Skip to content

fix: normalize java runtime qualifiers in maven version comparisons#3034

Merged
wagoodman merged 2 commits intoanchore:mainfrom
jamestexas:fix/jre-version-matching
Nov 14, 2025
Merged

fix: normalize java runtime qualifiers in maven version comparisons#3034
wagoodman merged 2 commits intoanchore:mainfrom
jamestexas:fix/jre-version-matching

Conversation

@jamestexas
Copy link
Copy Markdown
Contributor

@jamestexas jamestexas commented Nov 6, 2025

Fix: Normalize Java runtime qualifiers in Maven version comparisons

Problem

Maven/Java packages may include JRE/JDK runtime qualifiers in filenames (.jreNN, .jdkNN), but these qualifiers may not appear in the JAR's internal version metadata (from MANIFEST.MF).

When Grype compares versions:

  • Scanned package version: 12.10.2 (extracted from JAR metadata)
  • Advisory fixed version: 12.10.2.jre11 (from advisory database)
  • Result: Comparison fails as 12.10.212.10.2.jre11False positive CVE reported

The runtime qualifiers don't affect semantic versioning and should be normalized before comparison.

Solution

Strip .jre<digits> and .jdk<digits> suffixes before Maven version parsing, following the existing pattern used for other version qualifiers (RELEASE, FINAL, GA).

Behavior after fix:

  • 12.10.2 == 12.10.2.jre11
  • 12.10.2.jre11 == 12.10.2.jdk17
  • 12.10.1 < 12.10.2.jre11 ✅ (actual version differences preserved)

Testing

  • Added 7 test cases covering JRE/JDK qualifier scenarios
  • All existing version package tests pass (no regressions)
  • Test coverage includes: equal versions with different qualifiers, qualifier combinations, and real version differences across qualified versions

References

  • Upstream library: github.com/masahiro331/go-mvn-version (does not normalize runtime qualifiers)
  • Affected packages: Maven/Java libraries that use JRE/JDK qualifiers in distribution names

@jamestexas
fix: normalize java runtime qualifiers in maven version comparisons
6966b48 
Signed-off-by: James Gardner <james.gardner@chainguard.dev>
@jamestexas
Copy link
Copy Markdown
Contributor Author

jamestexas commented Nov 7, 2025
edited
Loading

When researching this a bit more, I found that the suffix is non-standard for Maven parsing. It supports . as a delimiter, but treats jre11 as an unknown qualifier that sorts after known ones (alpha, beta, rc, ga, etc.), which breaks version matching.

I believe the fix is still appropriate, but let me know if I should be approaching this differently!

@jamie-albert jamie-albert mentioned this pull request Nov 7, 2025
Merged
@wagoodman
make case insensitive, add more tests, compile regex as global
083f104 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman enabled auto-merge (squash) November 14, 2025 20:40
@wagoodman wagoodman added the bug Something isn't working label Nov 14, 2025
@wagoodman wagoodman merged commit d743c07 into anchore:main Nov 14, 2025
12 checks passed
@jamestexas
Copy link
Copy Markdown
Contributor Author

jamestexas commented Nov 14, 2025

Thank you for the review and help!

@joshbressers joshbressers mentioned this pull request Nov 14, 2025
Closed
@willmurphyscode willmurphyscode linked an issue Nov 14, 2025 that may be closed by this pull request
Unnormalized fix version triggers false-positive in mssql-jdbc #3042
Closed
@BrewTestBot BrewTestBot mentioned this pull request Nov 17, 2025
Merged
@kzantow kzantow mentioned this pull request Nov 19, 2025
Closed
spiffcs added a commit to joonas/grype that referenced this pull request Nov 20, 2025
@spiffcs
Merge branch 'main' into chore/replace-archiver-with-archives
f76df12 
* main:
  chore(deps): update tools to latest versions (anchore#3051)
  chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (anchore#3059)
  chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (anchore#3060)
  chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 (anchore#3061)
  chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (anchore#3063)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (anchore#3064)
  chore(deps): update anchore dependencies (anchore#3055)
  test: update quality gate db to latest version (anchore#3053)
  fix: normalize java runtime qualifiers in maven version comparisons (anchore#3034)
  chore(deps): update tools to latest versions (anchore#3045)
  fix: junit template use CDATA block to prevent XML parse errors (anchore#3019)
  feat: add basic VEX support for SBOM and other sources
  chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 (anchore#3046)
  chore(deps): bump github.com/opencontainers/selinux (anchore#3044)
  chore(deps): bump github.com/olekukonko/tablewriter from 1.1.0 to 1.1.1 (anchore#3039)
  keep nested loggers labeled (anchore#3040)
kbsteere added a commit to kbsteere/wolfictl that referenced this pull request Dec 2, 2025
@kbsteere
bug: update grype to fix java jar suffix issue; see upstream patch an…
38df837 
…chore/grype#3034

Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev>
@kbsteere kbsteere mentioned this pull request Dec 2, 2025
Merged
@bdemeo12
Copy link
Copy Markdown

bdemeo12 commented Jan 13, 2026

Hi Grype!

I'm looking to understand your fix for this issue. From my understanding, jre8 and jre11 are different java runtimes, so it's possible that they have different code/dependencies to support the different runtimes, meaning that a bug in jre8, could not appear in jre11, and vice versa.

By stripping all jreXX and jdkXX suffixes before comparing versions, is it possible that this could result in over reporting vulns?

Thank you!

jnewton03 added a commit to liquibase/build-logic that referenced this pull request Feb 23, 2026
@jnewton03 @claude
Upgrade anchore/scan-action from v5 to v7.3.2 (Grype v0.107.1)
31ff8da 
The pinned scan-action (v5) bundled Grype v0.85.0 which has a
false-positive for CVE-2025-59250 on mssql-jdbc due to Microsoft's
non-standard version metadata. This was fixed in Grype v0.104.1+
(anchore/grype#3034). Upgrading to scan-action v7.3.2 which bundles
Grype v0.107.1 resolves the false positive at the scanner level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jnewton03 added a commit to liquibase/build-logic that referenced this pull request Feb 23, 2026
@jnewton03 @claude
Upgrade anchore/scan-action from v5 to v7.3.2 (Grype v0.107.1)
e532d68 
The pinned scan-action (v5) bundled Grype v0.85.0 which has a
false-positive for CVE-2025-59250 on mssql-jdbc due to Microsoft's
non-standard version metadata. This was fixed in Grype v0.104.1+
(anchore/grype#3034). Upgrading to scan-action v7.3.2 which bundles
Grype v0.107.1 resolves the false positive at the scanner level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jnewton03 jnewton03 mentioned this pull request Feb 23, 2026
Merged
3 tasks
jnewton03 added a commit to liquibase/build-logic that referenced this pull request Feb 23, 2026
@jnewton03 @claude
Upgrade anchore/scan-action from v5 to v7.3.2 (Grype v0.107.1) (#493)
df52007 
The pinned scan-action (v5) bundled Grype v0.85.0 which has a
false-positive for CVE-2025-59250 on mssql-jdbc due to Microsoft's
non-standard version metadata. This was fixed in Grype v0.104.1+
(anchore/grype#3034). Upgrading to scan-action v7.3.2 which bundles
Grype v0.107.1 resolves the false positive at the scanner level.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unnormalized fix version triggers false-positive in mssql-jdbc

3 participants

@jamestexas @bdemeo12 @wagoodman