver/JavaEntrypointResolution.cs - Resolves entrypoints from bundle exports
  • Language Analyzer: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs

E2E Test Plan

  • Scan a container image with an OSGi-based deployment (Eclipse/Karaf/Felix) and verify bundles are discovered from MANIFEST.MF files
  • Verify Bundle-SymbolicName is extracted and mapped to component identifiers in the SBOM
  • Verify Import-Package and Export-Package headers are parsed to identify inter-bundle dependencies with version ranges
  • Verify Require-Bundle declarations are resolved to concrete bundle dependencies
  • Verify version ranges in OSGi format (e.g., [1.0,2.0)) are correctly parsed and represented
  • Verify embedded JAR bundles within OSGi containers are detected and attributed