fix: update java cataloger to include similar child packages, correct PURL, and correct GroupID #1956
Closed
Conversation
spiffcs changed the title from "fix: update groupID to stable sort for selection" to "fix: update java archive cataloger to include child packages when different metadata" on Aug 7, 2023
spiffcs changed the title from "fix: update java archive cataloger to include child packages when different metadata" to "fix: update java archive cataloger to include similar child packages" on Aug 7, 2023
spiffcs force-pushed the 1944-inconsistent-purl-generation branch from a10a433 to 8a9d91b on August 8, 2023 13:17
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs changed the title from "fix: update java archive cataloger to include similar child packages" to "fix: update java cataloger to include similar child packages, correct PURL, and correct GroupID" on Aug 14, 2023
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs force-pushed the 1944-inconsistent-purl-generation branch from b777224 to 1faff35 on August 16, 2023 13:45
spiffcs commented on Aug 16, 2023:
Splitting this into two PRs and merging in upstream fixes from #2032
Summary

This PR aims to improve 3 related aspects of syft's java cataloging.

1. Improve PURL generation. In some cases syft is appending the artifact ID to the middle section (GroupID) of a PURL.
   a. EX: `pkg:maven/org.apache.xalan/[email protected]` should be `pkg:maven/org.apache/[email protected]`
2. Improve `GroupID` detection. Currently syft does not use any hierarchy for `GroupID` detection and treats all sources as equal. It does already treat fields from files with priority. We should try to obtain a GroupID answer from `Pom Properties`, then the `Pom Project` and finally, if a GroupID has not been found, the `Manifest`. `Manifest` should not return an answer if one was found in `PomProject`, and `PomProject` should not return a GroupID answer if `PomProperties` found one.
3. Syft eliminates java packages as duplicates if the package names match. With the enhanced GroupID detection we can extend this duplicate elimination to make sure syft is not eliminating packages with similar names, but different GroupID.

`vPathSuffix += ":" + pomProperties.ArtifactID`, which just uses the ArtifactID, SBOM consumers will see the full path of the package's properties used for package creation. Ex: `META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.properties`. This allows for better identification for child packages that look identical, but are actually forks or similar clones:

/casb.war:WEB-INF/lib/jaxb-core-2.2.11.jar:jaxb-core
/casb.war:WEB-INF/lib/jaxb-core-2.2.11.jar:META-INF/maven/org.glassfish.jaxb/jaxb-core
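The three behaviours the summary describes, as an added Go example that is not syft's own code: a groupID resolver with the pom.properties, then pom project, then manifest precedence; a PURL builder that keeps the artifactID out of the namespace; and a child-package virtual path and de-duplication key that carry the groupID so forks sharing an artifactID survive. The type names, the `Implementation-Vendor-Id` manifest header, the `com.example.fork` groupID and the sample input are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"path"
)

// Illustrative stand-ins for the three Java metadata sources the PR summary
// names; these are not syft's own types.
type PomProperties struct{ GroupID, ArtifactID, Version string }
type PomProject struct{ GroupID, ParentGroupID, ArtifactID, Version string }
type Manifest map[string]string

// resolveGroupID applies the precedence the summary describes: pom.properties
// first, then the pom.xml project (falling back to its <parent> groupId, which
// Maven inherits), then the manifest. A lower-priority source is consulted
// only when every higher-priority one yielded nothing.
func resolveGroupID(props *PomProperties, proj *PomProject, mf Manifest) string {
	if props != nil && props.GroupID != "" {
		return props.GroupID
	}
	if proj != nil {
		if proj.GroupID != "" {
			return proj.GroupID
		}
		if proj.ParentGroupID != "" {
			return proj.ParentGroupID
		}
	}
	// Which manifest header to read is an assumption of this example.
	if v := mf["Implementation-Vendor-Id"]; v != "" {
		return v
	}
	return ""
}

// mavenPURL builds pkg:maven/<groupID>/<artifactID>@<version>. The groupID is
// the namespace on its own; the defect the PR describes produced
// pkg:maven/<groupID>.<artifactID>/<artifactID>@<version> instead.
func mavenPURL(groupID, artifactID, version string) string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s", groupID, artifactID, version)
}

// childVirtualPath joins the parent archive's path with the directory of the
// pom.properties that produced the child, so two children sharing an
// artifactID but differing in groupID get distinct paths.
func childVirtualPath(parentPath, propsPath string) string {
	return parentPath + ":" + path.Dir(propsPath)
}

type Package struct {
	Name, Version, GroupID, VirtualPath, PURL string
}

// dedupeKey compares groupID, name and version together: keying on the name
// alone collapses forks that share an artifactID.
func dedupeKey(p Package) string {
	return p.GroupID + ":" + p.Name + ":" + p.Version
}

func dedupe(pkgs []Package) []Package {
	seen := map[string]bool{}
	var out []Package
	for _, p := range pkgs {
		k := dedupeKey(p)
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, p)
	}
	return out
}

// catalogChildren builds one child package per pom.properties found inside
// the parent archive and drops exact duplicates.
func catalogChildren(parentPath string, found []PomProperties) []Package {
	var pkgs []Package
	for i := range found {
		p := &found[i]
		gid := resolveGroupID(p, nil, nil)
		propsPath := "META-INF/maven/" + gid + "/" + p.ArtifactID + "/pom.properties"
		pkgs = append(pkgs, Package{
			Name:        p.ArtifactID,
			Version:     p.Version,
			GroupID:     gid,
			VirtualPath: childVirtualPath(parentPath, propsPath),
			PURL:        mavenPURL(gid, p.ArtifactID, p.Version),
		})
	}
	return dedupe(pkgs)
}

func main() {
	// Constructed sample: three jaxb-core children in one jar, two of them
	// identical and one from a hypothetical fork under another groupID.
	parent := "/casb.war:WEB-INF/lib/jaxb-core-2.2.11.jar"
	found := []PomProperties{
		{GroupID: "org.glassfish.jaxb", ArtifactID: "jaxb-core", Version: "2.2.11"},
		{GroupID: "com.example.fork", ArtifactID: "jaxb-core", Version: "2.2.11"},
		{GroupID: "org.glassfish.jaxb", ArtifactID: "jaxb-core", Version: "2.2.11"},
	}
	for _, p := range catalogChildren(parent, found) {
		fmt.Println(p.VirtualPath, p.PURL)
	}
}
```

Running it yields two packages rather than one or three: the duplicate org.glassfish.jaxb entry is dropped, while the fork with the same artifactID and version is kept because its groupID differs. The PURL builder does no percent-encoding; the purl spec requires namespace segments and the name to be percent-encoded, so a production cataloger should escape each segment before joining.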