The Native Image Inspect Tool extracts embedded Software Bill of Materials (SBOM) from native executables. The functionality for extracting class-level metadata is now deprecated.
11
+
The Native Image Inspect Tool extracts embedded Software Bill of Materials (SBOM) from native executables. The functionality for extracting class-level metadata is no longer supported.
12
12
13
13
## Extracting Embedded SBOM
14
14
15
15
Native Image can embed a SBOM at build time to detect any libraries that may be susceptible to known security vulnerabilities.
16
16
Native Image provides the `--enable-sbom` option to embed an SBOM into a native executable (only available in Oracle GraalVM).
17
17
18
-
The Native Image Inspect Tool can extract the compressed SBOM using the optional `--sbom` parameter, as shown in the command: `$JAVA_HOME/bin/native-image-inspect --sbom <path_to_binary>`.
18
+
The Native Image Inspect Tool can extract the compressed SBOM using the `--sbom` parameter, as shown in the command:
> The extraction of class-level metadata using `native-image-inspect` is deprecated. In GraalVM for JDK 24, a deprecation warning is printed to `stderr`, and this functionality will be removed in GraalVM for JDK 25. Please migrate to using [class-level SBOMs](../../security/SBOM.md#including-class-level-metadata-in-the-sbom) instead by passing `--enable-sbom=class-level,export` to the `native-image` builder, which generates an SBOM containing the same kind of class-level metadata information.
23
-
24
-
Native Image provides the Inspect Tool to list all classes, fields, and methods included in a native executable or a native shared library.
25
-
Run the command `$JAVA_HOME/bin/native-image-inspect <path_to_binary>` to list classes, methods, fields, and constructors in the JSON format that validates against the JSON schema defined in [`native-image-inspect-schema-v0.2.0.json`](assets/native-image-inspect-schema-v0.2.0.json) (only available in Oracle GraalVM).
26
-
27
-
The `native-image` builder, by default, includes metadata in the native executable which then enables the Inspect Tool to list the included methods.
28
-
29
-
The amount of data included is fairly minimal compared to the overall size of the native executable, however you can set the `-H:-IncludeMethodData` option to disable the metadata emission.
30
-
Images compiled with this option will not be able to be inspected by the tool.
23
+
The Native Image Inspect Tool previously supported listing the classes, fields, and methods included in a native executable or a native shared library.
24
+
This functionality is no longer supported for security reasons.
25
+
Migrate to using [class-level SBOMs](../../security/native-image.md#including-class-level-metadata-in-the-sbom) instead by passing `--enable-sbom=class-level,export` to the `native-image` builder, which generates an SBOM containing the same kind of class-level metadata information.
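Review bot: The migration link in the last added line targets `../../security/native-image.md#including-class-level-metadata-in-the-sbom`, while the deprecation note earlier in this file used the same anchor under `../../security/SBOM.md`, and `docs/security/SBOM.md` is the file this commit also edits. Please confirm the new target exists and carries that anchor, or keep the `SBOM.md` path. Also, "no longer supported for security reasons" gives readers nothing to act on. Since the removed paragraph documented `-H:-IncludeMethodData`, consider one sentence stating what the concern is and that `IncludeMethodData` now defaults to `false` (as the CHANGELOG entry in this commit says), so users who inspected older binaries know what to expect.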
File: docs/security/SBOM.md (1 addition, 1 deletion)
@@ -18,7 +18,7 @@ The implementation constructs the SBOM by recovering all version information obs
18
18
The SBOM is compressed to limit the SBOM's impact on the native executable size.
19
19
The SBOM is stored in the `gzip` format with the exported `sbom` symbol referencing its start address and the `sbom_length` symbol referencing its size.
20
20
21
-
After embedding the compressed SBOM into the executable, the [Native Image Inspect Tool](../reference-manual/native-image/InspectTool.md) is able to extract the compressed SBOM using an optional`--sbom` parameter accessible through `$JAVA_HOME/bin/native-image-inspect --sbom <path_to_binary>` from both executables and shared libraries.
21
+
After embedding the compressed SBOM into the executable, the [Native Image Inspect Tool](../reference-manual/native-image/InspectTool.md) is able to extract the compressed SBOM using the`--sbom` parameter accessible through `$JAVA_HOME/bin/native-image-inspect --sbom <path_to_binary>` from both executables and shared libraries.
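Review bot: The added line still reads "using the`--sbom` parameter" with no space before the opening backtick, carried over from the old "optional`--sbom`"; please change it to "using the `--sbom` parameter" so the inline code renders separately from the preceding word. While touching this sentence, it could also be split after the command, since "accessible through ... from both executables and shared libraries" is hard to parse as one clause.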
File: substratevm/CHANGELOG.md (1 addition, 0 deletions)
@@ -4,6 +4,7 @@ This changelog summarizes major changes to GraalVM Native Image.
4
4
5
5
## GraalVM for JDK 25
6
6
* (GR-58668) Enabled [Whole-Program Sparse Conditional Constant Propagation (WP-SCCP)](https://github.com/oracle/graal/pull/9821) by default, improving the precision of points-to analysis in Native Image. This optimization enhances static analysis accuracy and scalability, potentially reducing the size of the final native binary.
7
+
* (GR-59313) Deprecated class-level metadata extraction using `native-image-inspect` and removed option `DumpMethodsData`. Use class-level SBOMs instead by passing `--enable-sbom=class-level,export` to the `native-image` builder. The default value of option `IncludeMethodData` was changed to `false`.
7
8
8
9
## GraalVM for JDK 24 (Internal Version 24.2.0)
9
10
* (GR-59717) Added `DuringSetupAccess.registerObjectReachabilityHandler` to allow registering a callback that is executed when an object of a specified type is marked as reachable during heap scanning.
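Review bot: The new (GR-59313) entry says "Deprecated class-level metadata extraction", but the documentation changed in this same commit replaces "now deprecated" with "no longer supported", and the entry sits under "GraalVM for JDK 25", the release the earlier note named for removal. Please align the wording (for example "Removed class-level metadata extraction using `native-image-inspect`") so the changelog and InspectTool.md agree. The `IncludeMethodData` default change to `false` is a behaviour change for anyone who set or relied on that option, so it may deserve its own sentence rather than a trailing clause.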
@Option(help = "Verify type states computed by the static analysis at run time. This is useful when diagnosing problems in the static analysis, but reduces peak performance significantly.", type = OptionType.Debug)//