
Handling unresolved or non-standard version references in the Amazon Inspector SBOM Generator

The Amazon Inspector SBOM Generator locates and parses supported artifacts within a system by identifying dependencies directly from source files. It's not a package manager and does not resolve version ranges, infer versions based on dynamic references, or handle registry lookups. It collects dependencies only as they're defined in project source artifacts. In many cases, dependencies in package manifests, such as package.json, pom.xml, or requirements.txt, are specified using unresolved or range-based versions. This topic includes examples of how these dependencies might look.

Recommendations

The Amazon Inspector SBOM Generator extracts dependencies from source artifacts, but doesn't resolve or interpret version ranges or dynamic references. For more accurate vulnerability scanning and SBOMs, we recommend using resolved, semantic version identifiers in project dependencies.

Java

For Java, Maven projects can use version ranges to define dependencies in the pom.xml file.

<dependency>
    <groupId>org.inspector</groupId>
    <artifactId>inspector-api</artifactId>
    <version>(,1.0]</version>
</dependency>

The range specifies that any version up to and including 1.0 is acceptable. Because the range does not identify a single resolved version, the Amazon Inspector SBOM Generator won't collect this dependency: the reference cannot be mapped to a specific release.

JavaScript

For JavaScript, the package.json file can include version ranges that resemble the following:

"dependencies": {
    "ky": "^1.2.0",
    "registry-auth-token": "^5.0.2",
    "registry-url": "^6.0.1",
    "semver": "^7.6.0"
}

The ^ operator specifies that any version greater than or equal to the specified version is acceptable. Because the specified version is not a resolved version, the Amazon Inspector SBOM Generator won't collect it; collecting an unresolved reference could lead to false positives during vulnerability detection.

Python

For Python, the requirements.txt file can include entries that use a comparison operator instead of an exact version.

requests>=1.0.0

The >= operator specifies that any version greater than or equal to 1.0.0 is acceptable. Because this particular expression doesn't specify an exact version, the Amazon Inspector SBOM Generator cannot reliably collect a version for vulnerability analysis.

The Amazon Inspector SBOM Generator doesn't support non-standard or ambiguous version identifiers, such as beta, latest, or snapshot.

pkg:maven/org.example.com/testmaven@1.0.2%20Beta-RC-1_Release
Note

The use of a non-standard suffix, such as Beta-RC-1_Release, isn't compliant with standard semantic versioning and cannot be assessed for vulnerabilities within the Amazon Inspector detection engine.
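As an added example, not part of the AWS documentation or of the SBOM Generator's own code, the following Python script pre-scans the three manifest types discussed above and reports each dependency whose version reference the generator would skip (a range, a dynamic tag such as latest, or a non-standard suffix), so it can be pinned before the SBOM is generated. The sample manifests are constructed from the page's examples, and treating only a plain MAJOR.MINOR.PATCH as resolved is an assumption of this example.

```python
import json
import re
import xml.etree.ElementTree as ET

SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")  # assumption: only plain MAJOR.MINOR.PATCH is resolved
AMBIGUOUS = {"", "beta", "latest", "snapshot"}  # identifiers the page names as unsupported

def classify_version(ref: str) -> str:
    """Return 'resolved', 'range' (operator or Maven bracket syntax) or 'non-standard'."""
    v = ref.strip().removeprefix("==")  # pip's exact pin '==x.y.z' is a resolved version
    if v.lower() in AMBIGUOUS:
        return "non-standard"
    if v[0] in "^~><![(" or "," in v or v == "*":
        return "range"
    return "resolved" if SEMVER_RE.match(v) else "non-standard"

def unresolved_in_requirements(text: str) -> list:
    # requirements.txt: 'name<op>version'; a bare name or a comparison operator is flagged
    found = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line.split("#", 1)[0].strip())
        if m and classify_version(m.group(2)) != "resolved":
            found.append((m.group(1), m.group(2), classify_version(m.group(2))))
    return found

def unresolved_in_package_json(text: str) -> list:
    # package.json: ^, ~, ranges and dist-tags such as 'latest' are flagged
    deps = json.loads(text).get("dependencies", {})
    return [(n, v, classify_version(v)) for n, v in deps.items()
            if classify_version(v) != "resolved"]

def unresolved_in_pom(text: str) -> list:
    # pom.xml: every <dependency> whose <version> is a range or non-standard is flagged
    found = []
    for dep in ET.fromstring(text).iter():
        if dep.tag.split("}")[-1] == "dependency":  # tolerate a default namespace
            f = {c.tag.split("}")[-1]: (c.text or "") for c in dep}
            kind = classify_version(f.get("version", ""))
            if kind != "resolved":
                found.append((f.get("artifactId", "?"), f.get("version", ""), kind))
    return found

# Constructed sample manifests, modelled on the page's examples.
POM = """<project><dependencies>
<dependency><groupId>org.inspector</groupId><artifactId>inspector-api</artifactId><version>(,1.0]</version></dependency>
<dependency><groupId>org.inspector</groupId><artifactId>inspector-core</artifactId><version>2.3.1</version></dependency>
</dependencies></project>"""
PACKAGE_JSON = '{"dependencies": {"ky": "^1.2.0", "semver": "7.6.0", "left-pad": "latest"}}'
REQUIREMENTS = "requests>=1.0.0\nurllib3==2.2.1  # pinned\nflask\n"
```

Each flagged tuple is (package, reference as written, reason); anything reported should be replaced by an exact release before running the generator.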