From 9d21552bd683112b24ca217f064cfd37c7a8dffc Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Tue, 29 Aug 2023 10:44:25 -0400 Subject: [PATCH 1/6] Commit java purl generation test as is Future commits can hand fix PURLs made for particular packages, and then the map literal here can be edited. Signed-off-by: Will Murphy --- test/integration/java_purl_test.go | 219 +++++++++++++++++++++++++++++ 1 file changed, 219 insertions(+) create mode 100644 test/integration/java_purl_test.go diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go new file mode 100644 index 00000000000..e2ca3f70c90 --- /dev/null +++ b/test/integration/java_purl_test.go @@ -0,0 +1,219 @@ +package integration + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/anchore/syft/syft" + "github.com/anchore/syft/syft/pkg" + "github.com/anchore/syft/syft/pkg/cataloger" + "github.com/anchore/syft/syft/sbom" + "github.com/anchore/syft/syft/source" +) + +func TestJavaPURLs(t *testing.T) { + testImage := "anchore/test_images:java-56d52bc" + sbom := getCatalog(t, testImage) + found := make(map[string]string) + for _, p := range sbom.Artifacts.Packages.Sorted() { + if p.Type != pkg.JavaPkg && p.Type != pkg.JenkinsPluginPkg { + continue + } + key := fmt.Sprintf("%s@%s", p.Name, p.Version) + found[key] = p.PURL + } + for key, expectedPURL := range expectedPURLs { + purl := found[key] + assert.Equal(t, expectedPURL, purl, fmt.Sprintf("found wrong or missing PURL for %s want %s, got %s", key, expectedPURL, purl)) + } + for key, foundPURL := range found { + expectedPURL := expectedPURLs[key] + assert.Equal(t, expectedPURL, foundPURL, fmt.Sprintf("found extra purl for %s want %s, got %s", key, expectedPURL, foundPURL)) + } +} + +func getCatalog(t *testing.T, image string) sbom.SBOM { + detection, err := source.Detect(image, source.DefaultDetectConfig()) + require.NoError(t, err) + theSource, err := detection.NewSource(source.DefaultDetectionSourceConfig()) + packages, relationships, distro, error := syft.CatalogPackages(theSource, cataloger.DefaultConfig()) + require.NoError(t, error) + sbom := sbom.SBOM{ + Artifacts: sbom.Artifacts{ + Packages: packages, + LinuxDistribution: distro, + }, + Relationships: relationships, + Source: theSource.Describe(), + } + return sbom +} + +// Constructed by: +// syft anchore/test_images:java-56d52bc -o template -t /tmp/test.templ | grep 'pkg:maven' | sort | uniq >> test/integration/java_purl_test.go +// where the template is: +/* +{{ range .Artifacts}}"{{.Name}}@{{.Version}}":"{{.PURL}}", +{{ end }} +*/ +var expectedPURLs = map[string]string{ + "TwilioNotifier@0.2.1": "pkg:maven/com.twilio.jenkins/TwilioNotifier@0.2.1", + "access-modifier-annotation@1.0": "pkg:maven/org.kohsuke/access-modifier-annotation@1.0", + "acegi-security@1.0.5": "pkg:maven/org.acegisecurity/acegi-security@1.0.5", + "activation@1.1.1-hudson-1": "pkg:maven/org.jvnet.hudson/activation@1.1.1-hudson-1", + "akuma@1.2": "pkg:maven/com.sun.akuma/akuma@1.2", + "animal-sniffer-annotation@1.0": "pkg:maven/org.jvnet/animal-sniffer-annotation@1.0", + "annotation-indexer@1.2": "pkg:maven/org.jvnet.hudson/annotation-indexer@1.2", + "annotations@13.0": "pkg:maven/org.jetbrains/annotations@13.0", + "ant-launcher@1.8.0": "pkg:maven/org.apache.ant/ant-launcher@1.8.0", + "ant@1.8.0": "pkg:maven/org.apache.ant/ant@1.8.0", + "antlr@2.7.6": "pkg:maven/antlr/antlr@2.7.6", + "aopalliance@1.0": "pkg:maven/aopalliance/aopalliance@1.0", + "args4j@2.0.16": "pkg:maven/args4j/args4j@2.0.16", + "asm-commons@2.2.3": "pkg:maven/asm-commons/asm-commons@2.2.3", + "asm-tree@2.2.3": "pkg:maven/asm-tree/asm-tree@2.2.3", + "asm@2.2.3": "pkg:maven/asm/asm@2.2.3", + "avalon-framework@4.1.3": "pkg:maven/avalon-framework/avalon-framework@4.1.3", + "bridge-method-annotation@1.2": "pkg:maven/com.infradna.tool/bridge-method-annotation@1.2", + "classworlds@1.1": "pkg:maven/org.codehaus.classworlds/classworlds@1.1", + "cli@1.390": "pkg:maven/org.jvnet.hudson.main/cli@1.390", + "commons-beanutils@1.8.0": "pkg:maven/commons-beanutils/commons-beanutils@1.8.0", + "commons-codec@1.2": "pkg:maven/org.apache.commons.codec.*/commons-codec@1.2", + "commons-codec@1.4": "pkg:maven/commons-codec/commons-codec@1.4", + "commons-collections@3.2": "pkg:maven/commons-collections/commons-collections@3.2", + "commons-digester@1.7": "pkg:maven/commons-digester/commons-digester@1.7", + "commons-discovery@0.4": "pkg:maven/commons-discovery/commons-discovery@0.4", + "commons-fileupload@1.2.1": "pkg:maven/commons-fileupload/commons-fileupload@1.2.1", + "commons-httpclient@3.1": "pkg:maven/org.apache/commons-httpclient@3.1", + "commons-httpclient@3.1-rc1": "pkg:maven/commons-httpclient/commons-httpclient@3.1-rc1", + "commons-io@1.4": "pkg:maven/commons-io/commons-io@1.4", + "commons-jelly-tags-define@1.0.1-hudson-20071021": "pkg:maven/org.jvnet.hudson/commons-jelly-tags-define@1.0.1-hudson-20071021", + "commons-jelly-tags-fmt@1.0": "pkg:maven/commons-jelly-tags-fmt/commons-jelly-tags-fmt@1.0", + "commons-jelly-tags-xml@1.1": "pkg:maven/commons-jelly-tags-xml/commons-jelly-tags-xml@1.1", + "commons-jelly@1.1-hudson-20100305": "pkg:maven/org.jvnet.hudson/commons-jelly@1.1-hudson-20100305", + "commons-jexl@1.1-hudson-20090508": "pkg:maven/org.jvnet.hudson/commons-jexl@1.1-hudson-20090508", + "commons-lang@2.4": "pkg:maven/commons-lang/commons-lang@2.4", + "commons-lang@2.5": "pkg:maven/commons-lang/commons-lang@2.5", + "commons-logging@1.0.4": "pkg:maven/org.apache.commons.logging/commons-logging@1.0.4", + "commons-logging@1.1": "pkg:maven/org.apache.commons.logging/commons-logging@1.1", + "commons-logging@1.1.1": "pkg:maven/commons-logging/commons-logging@1.1.1", + "commons-pool@1.3": "pkg:maven/commons-pool/commons-pool@1.3", + "crypto-util@1.0": "pkg:maven/org.jvnet.hudson/crypto-util@1.0", + "cvs@1.2": "pkg:maven/org.jvnet.hudson.plugins/cvs@1.2", + "dom4j@1.6.1-hudson-3": "pkg:maven/dom4j/dom4j@1.6.1-hudson-3", + "doxia-sink-api@1.0-alpha-10": "pkg:maven/org.apache.maven.doxia/doxia-sink-api@1.0-alpha-10", + "easymock@2.4": "pkg:maven/org.easymock/easymock@2.4", + "embedded_su4j@1.1": "pkg:maven/com.sun.solaris/embedded_su4j@1.1", + "example-java-app-gradle@0.1.0": "pkg:maven/example-java-app-gradle/example-java-app-gradle@0.1.0", + "ezmorph@1.0.3": "pkg:maven/net.sf.ezmorph/ezmorph@1.0.3", + "graph-layouter@1.0": "pkg:maven/org.kohsuke/graph-layouter@1.0", + "groovy-all@1.6.0": "pkg:maven/groovy-all/groovy-all@1.6.0", + "gson@2.8.6": "pkg:maven/com.google.code.gson/gson@2.8.6", + "guava@r06": "pkg:maven/com.google.guava/guava@r06", + "httpclient@4.1.1": "pkg:maven/org.apache.httpcomponents/httpclient@4.1.1", + "httpcore@4.1": "pkg:maven/org.apache.httpcomponents/httpcore@4.1", + "hudson-cli@": "pkg:maven/hudson-cli/hudson-cli", + "hudson-core@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-core@1.390", + "hudson-war@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-war@1.390", + "hudson@1.390": "pkg:maven/hudson/hudson@1.390", + "j-interop@2.0.5": "pkg:maven/j-interop/j-interop@2.0.5", + "j-interopdeps@2.0.5": "pkg:maven/j-interopdeps/j-interopdeps@2.0.5", + "jaxen@1.1-beta-11": "pkg:maven/org.jaxen/jaxen@1.1-beta-11", + "jcaptcha-all@1.0-RC6": "pkg:maven/jcaptcha-all/jcaptcha-all@1.0-RC6", + "jcifs@1.3.14-kohsuke-1": "pkg:maven/org.samba.jcifs/jcifs@1.3.14-kohsuke-1", + "jcommon@1.0.12": "pkg:maven/jfree/jcommon@1.0.12", + "jfreechart@1.0.9": "pkg:maven/jfreechart/jfreechart@1.0.9", + "jinterop-proxy@1.1": "pkg:maven/org.kohsuke.jinterop/jinterop-proxy@1.1", + "jinterop-wmi@1.0": "pkg:maven/org.jvnet.hudson/jinterop-wmi@1.0", + "jline@0.9.94": "pkg:maven/jline/jline@0.9.94", + "jmdns@3.1.6-hudson-2": "pkg:maven/com.strangeberry.jmdns.tools.Main/jmdns@3.1.6-hudson-2", + "jna-posix@1.0.3": "pkg:maven/org.jruby.ext.posix/jna-posix@1.0.3", + "jna@3.2.4": "pkg:maven/com.sun.jna/jna@3.2.4", + "jsch@0.1.27": "pkg:maven/jsch/jsch@0.1.27", + "json-lib@2.1-rev6": "pkg:maven/json-lib/json-lib@2.1-rev6", + "json@20200518": "pkg:maven/org.json/json@20200518", + "jstl@1.1.0": "pkg:maven/com.sun/jstl@1.1.0", + "jtidy@4aug2000r7-dev-hudson-1": "pkg:maven/jtidy/jtidy@4aug2000r7-dev-hudson-1", + "junit@4.13.1": "pkg:maven/junit/junit@4.13.1", + "kotlin-stdlib-common@1.3.70": "pkg:maven/kotlin-stdlib-common/kotlin-stdlib-common@1.3.70", + "kotlin-stdlib@1.3.70": "pkg:maven/kotlin-stdlib/kotlin-stdlib@1.3.70", + "libpam4j@1.2": "pkg:maven/org.jvnet.libpam4j/libpam4j@1.2", + "libzfs@0.5": "pkg:maven/org.jvnet.libzfs/libzfs@0.5", + "localizer@1.10": "pkg:maven/org.jvnet.localizer/localizer@1.10", + "log4j@1.2.9": "pkg:maven/log4j/log4j@1.2.9", + "logkit@1.0.1": "pkg:maven/logkit/logkit@1.0.1", + "mail@1.4": "pkg:maven/com.sun/mail@1.4", + "maven-agent@1.390": "pkg:maven/org.jvnet.hudson.main/maven-agent@1.390", + "maven-artifact-manager@2.0.9": "pkg:maven/org.apache.maven/maven-artifact-manager@2.0.9", + "maven-artifact@2.0.9": "pkg:maven/org.apache.maven/maven-artifact@2.0.9", + "maven-core@2.0.9": "pkg:maven/org.apache.maven/maven-core@2.0.9", + "maven-embedder@2.0.4": "pkg:maven/org.apache.maven/maven-embedder@2.0.4", + "maven-embedder@2.0.4-hudson-1": "pkg:maven/org.jvnet.hudson/maven-embedder@2.0.4-hudson-1", + "maven-error-diagnostics@2.0.9": "pkg:maven/org.apache.maven/maven-error-diagnostics@2.0.9", + "maven-interceptor@1.390": "pkg:maven/org.jvnet.hudson.main/maven-interceptor@1.390", + "maven-model@2.0.9": "pkg:maven/org.apache.maven/maven-model@2.0.9", + "maven-monitor@2.0.9": "pkg:maven/org.apache.maven/maven-monitor@2.0.9", + "maven-plugin-api@2.0.9": "pkg:maven/org.apache.maven/maven-plugin-api@2.0.9", + "maven-plugin-descriptor@2.0.9": "pkg:maven/org.apache.maven/maven-plugin-descriptor@2.0.9", + "maven-plugin-parameter-documenter@2.0.9": "pkg:maven/org.apache.maven/maven-plugin-parameter-documenter@2.0.9", + "maven-plugin-registry@2.0.9": "pkg:maven/org.apache.maven/maven-plugin-registry@2.0.9", + "maven-plugin@1.390": "pkg:maven/org.jvnet.hudson.main/maven-plugin@1.390", + "maven-profile@2.0.9": "pkg:maven/org.apache.maven/maven-profile@2.0.9", + "maven-project@2.0.9": "pkg:maven/org.apache.maven/maven-project@2.0.9", + "maven-reporting-api@2.0.9": "pkg:maven/org.apache.maven.reporting/maven-reporting-api@2.0.9", + "maven-repository-metadata@2.0.9": "pkg:maven/org.apache.maven/maven-repository-metadata@2.0.9", + "maven-settings@2.0.9": "pkg:maven/org.apache.maven/maven-settings@2.0.9", + "maven2.1-interceptor@1.2": "pkg:maven/org.jvnet.hudson/maven2.1-interceptor@1.2", + "memory-monitor@1.3": "pkg:maven/org.jvnet.hudson/memory-monitor@1.3", + "nomad@0.7.4": "pkg:maven/org.jenkins-ci.plugins/nomad@0.7.4", + "okhttp@4.5.0": "pkg:maven/okhttp/okhttp@4.5.0", + "okio@2.5.0": "pkg:maven/okio/okio@2.5.0", + "oro@2.0.8": "pkg:maven/org.apache.oro/oro@2.0.8", + "plexus-container-default@1.0-alpha-9-stable-1": "pkg:maven/org.codehaus.plexus/plexus-container-default@1.0-alpha-9-stable-1", + "plexus-interactivity-api@1.0-alpha-4": "pkg:maven/org.codehaus.plexus/plexus-interactivity-api@1.0-alpha-4", + "plexus-utils@1.5.1": "pkg:maven/org.codehaus.plexus/plexus-utils@1.5.1", + "remoting@1.390": "pkg:maven/org.jvnet.hudson.main/remoting@1.390", + "robust-http-client@1.1": "pkg:maven/org.jvnet.robust-http-client/robust-http-client@1.1", + "sdk@3.0": "pkg:maven/sdk/sdk@3.0", + "sezpoz@1.7": "pkg:maven/net.java.sezpoz/sezpoz@1.7", + "slave@": "pkg:maven/slave/slave", + "slide-webdavlib@2.1": "pkg:maven/slide-webdavlib/slide-webdavlib@2.1", + "spring-aop@2.5": "pkg:maven/org.springframework.bundle.spring.aop/spring-aop@2.5", + "spring-beans@2.5": "pkg:maven/org.springframework/spring-beans@2.5", + "spring-context@2.5": "pkg:maven/org.springframework.bundle.spring.context/spring-context@2.5", + "spring-core@2.5": "pkg:maven/org.springframework/spring-core@2.5", + "spring-dao@1.2.9": "pkg:maven/spring-dao/spring-dao@1.2.9", + "spring-jdbc@1.2.9": "pkg:maven/spring-jdbc/spring-jdbc@1.2.9", + "spring-web@2.5": "pkg:maven/org.springframework/spring-web@2.5", + "ssh-slaves@0.14": "pkg:maven/org.jvnet.hudson.plugins/ssh-slaves@0.14", + "stapler-adjunct-timeline@1.2": "pkg:maven/org.kohsuke.stapler/stapler-adjunct-timeline@1.2", + "stapler-jelly@1.155": "pkg:maven/org.kohsuke.stapler/stapler-jelly@1.155", + "stapler@1.155": "pkg:maven/org.kohsuke.stapler/stapler@1.155", + "stax-api@1.0.1": "pkg:maven/stax-api/stax-api@1.0.1", + "subversion@1.20": "pkg:maven/org.jvnet.hudson.plugins/subversion@1.20", + "svnkit@1.3.4-hudson-2": "pkg:maven/svnkit/svnkit@1.3.4-hudson-2", + "task-reactor@1.2": "pkg:maven/org.jvnet.hudson/task-reactor@1.2", + "tiger-types@1.3": "pkg:maven/org.jvnet/tiger-types@1.3", + "trilead-putty-extension@1.0": "pkg:maven/org.kohsuke/trilead-putty-extension@1.0", + "trilead-ssh2@build212-hudson-5": "pkg:maven/org.jvnet.hudson/trilead-ssh2@build212-hudson-5", + "txw2@20070624": "pkg:maven/txw2/txw2@20070624", + "wagon-file@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-file@1.0-beta-2", + "wagon-http-lightweight@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-http-lightweight@1.0-beta-2", + "wagon-http-shared@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-http-shared@1.0-beta-2", + "wagon-provider-api@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-provider-api@1.0-beta-2", + "wagon-ssh-common@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-ssh-common@1.0-beta-2", + "wagon-ssh-external@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-ssh-external@1.0-beta-2", + "wagon-ssh@1.0-beta-2": "pkg:maven/org.apache.maven.wagon/wagon-ssh@1.0-beta-2", + "wagon-webdav@1.0-beta-2-hudson-1": "pkg:maven/org.jvnet.hudson/wagon-webdav@1.0-beta-2-hudson-1", + "windows-remote-command@1.0": "pkg:maven/org.jvnet.hudson/windows-remote-command@1.0", + "winp@1.14": "pkg:maven/org.jvnet.winp/winp@1.14", + "winstone@0.9.10-hudson-24": "pkg:maven/org.jvnet.hudson.winstone/winstone@0.9.10-hudson-24", + "wstx-asl@3.2.7": "pkg:maven/wstx-asl/wstx-asl@3.2.7", + "xml-im-exporter@1.1": "pkg:maven/xml-im-exporter/xml-im-exporter@1.1", + "xpp3@1.1.4c": "pkg:maven/xpp3/xpp3@1.1.4c", + "xpp3_min@1.1.4c": "pkg:maven/xpp3_min/xpp3_min@1.1.4c", + "xstream@1.3.1-hudson-8": "pkg:maven/org.jvnet.hudson/xstream@1.3.1-hudson-8", +} From e056368373ee0a054ee43e2ff4d4f109777b03cd Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Tue, 29 Aug 2023 11:55:34 -0400 Subject: [PATCH 2/6] switch to admittedly hacky test fixture Signed-off-by: Will Murphy --- test/integration/java_purl_test.go | 27 ++----------------- .../image-test-java-purls/Dockerfile | 1 + 2 files changed, 3 insertions(+), 25 deletions(-) create mode 100644 test/integration/test-fixtures/image-test-java-purls/Dockerfile diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go index e2ca3f70c90..6de9e6b28d4 100644 --- a/test/integration/java_purl_test.go +++ b/test/integration/java_purl_test.go @@ -4,19 +4,13 @@ import ( "fmt" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/anchore/syft/syft" "github.com/anchore/syft/syft/pkg" - "github.com/anchore/syft/syft/pkg/cataloger" - "github.com/anchore/syft/syft/sbom" "github.com/anchore/syft/syft/source" + "github.com/stretchr/testify/assert" ) func TestJavaPURLs(t *testing.T) { - testImage := "anchore/test_images:java-56d52bc" - sbom := getCatalog(t, testImage) + sbom, _ := catalogFixtureImage(t, "image-test-java-purls", source.SquashedScope, nil) found := make(map[string]string) for _, p := range sbom.Artifacts.Packages.Sorted() { if p.Type != pkg.JavaPkg && p.Type != pkg.JenkinsPluginPkg { @@ -35,23 +29,6 @@ func TestJavaPURLs(t *testing.T) { } } -func getCatalog(t *testing.T, image string) sbom.SBOM { - detection, err := source.Detect(image, source.DefaultDetectConfig()) - require.NoError(t, err) - theSource, err := detection.NewSource(source.DefaultDetectionSourceConfig()) - packages, relationships, distro, error := syft.CatalogPackages(theSource, cataloger.DefaultConfig()) - require.NoError(t, error) - sbom := sbom.SBOM{ - Artifacts: sbom.Artifacts{ - Packages: packages, - LinuxDistribution: distro, - }, - Relationships: relationships, - Source: theSource.Describe(), - } - return sbom -} - // Constructed by: // syft anchore/test_images:java-56d52bc -o template -t /tmp/test.templ | grep 'pkg:maven' | sort | uniq >> test/integration/java_purl_test.go // where the template is: diff --git a/test/integration/test-fixtures/image-test-java-purls/Dockerfile b/test/integration/test-fixtures/image-test-java-purls/Dockerfile new file mode 100644 index 00000000000..76caa0ca0d1 --- /dev/null +++ b/test/integration/test-fixtures/image-test-java-purls/Dockerfile @@ -0,0 +1 @@ +FROM anchore/test_images:java-56d52bc From 8dd122775556b54d3db2971b52a113ce17403716 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Tue, 29 Aug 2023 11:58:47 -0400 Subject: [PATCH 3/6] add failing cases from weston Signed-off-by: Will Murphy --- test/integration/java_purl_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go index 6de9e6b28d4..936a0c54a20 100644 --- a/test/integration/java_purl_test.go +++ b/test/integration/java_purl_test.go @@ -58,7 +58,7 @@ var expectedPURLs = map[string]string{ "classworlds@1.1": "pkg:maven/org.codehaus.classworlds/classworlds@1.1", "cli@1.390": "pkg:maven/org.jvnet.hudson.main/cli@1.390", "commons-beanutils@1.8.0": "pkg:maven/commons-beanutils/commons-beanutils@1.8.0", - "commons-codec@1.2": "pkg:maven/org.apache.commons.codec.*/commons-codec@1.2", + "commons-codec@1.2": "pkg:maven/commons-codec/commons-codec@1.2", "commons-codec@1.4": "pkg:maven/commons-codec/commons-codec@1.4", "commons-collections@3.2": "pkg:maven/commons-collections/commons-collections@3.2", "commons-digester@1.7": "pkg:maven/commons-digester/commons-digester@1.7", @@ -146,8 +146,8 @@ var expectedPURLs = map[string]string{ "maven2.1-interceptor@1.2": "pkg:maven/org.jvnet.hudson/maven2.1-interceptor@1.2", "memory-monitor@1.3": "pkg:maven/org.jvnet.hudson/memory-monitor@1.3", "nomad@0.7.4": "pkg:maven/org.jenkins-ci.plugins/nomad@0.7.4", - "okhttp@4.5.0": "pkg:maven/okhttp/okhttp@4.5.0", - "okio@2.5.0": "pkg:maven/okio/okio@2.5.0", + "okhttp@4.5.0": "pkg:maven/com.squareup.okhttp3/okhttp@4.5.0", + "okio@2.5.0": "pkg:maven/com.squareup.okio/okio@2.5.0", "oro@2.0.8": "pkg:maven/org.apache.oro/oro@2.0.8", "plexus-container-default@1.0-alpha-9-stable-1": "pkg:maven/org.codehaus.plexus/plexus-container-default@1.0-alpha-9-stable-1", "plexus-interactivity-api@1.0-alpha-4": "pkg:maven/org.codehaus.plexus/plexus-interactivity-api@1.0-alpha-4", From 06de2a125c451671a954d49f078f8d5bbd6453f4 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Tue, 29 Aug 2023 13:07:28 -0400 Subject: [PATCH 4/6] Fix some of the bad group IDs. Signed-off-by: Will Murphy --- syft/pkg/cataloger/common/cpe/java_groupid_map.go | 3 +++ test/integration/java_purl_test.go | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/common/cpe/java_groupid_map.go b/syft/pkg/cataloger/common/cpe/java_groupid_map.go index 5205c81e9c3..ece0b004bde 100644 --- a/syft/pkg/cataloger/common/cpe/java_groupid_map.go +++ b/syft/pkg/cataloger/common/cpe/java_groupid_map.go @@ -36,6 +36,9 @@ var DefaultArtifactIDToGroupID = map[string]string{ "ant-trax": "org.apache.ant", "ant-weblogic": "org.apache.ant", "ant-xz": "org.apache.ant", + "commons-codec": "commons-codec", + "okhttp": "com.squareup.okhttp3", + "okio": "com.squareup.okio", "spring": "org.springframework", "spring-amqp": "org.springframework.amqp", "spring-batch-core": "org.springframework.batch", diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go index 936a0c54a20..e8148652dbe 100644 --- a/test/integration/java_purl_test.go +++ b/test/integration/java_purl_test.go @@ -4,9 +4,10 @@ import ( "fmt" "testing" + "github.com/stretchr/testify/assert" + "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/source" - "github.com/stretchr/testify/assert" ) func TestJavaPURLs(t *testing.T) { @@ -36,6 +37,7 @@ func TestJavaPURLs(t *testing.T) { {{ range .Artifacts}}"{{.Name}}@{{.Version}}":"{{.PURL}}", {{ end }} */ +// The map was then hand-edited for correctness by comparing to Maven Central. var expectedPURLs = map[string]string{ "TwilioNotifier@0.2.1": "pkg:maven/com.twilio.jenkins/TwilioNotifier@0.2.1", "access-modifier-annotation@1.0": "pkg:maven/org.kohsuke/access-modifier-annotation@1.0", From cb76675a72b649d3fecd48e2cfbb7b96a7453900 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Thu, 31 Aug 2023 13:16:08 -0400 Subject: [PATCH 5/6] remove spurious hudson purl Signed-off-by: Will Murphy --- test/integration/java_purl_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go index e8148652dbe..06c54d66d2d 100644 --- a/test/integration/java_purl_test.go +++ b/test/integration/java_purl_test.go @@ -97,7 +97,6 @@ var expectedPURLs = map[string]string{ "hudson-cli@": "pkg:maven/hudson-cli/hudson-cli", "hudson-core@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-core@1.390", "hudson-war@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-war@1.390", - "hudson@1.390": "pkg:maven/hudson/hudson@1.390", "j-interop@2.0.5": "pkg:maven/j-interop/j-interop@2.0.5", "j-interopdeps@2.0.5": "pkg:maven/j-interopdeps/j-interopdeps@2.0.5", "jaxen@1.1-beta-11": "pkg:maven/org.jaxen/jaxen@1.1-beta-11", From 86e69410530229437ae3d2490620958eabd0f3a0 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Thu, 31 Aug 2023 13:21:45 -0400 Subject: [PATCH 6/6] pin test image to manifest Signed-off-by: Will Murphy --- test/integration/test-fixtures/image-test-java-purls/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/test-fixtures/image-test-java-purls/Dockerfile b/test/integration/test-fixtures/image-test-java-purls/Dockerfile index 76caa0ca0d1..05545a7cec8 100644 --- a/test/integration/test-fixtures/image-test-java-purls/Dockerfile +++ b/test/integration/test-fixtures/image-test-java-purls/Dockerfile @@ -1 +1 @@ -FROM anchore/test_images:java-56d52bc +FROM anchore/test_images@sha256:10008791acbc5866de04108746a02a0c4029ce3a4400a9b3dad45d7f2245f9da