From 4c2ba1a7dba4e17091cfbf75d1676b29dab17f23 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Wed, 23 Aug 2023 15:27:20 -0400
Subject: [PATCH 1/4] Initial fix

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/java/package_url.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/syft/pkg/cataloger/java/package_url.go b/syft/pkg/cataloger/java/package_url.go
index d29f1ae3c06..8565b15e9d1 100644
--- a/syft/pkg/cataloger/java/package_url.go
+++ b/syft/pkg/cataloger/java/package_url.go
@@ -84,7 +84,7 @@ func groupIDFromPomProperties(properties *pkg.PomProperties) (groupID string) {
 return groupID
 }
-if looksLikeGroupID(properties.GroupID) {
+if properties.GroupID != "" {
 return cleanGroupID(properties.GroupID)
 }
From 5e36dac527eab97b0981c6ea284878daaf0deb0a Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Wed, 23 Aug 2023 15:34:34 -0400
Subject: [PATCH 2/4] Add unit test for explicit pom group id

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/java/package_url_test.go | 28 +++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/syft/pkg/cataloger/java/package_url_test.go b/syft/pkg/cataloger/java/package_url_test.go
index 665827a2dcc..d4618562d4e 100644
--- a/syft/pkg/cataloger/java/package_url_test.go
+++ b/syft/pkg/cataloger/java/package_url_test.go
@@ -10,10 +10,12 @@ import (
 func Test_packageURL(t *testing.T) {
 tests := []struct {
+name string
 pkg pkg.Package
 expect string
 }{
 {
+name: "maven",
 pkg: pkg.Package{
 Name: "example-java-app-maven",
 Version: "0.1.0",
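Review bot: Swapping `looksLikeGroupID` for a bare non-empty test means a groupId that is only whitespace, or carries leading/trailing blanks, now takes this branch instead of falling through to whatever fallback follows, and what ends up in the purl namespace then rests entirely on what `cleanGroupID` strips, which is not visible here. pom.properties is content read out of the scanned JAR, so this value is untrusted input; unless `cleanGroupID` already trims, compare the trimmed value instead: `if strings.TrimSpace(properties.GroupID) != "" {` (assuming `strings` is imported in this file). A short comment on why the heuristic was dropped would also help the next reader, e.g. `// an explicit groupId wins even without a dot in it (e.g. "commons")`. groupIDFromPomProperties begins before this hunk and continues past it.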
@@ -38,6 +40,32 @@ func Test_packageURL(t *testing.T) {
 },
 expect: "pkg:maven/org.anchore/example-java-app-maven@0.1.0",
 },
+{
+name: "POM has explicit group ID without . in it",
+pkg: pkg.Package{
+Name: "example-java-app-maven",
+Version: "0.1.0",
+Language: pkg.Java,
+Type: pkg.JavaPkg,
+MetadataType: pkg.JavaMetadataType,
+Metadata: pkg.JavaMetadata{
+VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+Manifest: &pkg.JavaManifest{
+Main: map[string]string{
+"Manifest-Version": "1.0",
+},
+},
+PomProperties: &pkg.PomProperties{
+Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+GroupID: "commons",
+ArtifactID: "example-java-app-maven",
+Version: "0.1.0",
+Extra: make(map[string]string),
+},
+},
+},
+expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+},
 }
 for _, tt := range tests {
 t.Run(tt.expect, func(t *testing.T) {
From 559cf30750835bd371e79f94d7c368f70be66241 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Wed, 23 Aug 2023 17:13:02 -0400
Subject: [PATCH 3/4] also trust group ID from pom project

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/java/package_url.go | 2 +-
 syft/pkg/cataloger/java/package_url_test.go | 30 ++++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/java/package_url.go b/syft/pkg/cataloger/java/package_url.go
index 8565b15e9d1..720067304b5 100644
--- a/syft/pkg/cataloger/java/package_url.go
+++ b/syft/pkg/cataloger/java/package_url.go
@@ -103,7 +103,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 }
 // check the project details
-if looksLikeGroupID(project.GroupID) {
+if project.GroupID != "" {
 return cleanGroupID(project.GroupID)
 }
diff --git a/syft/pkg/cataloger/java/package_url_test.go b/syft/pkg/cataloger/java/package_url_test.go
index d4618562d4e..ae340da783e 100644
--- a/syft/pkg/cataloger/java/package_url_test.go
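Review bot: The `name` field added to the table in the previous hunk is never read — the loop at the bottom of this hunk still names each subtest after `tt.expect`, so the label cannot be selected with `go test -run` and will not appear in failure output. Change the last line of the hunk to `t.Run(tt.name, func(t *testing.T) {`. The loop body and the assertion it makes continue past the end of the hunk.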
+++ b/syft/pkg/cataloger/java/package_url_test.go
@@ -41,7 +41,7 @@ func Test_packageURL(t *testing.T) {
 expect: "pkg:maven/org.anchore/example-java-app-maven@0.1.0",
 },
 {
-name: "POM has explicit group ID without . in it",
+name: "POM properties have explicit group ID without . in it",
 pkg: pkg.Package{
 Name: "example-java-app-maven",
 Version: "0.1.0",
@@ -66,6 +66,34 @@ func Test_packageURL(t *testing.T) {
 },
 expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
 },
+{
+name: "POM project has explicit group ID without . in it",
+pkg: pkg.Package{
+Name: "example-java-app-maven",
+Version: "0.1.0",
+Language: pkg.Java,
+Type: pkg.JavaPkg,
+MetadataType: pkg.JavaMetadataType,
+Metadata: pkg.JavaMetadata{
+VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+Manifest: &pkg.JavaManifest{
+Main: map[string]string{
+"Manifest-Version": "1.0",
+},
+},
+PomProperties: &pkg.PomProperties{
+Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+ArtifactID: "example-java-app-maven",
+Version: "0.1.0",
+Extra: make(map[string]string),
+},
+PomProject: &pkg.PomProject{
+GroupID: "commons",
+},
+},
+},
+expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+},
 }
 for _, tt := range tests {
 t.Run(tt.expect, func(t *testing.T) {
From d76a9d4e2e88c4ed2e188850024135ddc48364f3 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Wed, 23 Aug 2023 17:20:09 -0400
Subject: [PATCH 4/4] also trust group ID of POM parent

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/java/package_url.go | 2 +-
 syft/pkg/cataloger/java/package_url_test.go | 30 +++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/syft/pkg/cataloger/java/package_url.go b/syft/pkg/cataloger/java/package_url.go
index 720067304b5..df1baf791c8 100644
--- a/syft/pkg/cataloger/java/package_url.go
+++ b/syft/pkg/cataloger/java/package_url.go
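Review bot: The new case expects exactly the same purl as the "POM properties" case directly above it, and the loop at the bottom of the hunk still calls `t.Run(tt.expect, ...)`, so the two subtests come out as `pkg:maven/commons/example-java-app-maven@0.1.0` and `...#01` — a failure cannot tell you which source of the group ID broke. Use `t.Run(tt.name, func(t *testing.T) {` here. With that in place it would also be worth a case that sets both `PomProperties.GroupID` and `PomProject.GroupID` to different values, to pin down which one the (not shown) caller prefers. The loop body continues beyond the hunk.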
@@ -116,7 +116,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 // let's check the parent details
 // if the current project does not have a group ID, but the parent does, we'll use the parent's group ID
 if project.Parent != nil {
-if looksLikeGroupID(project.Parent.GroupID) {
+if project.Parent.GroupID != "" {
 return cleanGroupID(project.Parent.GroupID)
 }
diff --git a/syft/pkg/cataloger/java/package_url_test.go b/syft/pkg/cataloger/java/package_url_test.go
index ae340da783e..7ffb0a365b1 100644
--- a/syft/pkg/cataloger/java/package_url_test.go
+++ b/syft/pkg/cataloger/java/package_url_test.go
@@ -94,6 +94,36 @@ func Test_packageURL(t *testing.T) {
 },
 expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
 },
+{
+name: "POM project has explicit group ID without . in it",
+pkg: pkg.Package{
+Name: "example-java-app-maven",
+Version: "0.1.0",
+Language: pkg.Java,
+Type: pkg.JavaPkg,
+MetadataType: pkg.JavaMetadataType,
+Metadata: pkg.JavaMetadata{
+VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+Manifest: &pkg.JavaManifest{
+Main: map[string]string{
+"Manifest-Version": "1.0",
+},
+},
+PomProperties: &pkg.PomProperties{
+Path: "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+ArtifactID: "example-java-app-maven",
+Version: "0.1.0",
+Extra: make(map[string]string),
+},
+PomProject: &pkg.PomProject{
+Parent: &pkg.PomParent{
+GroupID: "parent",
+},
+},
+},
+},
+expect: "pkg:maven/parent/example-java-app-maven@0.1.0",
+},
 }
 for _, tt := range tests {
 t.Run(tt.expect, func(t *testing.T) {
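Review bot: The `name` on the added case is copy-pasted from the previous case ("POM project has explicit group ID without . in it") even though this one sets the group ID only on `PomProject.Parent` and leaves `PomProject.GroupID` empty; rename it, e.g. `name: "POM parent has explicit group ID without . in it",`, so the table reads correctly and the subtest is distinguishable once `t.Run` is switched to `tt.name` (it still uses `tt.expect` on the last line of the hunk). The loop body continues past the end of the hunk.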