
Which OpenJDK11 components are dependent on MuJS on Alpine Linux?


MuJS is a JavaScript interpreter, which doesn't exist in the list of packages for Alpine Linux (latest release 3.14 as of now). However, when one installs an OpenJDK11 package on Alpine, as shown below, it does seem to get picked up by security scanning tools:

apk add openjdk11-jre

Where can I find the list of all Linux components that get bundled/installed along with the installation of OpenJDK11?


Solution

  • Where can I find the list of all Linux components that get bundled/installed along with the installation of OpenJDK11?

    For the list of dependent packages that are installed along with openjdk11-jre, you can refer to the package page. You could also see them when installing the package with apk.

    To get the list of installed Java modules, run: java --list-modules.

    To get the complete list of files that are installed with this package and its dependent packages, you could dump the list of all files of the container:

    sudo docker export <container-id> | tar tfv - > out.txt
    

    Then, do the same for the vanilla Alpine 3.14 image, and compare the outputs. You can see the diff here.

    However, when one installs an OpenJDK11 package on Alpine, as shown below, it does seem to get picked up by security scanning tools.

    This is most likely a false positive, based on available evidence:

    • As you've noted, there's no MuJS dependency listed, and no MuJS package is available in the Alpine repositories (package name search, content search)
    • None of the MuJS files could be found on the container: mujs executable, libmujs.a, libmujs.so or any of the source files
    • In theory, if part of the OpenJDK distribution, MuJS could be statically linked into one of the libraries and executables. So just in case, I searched the OpenJDK 11 GitHub mirror for mujs, which gave 0 results
    • A similar issue was previously posted on the OpenJDK mailing list, but not answered:
      https://mail.openjdk.java.net/pipermail/discuss/2019-June/005069.html

    My suggestion is to contact the security scan tool vendor and report this issue as a potential false positive.
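
The listing comparison and MuJS file-name search described in the answer above, as an added example that is not part of the original answer. It assumes the column layout of GNU tar's `tfv` output; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two `docker export <container-id> | tar tfv -`
# listings and flag MuJS file names among the paths the JDK image added.

# Strip the five leading columns of GNU `tar tfv` output (mode, owner, size,
# date, time) and any symlink/hard-link target, leaving one path per line.
listing_paths() {
    sed -E -e 's/^[^ ]+ +[^ ]+ +[0-9,]+ +[0-9-]+ +[0-9:]+ //' \
           -e 's/ -> .*$//' -e 's/ link to .*$//' "$1" | LC_ALL=C sort -u
}

# Paths present in the JDK listing ($2) but not in the base listing ($1).
added_paths() {
    base_tmp=$(mktemp) && jdk_tmp=$(mktemp) || return 1
    listing_paths "$1" > "$base_tmp"
    listing_paths "$2" > "$jdk_tmp"
    LC_ALL=C comm -13 "$base_tmp" "$jdk_tmp"
    rm -f "$base_tmp" "$jdk_tmp"
}

# Added paths whose file name matches the MuJS artifacts named in the answer
# (mujs executable, libmujs.a, libmujs.so). Prints nothing when none exist.
mujs_hits() {
    added_paths "$1" "$2" | grep -E '(^|/)(mujs|libmujs\.(a|so[0-9.]*))$' || true
}

# Constructed sample listings (illustrative, not real export output).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/base.txt" <<'EOF'
drwxr-xr-x 0/0               0 2021-06-15 14:34 bin/
-rwxr-xr-x 0/0          841288 2021-06-15 14:34 bin/busybox
lrwxrwxrwx 0/0               0 2021-06-15 14:34 bin/sh -> /bin/busybox
EOF
cat > "$sample/jdk.txt" <<'EOF'
drwxr-xr-x 0/0               0 2021-06-15 14:34 bin/
-rwxr-xr-x 0/0          841288 2021-06-15 14:34 bin/busybox
lrwxrwxrwx 0/0               0 2021-06-15 14:34 bin/sh -> /bin/busybox
-rwxr-xr-x 0/0           14000 2021-07-20 10:00 usr/lib/jvm/java-11-openjdk/bin/java
-rw-r--r-- 0/0          130000 2021-07-20 10:00 usr/lib/jvm/java-11-openjdk/lib/libjava.so
EOF
echo "Added by the JDK install:"; added_paths "$sample/base.txt" "$sample/jdk.txt"
echo "MuJS file names found: $(mujs_hits "$sample/base.txt" "$sample/jdk.txt" | wc -l)"
```

A file-name search like this cannot rule out statically linked code, which is why the answer also searched the OpenJDK source mirror.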