Use Java package names to determine known groupIDs

syft/pkg/cataloger/common/cpe/java.go

@@ -41,6 +41,39 @@ var (
 	}
 )
 
+var defaultArtifactIDToGroupID = map[string]string{
+	"spring":                         "org.springframework",
+	"spring-amqp":                    "org.springframework.amqp",
+	"spring-batch-core":              "org.springframework.batch",
+	"spring-beans":                   "org.springframework",
+	"spring-boot":                    "org.springframework.boot",
+	"spring-boot-starter-web":        "org.springframework.boot",
+	"spring-boot-starter-webflux":    "org.springframework.boot",
+	"spring-cloud-function-context":  "org.springframework.cloud",
+	"spring-cloud-function-parent":   "org.springframework.cloud",
+	"spring-cloud-gateway":           "org.springframework.cloud",
+	"spring-cloud-openfeign-core":    "org.springframework.cloud",
+	"spring-cloud-task-dependencies": "org.springframework.cloud",
+	"spring-core":                    "org.springframework",
+	"spring-data-jpa":                "org.springframework.data",
+	"spring-data-mongodb":            "org.springframework.data",
+	"spring-data-rest-core":          "org.springframework.data",
+	"spring-expression":              "org.springframework",
+	"spring-integration-zip":         "org.springframework.integration",
+	"spring-oxm":                     "org.springframework",
+	"spring-security-core":           "org.springframework.security",
+	"spring-security-config":         "org.springframework.security",
+	"spring-security-oauth":          "org.springframework.security.oauth",
+	"spring-security-oauth-parent":   "org.springframework.security.oauth",
+	"spring-security-oauth2-client":  "org.springframework.security",
+	"spring-session-core":            "org.springframework.session",
+	"spring-vault-core":              "org.springframework.vault",
+	"spring-web":                     "org.springframework",
+	"spring-webflow":                 "org.springframework.webflow",
+	"spring-webflux":                 "org.springframework",
+	"spring-webmvc":                  "org.springframework",
+}
+
 func candidateProductsForJava(p pkg.Package) []string {
 	return productsFromArtifactAndGroupIDs(artifactIDFromJavaPackage(p), GroupIDsFromJavaPackage(p))
 }
@@ -181,13 +214,13 @@ func GroupIDsFromJavaPackage(p pkg.Package) (groupIDs []string) {
 		return nil
 	}
 
-	return GroupIDsFromJavaMetadata(metadata)
+	return GroupIDsFromJavaMetadata(p.Name, metadata)
 }
 
-func GroupIDsFromJavaMetadata(metadata pkg.JavaMetadata) (groupIDs []string) {
+func GroupIDsFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupIDs []string) {
 	groupIDs = append(groupIDs, groupIDsFromPomProperties(metadata.PomProperties)...)
 	groupIDs = append(groupIDs, groupIDsFromPomProject(metadata.PomProject)...)
-	groupIDs = append(groupIDs, groupIDsFromJavaManifest(metadata.Manifest)...)
+	groupIDs = append(groupIDs, groupIDsFromJavaManifest(pkgName, metadata.Manifest)...)
 
 	return groupIDs
 }
@@ -241,11 +274,15 @@ func addGroupIDsFromGroupIDsAndArtifactID(groupID, artifactID string) (groupIDs
 	return groupIDs
 }
 
-func groupIDsFromJavaManifest(manifest *pkg.JavaManifest) []string {
+func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []string {
 	if manifest == nil {
 		return nil
 	}
 
+	if groupID, ok := defaultArtifactIDToGroupID[pkgName]; ok {
+		return []string{groupID}
+	}
+
 	// try the common manifest fields first for a set of candidates
 	groupIDs := getManifestFieldGroupIDs(manifest, primaryJavaManifestGroupIDFields)
 

syft/pkg/cataloger/common/cpe/java_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/anchore/syft/syft/pkg"
 )
@@ -427,3 +428,38 @@ func Test_vendorsFromJavaManifestNames(t *testing.T) {
 		})
 	}
 }
+
+func Test_groupIDsFromJavaManifest(t *testing.T) {
+	tests := []struct {
+		name     string
+		manifest pkg.JavaManifest
+		expected []string
+	}{
+		{
+			name:     "spring-security-core",
+			manifest: pkg.JavaManifest{},
+			expected: []string{"org.springframework.security"},
+		},
+		{
+			name:     "spring-web",
+			manifest: pkg.JavaManifest{},
+			expected: []string{"org.springframework"},
+		},
+		{
+			name: "spring-foo",
+			manifest: pkg.JavaManifest{
+				Main: map[string]string{
+					"Implementation-Vendor": "org.foo",
+				},
+			},
+			expected: []string{"org.foo"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := groupIDsFromJavaManifest(test.name, &test.manifest)
+			require.Equal(t, test.expected, got)
+		})
+	}
+}

syft/pkg/cataloger/java/package_url.go

@@ -9,7 +9,7 @@ import (
 // PackageURL returns the PURL for the specific java package (see https://github.com/package-url/purl-spec)
 func packageURL(name, version string, metadata pkg.JavaMetadata) string {
 	var groupID = name
-	groupIDs := cpe.GroupIDsFromJavaMetadata(metadata)
+	groupIDs := cpe.GroupIDsFromJavaMetadata(name, metadata)
 	if len(groupIDs) > 0 {
 		groupID = groupIDs[0]
 	}