Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: deterministic java purls #2170

Merged
merged 2 commits into from
Sep 25, 2023
Merged

fix: deterministic java purls #2170

merged 2 commits into from
Sep 25, 2023

Conversation

willmurphyscode
Copy link
Contributor

Previously, iterating over the map to build up a string slice of groupID candidates resulted in non-deterministic selection of the groupID. Fix that by sorting candidates, and update some integration tests that were only passing because of the issue.

There might be more discussion needed here:

  1. The comment at

    syft/syft/pkg/cataloger/java/package_url.go

    Lines 67 to 69 in 8314c0d

    groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields)
    // assumes that primaryJavaManifestNameFields are ordered by priority
    if len(groupIDS) != 0 {
    seems like it was never true, since the array order coming back from GetManifestFieldGroupIDs was non-deterministic due to iterating maps
  2. There's no reason to suppose that the lexicographically first group ID is a better choice than whatever group ID happened to win the map iteration.

Fixes #2169, but open to discussion about whether this is the right approach.

@willmurphyscode
fix: make candidate group ID list deterministic
1cd81de 
Otherwise, which PURL is generated depends on the order of key iteration
in maps.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode
chore: fix purl integ test
45f04e7 
Apparently this test was only passing because of the map iteration
fixed in the previous commit.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode willmurphyscode merged commit e34adea into main Sep 25, 2023
9 checks passed
@willmurphyscode willmurphyscode deleted the fix/deterministic-java-purls branch September 25, 2023 13:28
@p-linnane p-linnane mentioned this pull request Sep 27, 2023
Merged
@willmurphyscode willmurphyscode mentioned this pull request Dec 7, 2023
Closed
3 tasks
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@willmurphyscode
fix: deterministic java purls (anchore#2170)
b56d9ef 
Previously, which PURL was generated depended on the order of key iteration
in maps. Also update an integ test that was apparently only passing because
of the previous issue.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generated purls are different between runs of syft against the same image and artifact
2 participants
@willmurphyscode @spiffcs