
Use Java package names to determine known groupIDs #2032

Merged (4 commits, Aug 17, 2023)

Conversation

kzantow (Contributor) commented Aug 16, 2023

This PR adds a small curated list of known Java package names to groupIds, in order to properly generate PURLs for these archives, which do not contain Maven information.

With this change, Grype finds multiple GHSA entries against spring archives in one of the quality gate images, whereas before there were no GHSA matches:

NAME                                  INSTALLED                FIXED-IN                    TYPE            VULNERABILITY        SEVERITY 
spring-beans                          5.2.12.RELEASE           5.2.20.RELEASE              java-archive    GHSA-36p3-wjmg-h94x  Critical  
spring-core                           5.2.12.RELEASE           5.2.24.RELEASE              java-archive    GHSA-wxqc-pxw9-g2p8  High      
spring-core                           5.2.12.RELEASE           5.2.22.RELEASE              java-archive    GHSA-hh26-6xwr-ggv7  High      
spring-core                           5.2.12.RELEASE           5.2.21                      java-archive    GHSA-g5mm-vmx4-3rg7  High      
spring-core                           5.2.12.RELEASE           5.2.22.RELEASE              java-archive    GHSA-rqph-vqwm-22vc  Medium    
spring-core                           5.2.12.RELEASE           5.2.18                      java-archive    GHSA-rfmp-97jj-h8m6  Medium    
spring-core                           5.2.12.RELEASE           5.2.19                      java-archive    GHSA-6gf2-pvqw-37ph  Medium    
spring-core                           5.2.12.RELEASE           5.2.23.RELEASE              java-archive    GHSA-564r-hj7v-mcr5  Medium    
spring-expression                     5.2.12.RELEASE           5.2.20.RELEASE              java-archive    GHSA-558x-2xjg-6232  Medium    
spring-security-core                  5.4.4                    5.5.7                       java-archive    GHSA-hh32-7344-cg2f  Critical  
spring-security-core                  5.4.4                    5.4.7                       java-archive    GHSA-w9jg-gvgr-354m  High      
spring-security-core                  5.4.4                    5.5.7                       java-archive    GHSA-wx54-3278-m5g4  Medium    
spring-web                            5.2.12.RELEASE           6.0.0                       java-archive    GHSA-4wrc-f8pq-fpqp  Critical  
spring-web                            5.2.12.RELEASE           5.2.15                      java-archive    GHSA-gfwj-fwqj-fp3v  High      

Signed-off-by: Keith Zantow <kzantow@gmail.com>
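As an added illustration of the mechanism the description outlines (written for this page, not syft's own code): derive the Java package names from a jar's class entries, resolve the longest matching curated prefix to a Maven groupId, and only then build a pkg:maven PURL. The table entries, jar entries and function names are constructed; the Spring groupIds are the coordinates published on Maven Central.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Curated package-prefix -> Maven groupId table: constructed sample entries (Spring's
// published Maven Central coordinates) for this illustration, not syft's own list.
var knownGroupIDs = map[string]string{
	"org.springframework":          "org.springframework",
	"org.springframework.security": "org.springframework.security",
}

// packageFromClassPath maps "org/springframework/core/Foo.class" to "org.springframework.core";
// non-class entries and classes in the default package yield "".
func packageFromClassPath(entry string) string {
	i := strings.LastIndex(entry, "/")
	if !strings.HasSuffix(entry, ".class") || i < 0 {
		return ""
	}
	return strings.ReplaceAll(entry[:i], "/", ".")
}

// groupIDForEntries returns the groupId of the longest curated prefix matching any class package.
// Matches are bounded on '.', so "org.springframework.securityx" resolves to "org.springframework".
func groupIDForEntries(entries []string) (string, bool) {
	best, bestLen := "", -1
	for _, e := range entries {
		p := packageFromClassPath(e)
		for prefix, gid := range knownGroupIDs {
			if (p == prefix || strings.HasPrefix(p, prefix+".")) && len(prefix) > bestLen {
				best, bestLen = gid, len(prefix)
			}
		}
	}
	return best, bestLen >= 0
}

// purlForArchive builds pkg:maven/<groupId>/<artifactId>@<version>; without a groupId it
// yields nothing, which is the state in which coordinate-keyed GHSA matching found no hits.
func purlForArchive(entries []string, artifactID, version string) (string, bool) {
	gid, ok := groupIDForEntries(entries)
	if !ok {
		return "", false
	}
	return fmt.Sprintf("pkg:maven/%s/%s@%s", url.PathEscape(gid),
		url.PathEscape(artifactID), url.PathEscape(version)), true
}
```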
github-actions bot commented Aug 16, 2023

Benchmark Test Results

Benchmark results from the latest changes vs base branch

westonsteimel (Contributor) left a comment

This makes sense to me as an initial step to handle ones we know for certain are incorrect and popular. Thanks @kzantow!

@kzantow kzantow merged commit 4762ba0 into main Aug 17, 2023
9 checks passed
@kzantow kzantow deleted the feat/spring-groupid branch August 17, 2023 16:55
kzantow added the "bug" label (Something isn't working) and removed the "enhancement" label (New feature or request) Aug 17, 2023
kzantow changed the title from "feat: use java package names to determine known groupids" to "Use Java package names to determine known groupIDs" Aug 17, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024