From 5a90af12856078109b736298b49776e3886cdd68 Mon Sep 17 00:00:00 2001
From: William Murphy
Date: Thu, 24 Aug 2023 13:28:40 -0400
Subject: [PATCH] Fix: don't validate pom declared group (#2054)
Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/java/package_url.go | 6 +-
 syft/pkg/cataloger/java/package_url_test.go | 86 +++++++++++++++++++++
 2 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/syft/pkg/cataloger/java/package_url.go b/syft/pkg/cataloger/java/package_url.go
index d29f1ae3c06..df1baf791c8 100644
--- a/syft/pkg/cataloger/java/package_url.go
+++ b/syft/pkg/cataloger/java/package_url.go
@@ -84,7 +84,7 @@ func groupIDFromPomProperties(properties *pkg.PomProperties) (groupID string) {
 return groupID
 }
- if looksLikeGroupID(properties.GroupID) {
+ if properties.GroupID != "" {
 return cleanGroupID(properties.GroupID)
 }
@@ -103,7 +103,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 }
 // check the project details
- if looksLikeGroupID(project.GroupID) {
+ if project.GroupID != "" {
 return cleanGroupID(project.GroupID)
 }
@@ -116,7 +116,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 // let's check the parent details
 // if the current project does not have a group ID, but the parent does, we'll use the parent's group ID
 if project.Parent != nil {
- if looksLikeGroupID(project.Parent.GroupID) {
+ if project.Parent.GroupID != "" {
 return cleanGroupID(project.Parent.GroupID)
 }
diff --git a/syft/pkg/cataloger/java/package_url_test.go b/syft/pkg/cataloger/java/package_url_test.go
index 665827a2dcc..7ffb0a365b1 100644
--- a/syft/pkg/cataloger/java/package_url_test.go
+++ b/syft/pkg/cataloger/java/package_url_test.go
@@ -10,10 +10,12 @@ import (
 func Test_packageURL(t *testing.T) {
 tests := []struct {
+ name string
 pkg pkg.Package
 expect string
 }{
 {
+ name: "maven",
 pkg: pkg.Package{
 Name: "example-java-app-maven",
 Version: "0.1.0",
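Review bot: In groupIDFromPomProperties the new `properties.GroupID != ""` check accepts any non-empty string read from the scanned archive's pom.properties, a whitespace-only value included, and that string becomes the purl namespace that consumers of the SBOM match on. Unless cleanGroupID (not visible here) already trims such input, test the trimmed value instead: `if id := strings.TrimSpace(properties.GroupID); id != "" {` followed by `return cleanGroupID(id)`. The `project.GroupID` and `project.Parent.GroupID` checks in the two groupIDFromPomProject hunks have the same gap. If the intent is that a declared group ID is authoritative, a comment such as `// declared in the POM, so accepted as-is without the looksLikeGroupID heuristic` above each check would record that. All three function bodies continue outside their hunks.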
@@ -38,6 +40,90 @@ func Test_packageURL(t *testing.T) {
 },
 expect: "pkg:maven/org.anchore/example-java-app-maven@0.1.0",
 },
+ {
+ name: "POM properties have explicit group ID without . in it",
+ pkg: pkg.Package{
+ Name: "example-java-app-maven",
+ Version: "0.1.0",
+ Language: pkg.Java,
+ Type: pkg.JavaPkg,
+ MetadataType: pkg.JavaMetadataType,
+ Metadata: pkg.JavaMetadata{
+ VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+ Manifest: &pkg.JavaManifest{
+ Main: map[string]string{
+ "Manifest-Version": "1.0",
+ },
+ },
+ PomProperties: &pkg.PomProperties{
+ Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+ GroupID: "commons",
+ ArtifactID: "example-java-app-maven",
+ Version: "0.1.0",
+ Extra: make(map[string]string),
+ },
+ },
+ },
+ expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+ },
+ {
+ name: "POM project has explicit group ID without . in it",
+ pkg: pkg.Package{
+ Name: "example-java-app-maven",
+ Version: "0.1.0",
+ Language: pkg.Java,
+ Type: pkg.JavaPkg,
+ MetadataType: pkg.JavaMetadataType,
+ Metadata: pkg.JavaMetadata{
+ VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+ Manifest: &pkg.JavaManifest{
+ Main: map[string]string{
+ "Manifest-Version": "1.0",
+ },
+ },
+ PomProperties: &pkg.PomProperties{
+ Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+ ArtifactID: "example-java-app-maven",
+ Version: "0.1.0",
+ Extra: make(map[string]string),
+ },
+ PomProject: &pkg.PomProject{
+ GroupID: "commons",
+ },
+ },
+ },
+ expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+ },
+ {
+ name: "POM project has explicit group ID without . in it",
+ pkg: pkg.Package{
+ Name: "example-java-app-maven",
+ Version: "0.1.0",
+ Language: pkg.Java,
+ Type: pkg.JavaPkg,
+ MetadataType: pkg.JavaMetadataType,
+ Metadata: pkg.JavaMetadata{
+ VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+ Manifest: &pkg.JavaManifest{
+ Main: map[string]string{
+ "Manifest-Version": "1.0",
+ },
+ },
+ PomProperties: &pkg.PomProperties{
+ Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+ ArtifactID: "example-java-app-maven",
+ Version: "0.1.0",
+ Extra: make(map[string]string),
+ },
+ PomProject: &pkg.PomProject{
+ Parent: &pkg.PomParent{
+ GroupID: "parent",
+ },
+ },
+ },
+ },
+ expect: "pkg:maven/parent/example-java-app-maven@0.1.0",
+ },
 }
 for _, tt := range tests {
 t.Run(tt.expect, func(t *testing.T) {
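Review bot: The closing context still runs `t.Run(tt.expect, ...)`, so the `name` field added in the first hunk of this file is never used, and the two new cases that expect `pkg:maven/commons/example-java-app-maven@0.1.0` end up sharing a subtest name. Use `t.Run(tt.name, func(t *testing.T) {` so a failure points at the right case. The third new case also reuses the name "POM project has explicit group ID without . in it" although it exercises `Parent.GroupID`; rename it to `name: "POM parent has explicit group ID without . in it",`. The loop body continues outside the hunk.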