feat: 1944 - update purl generation to use a consistent groupID

syft/pkg/cataloger/common/cpe/java.go

@@ -22,10 +22,10 @@ var (
 	}
 
 	primaryJavaManifestGroupIDFields = []string{
+		"Bundle-SymbolicName",
 		"Extension-Name",
 		"Specification-Vendor",
 		"Implementation-Vendor",
-		"Bundle-SymbolicName",
 		"Implementation-Vendor-Id",
 		"Implementation-Title",
 		"Bundle-Activator",
@@ -168,7 +168,7 @@ func artifactIDFromJavaPackage(p pkg.Package) string {
 	}
 
 	artifactID := strings.TrimSpace(metadata.PomProperties.ArtifactID)
-	if startsWithTopLevelDomain(artifactID) && len(strings.Split(artifactID, ".")) > 1 {
+	if looksLikeGroupID(artifactID) && len(strings.Split(artifactID, ".")) > 1 {
 		// there is a strong indication that the artifact ID is really a group ID, don't use it
 		return ""
 	}
@@ -184,6 +184,113 @@ func GroupIDsFromJavaPackage(p pkg.Package) (groupIDs []string) {
 	return GroupIDsFromJavaMetadata(p.Name, metadata)
 }
 
+// GroupIDFromJavaPackage returns the authoritative group ID for a Java package.
+// The order of precedence is:
+// 1. The group ID from the POM properties
+// 2. The group ID from the POM project
+// 3. The group ID from a select map of known group IDs
+// 3. The group ID from the Java manifest
+func GroupIDFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupID string) {
+	if groupID = groupIDFromPomProperties(metadata.PomProperties); groupID != "" {
+		return groupID
+	}
+
+	if groupID = groupIDFromPomProject(metadata.PomProject); groupID != "" {
+		return groupID
+	}
+
+	if groupID = groupIDFromKnownPackageList(pkgName); groupID != "" {
+		return groupID
+	}
+
+	if groupID = groupIDFromJavaManifest(metadata.Manifest); groupID != "" {
+		return groupID
+	}
+
+	return groupID
+}
+
+func groupIDFromKnownPackageList(pkgName string) (groupID string) {
+	if groupID, ok := defaultArtifactIDToGroupID[pkgName]; ok {
+		return groupID
+	}
+	return groupID
+}
+
+func groupIDFromJavaManifest(manifest *pkg.JavaManifest) (groupID string) {
+	if manifest == nil {
+		return groupID
+	}
+
+	groupIDS := getManifestFieldGroupIDs(manifest, primaryJavaManifestGroupIDFields)
+	// assumes that primaryJavaManifestNameFields are ordered by priority
+	if len(groupIDS) != 0 {
+		return groupIDS[0]
+	}
+
+	groupIDS = getManifestFieldGroupIDs(manifest, secondaryJavaManifestGroupIDFields)
+
+	if len(groupIDS) != 0 {
+		return groupIDS[0]
+	}
+
+	return groupID
+}
+
+func groupIDFromPomProperties(properties *pkg.PomProperties) (groupID string) {
+	if properties == nil {
+		return groupID
+	}
+
+	if looksLikeGroupID(properties.GroupID) {
+		return cleanGroupID(properties.GroupID)
+	}
+
+	// sometimes the publisher puts the group ID in the artifact ID field unintentionally
+	if looksLikeGroupID(properties.ArtifactID) && len(strings.Split(properties.ArtifactID, ".")) > 1 {
+		// there is a strong indication that the artifact ID is really a group ID
+		return cleanGroupID(properties.ArtifactID)
+	}
+
+	return groupID
+}
+
+func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
+	if project == nil {
+		return groupID
+	}
+
+	// check the project details
+	if looksLikeGroupID(project.GroupID) {
+		return cleanGroupID(project.GroupID)
+	}
+
+	// sometimes the publisher puts the group ID in the artifact ID field unintentionally
+	if looksLikeGroupID(project.GroupID) && len(strings.Split(project.ArtifactID, ".")) > 1 {
+		// there is a strong indication that the artifact ID is really a group ID
+		return cleanGroupID(project.ArtifactID)
+	}
+
+	// let's check the parent details
+	// if the current project does not have a group ID, but the parent does, we'll use the parent's group ID
+	if project.Parent != nil {
+		if looksLikeGroupID(project.Parent.GroupID) {
+			return cleanGroupID(project.Parent.GroupID)
+		}
+
+		// sometimes the publisher puts the group ID in the artifact ID field unintentionally
+		if looksLikeGroupID(project.Parent.ArtifactID) && len(strings.Split(project.Parent.ArtifactID, ".")) > 1 {
+			// there is a strong indication that the artifact ID is really a group ID
+			return cleanGroupID(project.Parent.ArtifactID)
+		}
+	}
+
+	return groupID
+}
+
+// GroupIDsFromJavaMetadata returns the possible group IDs for a Java package
+// This function is similar to GroupIDFromJavaPackage, but returns all possible group IDs and is less strict
+// It is used as a way to generate possible candidates for CPE matching.
 func GroupIDsFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupIDs []string) {
 	groupIDs = append(groupIDs, groupIDsFromPomProperties(metadata.PomProperties)...)
 	groupIDs = append(groupIDs, groupIDsFromPomProject(metadata.PomProject)...)
@@ -302,3 +409,7 @@ func removeOSCIDirectives(groupID string) string {
 func startsWithTopLevelDomain(value string) bool {
 	return internal.HasAnyOfPrefixes(value, domains...)
 }
+
+func looksLikeGroupID(value string) bool {
+	return strings.Contains(value, ".")
+}

syft/pkg/cataloger/java/archive_parser.go

@@ -12,6 +12,7 @@ import (
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/common/cpe"
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
@@ -62,11 +63,11 @@ func parseJavaArchive(_ file.Resolver, _ *generic.Environment, reader file.Locat
 }
 
 // uniquePkgKey creates a unique string to identify the given package.
-func uniquePkgKey(p *pkg.Package) string {
+func uniquePkgKey(groupID string, p *pkg.Package) string {
 	if p == nil {
 		return ""
 	}
-	return fmt.Sprintf("%s|%s", p.Name, p.Version)
+	return fmt.Sprintf("%s|%s|%s", groupID, p.Name, p.Version)
 }
 
 // newJavaArchiveParser returns a new java archive parser object for the given archive. Can be configured to discover
@@ -376,7 +377,13 @@ func pomProjectByParentPath(archivePath string, location file.Location, extractP
 func newPackageFromMavenData(pomProperties pkg.PomProperties, pomProject *pkg.PomProject, parentPkg *pkg.Package, location file.Location) *pkg.Package {
 	// keep the artifact name within the virtual path if this package does not match the parent package
 	vPathSuffix := ""
-	if !strings.HasPrefix(pomProperties.ArtifactID, parentPkg.Name) {
+	groupID := ""
+	if parentMetadata, ok := parentPkg.Metadata.(pkg.JavaMetadata); ok {
+		groupID = cpe.GroupIDFromJavaMetadata(parentPkg.Name, parentMetadata)
+	}
+	parentKey := fmt.Sprintf("%s:%s:%s", groupID, parentPkg.Name, parentPkg.Version)
+	pomProjectKey := fmt.Sprintf("%s:%s:%s", pomProperties.GroupID, pomProperties.ArtifactID, pomProperties.Version)
+	if parentKey != pomProjectKey {
 		vPathSuffix += ":" + pomProperties.ArtifactID
 	}
 	virtualPath := location.AccessPath() + vPathSuffix
@@ -408,36 +415,45 @@ func newPackageFromMavenData(pomProperties pkg.PomProperties, pomProject *pkg.Po
 }
 
 func packageIdentitiesMatch(p pkg.Package, parentPkg *pkg.Package) bool {
-	// the name/version pair matches...
-	if uniquePkgKey(&p) == uniquePkgKey(parentPkg) {
-		return true
-	}
+	childMetadata, childOk := p.Metadata.(pkg.JavaMetadata)
+	parentMetadata, parentOk := parentPkg.Metadata.(pkg.JavaMetadata)
+	if !childOk || !parentOk {
+		switch {
+		case !childOk:
+			log.WithFields("package", p.String()).Debug("unable to extract java metadata to check for matching package identity for package: %s", p.Name)
+		case !parentOk:
+			log.WithFields("package", parentPkg.String()).Debug("unable to extract java metadata to check for matching package identity for package: %s", parentPkg.Name)
+		}
+		// if we can't extract metadata, we can check for matching identities via the package name
+		// this is not ideal, but it's better than nothing - this should not be used if we have Metadata
 
-	metadata, ok := p.Metadata.(pkg.JavaMetadata)
-	if !ok {
-		log.WithFields("package", p.String()).Warn("unable to extract java metadata to check for matching package identity")
-		return false
+		return uniquePkgKey("", &p) == uniquePkgKey("", parentPkg)
 	}
 
-	parentMetadata, ok := parentPkg.Metadata.(pkg.JavaMetadata)
-	if !ok {
-		log.WithFields("package", p.String()).Warn("unable to extract java metadata from parent for verifying virtual path")
-		return false
+	// try to determine identity with the metadata
+	childGroupID := cpe.GroupIDFromJavaMetadata(p.Name, childMetadata)
+	parentGroupID := cpe.GroupIDFromJavaMetadata(parentPkg.Name, parentMetadata)
+	if uniquePkgKey(childGroupID, &p) == uniquePkgKey(parentGroupID, parentPkg) {
+		return true
 	}
 
 	// the virtual path matches...
-	if parentMetadata.VirtualPath == metadata.VirtualPath {
+	if parentMetadata.VirtualPath == childMetadata.VirtualPath {
 		return true
 	}
 
 	// the pom artifactId is the parent name
 	// note: you CANNOT use name-is-subset-of-artifact-id or vice versa --this is too generic. Shaded jars are a good
 	// example of this: where the package name is "cloudbees-analytics-segment-driver" and a child is "analytics", but
 	// they do not indicate the same package.
-	if metadata.PomProperties.ArtifactID != "" && parentPkg.Name == metadata.PomProperties.ArtifactID {
-		return true
+	// NOTE: artifactId might not be a good indicator of uniqueness since archives can contain forks with the same name
+	// from different groups (e.g. "org.glassfish.jaxb.jaxb-core" and "com.sun.xml.bind.jaxb-core")
+	// we will use this check as a last resort
+	if childMetadata.PomProperties != nil {
+		if childMetadata.PomProperties.ArtifactID != "" && parentPkg.Name == childMetadata.PomProperties.ArtifactID {
+			return true
+		}
 	}
-
 	return false
 }
 

syft/pkg/cataloger/java/archive_parser_test.go

@@ -894,44 +894,6 @@ func Test_newPackageFromMavenData(t *testing.T) {
 			},
 			expectedPackage: nil,
 		},
-		{
-			name: "child matches parent by virtual path -- override name and version",
-			props: pkg.PomProperties{
-				Name:       "some-name",
-				GroupID:    "some-group-id",
-				ArtifactID: "some-parent-name", // note: DOES NOT match parent package
-				Version:    "3.0",              // note: DOES NOT match parent package
-			},
-			parent: &pkg.Package{
-				Name:    "", // note: empty, so should not be matched on
-				Version: "", // note: empty, so should not be matched on
-				Type:    pkg.JavaPkg,
-				Metadata: pkg.JavaMetadata{
-					VirtualPath:   virtualPath, // note: matching virtual path
-					Manifest:      nil,
-					PomProperties: nil,
-					Parent:        nil,
-				},
-			},
-			expectedParent: pkg.Package{
-				Name:    "some-parent-name",
-				Version: "3.0",
-				Type:    pkg.JavaPkg,
-				Metadata: pkg.JavaMetadata{
-					VirtualPath: virtualPath,
-					Manifest:    nil,
-					// note: we attach the discovered pom properties data
-					PomProperties: &pkg.PomProperties{
-						Name:       "some-name",
-						GroupID:    "some-group-id",
-						ArtifactID: "some-parent-name",
-						Version:    "3.0",
-					},
-					Parent: nil,
-				},
-			},
-			expectedPackage: nil,
-		},
 		{
 			name: "child matches parent by artifact id",
 			props: pkg.PomProperties{

syft/pkg/cataloger/java/package_url.go

@@ -9,9 +9,9 @@ import (
 // PackageURL returns the PURL for the specific java package (see https://github.com/package-url/purl-spec)
 func packageURL(name, version string, metadata pkg.JavaMetadata) string {
 	var groupID = name
-	groupIDs := cpe.GroupIDsFromJavaMetadata(name, metadata)
-	if len(groupIDs) > 0 {
-		groupID = groupIDs[0]
+
+	if gID := cpe.GroupIDFromJavaMetadata(name, metadata); gID != "" {
+		groupID = gID
 	}
 
 	pURL := packageurl.NewPackageURL(

syft/pkg/cataloger/java/parse_pom_xml.go

@@ -178,7 +178,9 @@ func resolveProperty(pom gopom.Project, property *string) string {
 						pomValueType = pomValue.Type()
 						if pomValueType.Kind() == reflect.Ptr {
 							pomValue = pomValue.Elem()
-							pomValueType = pomValue.Type()
+							if !pomValue.IsZero() {
+								pomValueType = pomValue.Type()
+							}
 						}
 						if partNum == numParts-1 {
 							return fmt.Sprintf("%v", pomValue.Interface())