
Account for maven bundle plugin and fix filename matching #2220

Merged
merged 4 commits into main from gid-aid-for-maven-bundle-plugin on Oct 19, 2023

Conversation

@wagoodman (Contributor) commented Oct 11, 2023

This PR makes a few changes to the java archive cataloger:

  • takes into account the maven bundle plugin, which is common tooling that we can key off of patterns from the Bundle-SymbolicName field to get a group ID and artifact ID. Then we can extract the artifact ID as the package name.
  • If a filename looks like a group ID + artifact ID, attempt to parse it as such and extract the artifact ID as the package name.
  • When attempting to find if a pom.xml matches with an existing package, allow for the artifact ID to be a suffix of the filename (not just the filename as a prefix of the artifact ID as it is today)

Blocked until the following are verified:

  • CPE generation logic can additionally consider the new sources of information when crafting a vendor (I think this is done, but need to double check)
  • purl generation is using the right group ID found (again, I think this is done, but need to check)
  • incorporate locally into grype and run against the quality gate -- are we better or worse off on the whole? Incorporate Syft java detection improvements grype#1555

Closes #2217
Fixes #2130
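As an added illustration (not syft's code: the heuristics and function names are assumptions, and the sample filenames are constructed), the three changes described above in Go: derive a stem from a jar filename, split a Bundle-SymbolicName-style stem into group ID and artifact ID, and match a pom artifact ID against the stem by prefix or by suffix while refusing empty inputs. The guard matters because these coordinates feed purl and CPE generation, and a false pom match produces wrong vulnerability results downstream.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// versionSuffix matches a trailing "-<digit>..." run such as "-3.12.0" or
// "-32.1.2-jre". Assumed, simplified version detection for illustration only.
var versionSuffix = regexp.MustCompile(`-\d.*$`)

// filenameStem strips a jar/war/ear extension and a trailing version, e.g.
// "org.apache.commons.commons-lang3-3.12.0.jar" -> "org.apache.commons.commons-lang3".
func filenameStem(filename string) string {
	base := path.Base(filename)
	for _, ext := range []string{".jar", ".war", ".ear"} {
		base = strings.TrimSuffix(base, ext)
	}
	return versionSuffix.ReplaceAllString(base, "")
}

// splitGroupAndArtifact splits a dotted identifier (a maven-bundle-plugin
// Bundle-SymbolicName, or a filename stem that looks like one) at its last
// dot into group ID and artifact ID. Assumed heuristic, not syft's parser.
func splitGroupAndArtifact(s string) (groupID, artifactID string, ok bool) {
	i := strings.LastIndex(s, ".")
	if i <= 0 || i == len(s)-1 {
		return "", "", false
	}
	return s[:i], s[i+1:], true
}

// matchesFilenameStem approximates the check the PR's hunk calls
// artifactIDMatchesFilename: the stem may be a prefix of the artifact ID (old
// rule) or the artifact ID a suffix of the stem (new rule). Empty values never
// match: strings.HasPrefix and HasSuffix with an empty needle both return true.
func matchesFilenameStem(artifactID, stem string) bool {
	if artifactID == "" || stem == "" {
		return false
	}
	return strings.HasPrefix(artifactID, stem) || strings.HasSuffix(stem, artifactID)
}

func main() { // constructed sample filenames: bundle-plugin style and plain
	for _, f := range []string{"org.apache.commons.commons-lang3-3.12.0.jar", "commons-lang3-3.12.0.jar"} {
		stem := filenameStem(f)
		g, a, ok := splitGroupAndArtifact(stem)
		fmt.Printf("%s: group=%q artifact=%q gidAid=%v match=%v\n", f, g, a, ok, matchesFilenameStem("commons-lang3", stem))
	}
}
```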

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman force-pushed the gid-aid-for-maven-bundle-plugin branch from f2920df to 237cffc on October 12, 2023 14:25
wagoodman added a commit to anchore/grype that referenced this pull request Oct 12, 2023
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review October 12, 2023 14:45
@wagoodman wagoodman requested a review from a team October 12, 2023 14:46
@spiffcs (Contributor) left a comment:


LGTM - thanks for carving out this path to get a better artifact ID and the subsequent groupID changes. The examples were really easy to follow and the testing added is really clear.

I had a question about the following:

When attempting to find if a pom.xml matches with an existing package, allow for the artifact ID to be a suffix of the filename (not just the filename as a prefix of the artifact ID as it is today)

Memory: I thought we had experimented with this in the past and found it surfaced too many incorrect pom.xml. Basically, suffix checks were too loose and the naming conventions in Java were too broad to allow this kind of pom to be checked. Yes, we might miss some things where this case exists, but limiting the data here was correct in that we were not getting more wrong hits than correct hits.

What was the trigger for making this change?

@@ -237,7 +237,7 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi
projects, _ := pomProjectByParentPath(j.archivePath, j.location, pomMatches)

for parentPath, propertiesObj := range properties {
if propertiesObj.ArtifactID != "" && j.fileInfo.name != "" && strings.HasPrefix(propertiesObj.ArtifactID, j.fileInfo.name) {
if artifactIDMatchesFilename(propertiesObj.ArtifactID, j.fileInfo.name) {
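Review bot: the removed condition guarded against an empty `propertiesObj.ArtifactID` and an empty `j.fileInfo.name` before calling `strings.HasPrefix`; the replacement `artifactIDMatchesFilename(propertiesObj.ArtifactID, j.fileInfo.name)` must keep that guard inside the helper, because `strings.HasPrefix(s, "")` and `strings.HasSuffix(s, "")` are both true, so an empty filename or artifact ID would match every pom and attach the wrong coordinates (and therefore the wrong purl and CPE) to a package. Suggest a unit test for the helper with empty inputs on both sides, and one where the artifact ID is only a suffix of the filename, so the new looser rule stays bounded.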

+1 to untangle this many thanks

@spiffcs (Contributor) commented Oct 19, 2023

Ahh - I'll fix the merge commit - apologies

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@wagoodman (Contributor, Author) commented:

@spiffcs

What was the trigger for making this change?

Essentially it was from taking a closer look at some of the artifacts referenced in the attached issues.

I thought we had experimented with this in the past and found it surfaced too many incorrect pom.xml

I can't recall the specifics of what was experimented on from 3-ish months ago, but this seems different than the original implementation from about a year ago.

@wagoodman wagoodman merged commit 07f1304 into main Oct 19, 2023
9 checks passed
@wagoodman wagoodman deleted the gid-aid-for-maven-bundle-plugin branch October 19, 2023 21:57
wagoodman added a commit to anchore/grype that referenced this pull request Oct 20, 2023
* incorporate anchore/syft#2220

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* incorporate .net core improvements

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@spiffcs spiffcs added the enhancement New feature or request label Oct 31, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* account for maven bundle plugin and fix filename matching

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add in-repo jar tests based on metadata to cover anchore#2130

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* tests: fix test merge commit

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Successfully merging this pull request may close these issues:

  • Java archives not from Maven
  • Java archive is listed twice