What happened:
When syft is executed multiple times against the same image with a Java artifact (e.g., jdom 1.1) I receive slightly different purls on each run. This seems somewhat similar to the recent issue #1944 which was fixed in Syft v0.91.0.
What you expected to happen:
I expect the purl generated by syft to be consistent between runs of the same image with the same set of artifacts and versions.
Steps to reproduce the issue:
Build an image recreating the issue:
> echo "FROM maven:3.9.4-eclipse-temurin
RUN mvn dependency:get -Dartifact=org.jdom:jdom:1.1" | docker build -t jdom-purl:latest -
> docker images | grep jdom-purl
jdom-purl latest a1774615ffa5 21 minutes ago 523MB
Scan the image multiple times with syft, creating multiple sbom files for each run:
> syft -o json=jdom-purl.syft.run1.json jdom-purl:latest
> syft -o json=jdom-purl.syft.run2.json jdom-purl:latest
Validate the purl generated for the jdom artifact in each syft sbom:
> grep purl.*org\.jdom jdom-purl.syft.run*.json
jdom-purl.syft.run1.json: "purl": "pkg:maven/org.jdom.filter/jdom@1.1",
jdom-purl.syft.run2.json: "purl": "pkg:maven/org.jdom.input/jdom@1.1",
Note that the purl is showing a different sub-artifact on each run?! I believe the expected purl should be:
"purl": "pkg:maven/org.jdom/jdom@1.1",
Anything else we need to know?:
This can also result in different vuln results when the sbom is evaluated by grype.
For example, if we copy/modify the sbom to have the correct purl: "purl": "pkg:maven/org.jdom/jdom@1.1", we get both the CVE and the GHSA match. With the original purls we do not get the GHSA result (Yes, I understand that the GHSA result maps to the same CVE id).
Example:
> cp jdom-purl.syft.run2.json jdom-purl.syft.edit.json && sed -i 's@jdom\..*\/@jdom\/@' jdom-purl.syft.edit.json
> grep purl.*org\.jdom jdom-purl.syft.*.json
jdom-purl.syft.edit.json: "purl": "pkg:maven/org.jdom/jdom@1.1",
jdom-purl.syft.run1.json: "purl": "pkg:maven/org.jdom.filter/jdom@1.1",
jdom-purl.syft.run2.json: "purl": "pkg:maven/org.jdom.input/jdom@1.1",
> for sbom in `ls jdom-purl.syft.*.json`; do echo "Scanning sbom: ${sbom}:"; grype -q sbom:${sbom} | grep jdom; done
Scanning sbom: jdom-purl.syft.edit.json:
jdom 1.1 java-archive GHSA-2363-cqg2-863c High
jdom 1.1 java-archive CVE-2021-33813 High
Scanning sbom: jdom-purl.syft.run1.json:
jdom 1.1 java-archive CVE-2021-33813 High
Scanning sbom: jdom-purl.syft.run2.json:
jdom 1.1 java-archive CVE-2021-33813 High
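As an added example (not part of this report or of Syft's code), a small Python check that diffs the artifact purls of two syft JSON SBOMs and reports which purl component changed between runs, generalizing the grep above. The two embedded SBOM snippets are constructed, abbreviated stand-ins for the run1/run2 files; the "example-lib" artifact is hypothetical.

```python
import json
from urllib.parse import unquote

# Constructed, abbreviated stand-ins for jdom-purl.syft.run1.json / run2.json.
# The jdom purls are the ones observed above; "example-lib" is hypothetical.
RUN1 = json.dumps({"artifacts": [
    {"name": "jdom", "version": "1.1", "type": "java-archive",
     "purl": "pkg:maven/org.jdom.filter/jdom@1.1"},
    {"name": "example-lib", "version": "2.0", "type": "java-archive",
     "purl": "pkg:maven/com.example/example-lib@2.0"},
]})
RUN2 = json.dumps({"artifacts": [
    {"name": "jdom", "version": "1.1", "type": "java-archive",
     "purl": "pkg:maven/org.jdom.input/jdom@1.1"},
    {"name": "example-lib", "version": "2.0", "type": "java-archive",
     "purl": "pkg:maven/com.example/example-lib@2.0"},
]})

def parse_purl(purl):
    """Split pkg:<type>/<namespace>/<name>@<version> into its components.
    Qualifiers (?...) and subpath (#...) are dropped; namespace may be empty."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if not body.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, rest = body[len("pkg:"):].partition("/")
    name_ver, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    namespace, _, name = name_ver.rpartition("/")
    return {"type": ptype, "namespace": unquote(namespace),
            "name": unquote(name), "version": unquote(version)}

def purls_by_artifact(sbom_json):
    """Index a syft JSON SBOM by (name, version, type) -> purl."""
    doc = json.loads(sbom_json)
    return {(a["name"], a["version"], a["type"]): a.get("purl", "")
            for a in doc["artifacts"]}

def purl_drift(sbom_a, sbom_b):
    """Artifacts present in both SBOMs whose purl differs, mapped to the parsed
    fields that changed as (old, new). An empty result means the runs agree."""
    a, b = purls_by_artifact(sbom_a), purls_by_artifact(sbom_b)
    drift = {}
    for key in a.keys() & b.keys():
        if a[key] != b[key]:
            pa, pb = parse_purl(a[key]), parse_purl(b[key])
            drift[key] = {f: (pa[f], pb[f]) for f in pa if pa[f] != pb[f]}
    return drift

if __name__ == "__main__":
    for (name, version, _), changed in purl_drift(RUN1, RUN2).items():
        print(f"{name} {version}: purl drift in {changed}")
```

Pointing the same function at two real syft outputs (read from disk) gives a quick determinism gate before an SBOM is handed to grype.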
Environment:
Application: syft
Version: 0.91.0
BuildDate: 2023-09-20T19:42:04Z
GitCommit: b7fa75d7f82a6816d307805ac07e6965c799e938
GitDescription: v0.91.0
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
OS (e.g. cat /etc/os-release or similar):
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.9 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"