From 0b174438b63818115c504fe6d3da975f16420e15 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Wed, 11 Oct 2023 17:17:47 -0400 Subject: [PATCH 1/3] account for maven bundle plugin and fix filename matching Signed-off-by: Alex Goodman --- syft/pkg/cataloger/java/archive_parser.go | 9 +- .../pkg/cataloger/java/archive_parser_test.go | 28 ++++++ .../pkg/cataloger/java/parse_java_manifest.go | 86 ++++++++++++++----- .../java/parse_java_manifest_test.go | 38 ++++++++ 4 files changed, 139 insertions(+), 22 deletions(-) diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index 76de1534890..f3015d20c5d 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -237,7 +237,7 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi projects, _ := pomProjectByParentPath(j.archivePath, j.location, pomMatches) for parentPath, propertiesObj := range properties { - if propertiesObj.ArtifactID != "" && j.fileInfo.name != "" && strings.HasPrefix(propertiesObj.ArtifactID, j.fileInfo.name) { + if artifactIDMatchesFilename(propertiesObj.ArtifactID, j.fileInfo.name) { pomPropertiesObject = propertiesObj if proj, exists := projects[parentPath]; exists { pomProjectObject = proj @@ -256,6 +256,13 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi return name, version, pomProjectObject.Licenses } +func artifactIDMatchesFilename(artifactID, fileName string) bool { + if artifactID == "" || fileName == "" { + return false + } + return strings.HasPrefix(artifactID, fileName) || strings.HasSuffix(fileName, artifactID) +} + // discoverPkgsFromAllMavenFiles parses Maven POM properties/xml for a given // parent package, returning all listed Java packages found for each pom // properties discovered and potentially updating the given parentPkg with new diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 78cbb2574fc..96a33ce7cdc 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -12,6 +12,7 @@ import ( "testing" "github.com/gookit/color" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/anchore/syft/internal" @@ -1004,3 +1005,30 @@ func Test_newPackageFromMavenData(t *testing.T) { }) } } + +func Test_artifactIDMatchesFilename(t *testing.T) { + tests := []struct { + name string + artifactID string + fileName string // without version or extension + want bool + }{ + { + name: "artifact id within file name", + artifactID: "atlassian-extras-api", + fileName: "com.atlassian.extras_atlassian-extras-api", + want: true, + }, + { + name: "file name within artifact id", + artifactID: "atlassian-extras-api-something", + fileName: "atlassian-extras-api", + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.want, artifactIDMatchesFilename(tt.artifactID, tt.fileName)) + }) + } +} diff --git a/syft/pkg/cataloger/java/parse_java_manifest.go b/syft/pkg/cataloger/java/parse_java_manifest.go index f615da40603..688e59def04 100644 --- a/syft/pkg/cataloger/java/parse_java_manifest.go +++ b/syft/pkg/cataloger/java/parse_java_manifest.go @@ -109,27 +109,71 @@ func parseJavaManifest(path string, reader io.Reader) (*pkg.JavaManifest, error) } func selectName(manifest *pkg.JavaManifest, filenameObj archiveFilename) string { - var name string - switch { - case filenameObj.name != "": - name = filenameObj.name - case manifest.Main["Name"] != "": - // Manifest original spec... - name = manifest.Main["Name"] - case manifest.Main["Bundle-Name"] != "": - // BND tooling... - name = manifest.Main["Bundle-Name"] - case manifest.Main["Short-Name"] != "": - // Jenkins... - name = manifest.Main["Short-Name"] - case manifest.Main["Extension-Name"] != "": - // Jenkins... - name = manifest.Main["Extension-Name"] - case manifest.Main["Implementation-Title"] != "": - // last ditch effort... - name = manifest.Main["Implementation-Title"] - } - return name + // special case: from https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-1.2.0/doc/maven-bundle-plugin-bnd.html + // " is assumed to be "${groupId}.${artifactId}"." + // + // documentation from https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundle-plugin-bnd.html + // agrees this is the default behavior: + // + // - [1] if artifact.getFile is not null and the jar contains a OSGi Manifest with Bundle-SymbolicName property then that value is returned + // + // - [2] if groupId has only one section (no dots) and artifact.getFile is not null then the first package name with classes + // is returned. eg. commons-logging:commons-logging -> org.apache.commons.logging + // + // - [3] if artifactId is equal to last section of groupId then groupId is returned. eg. org.apache.maven:maven -> org.apache.maven + // + // - [4] if artifactId starts with last section of groupId that portion is removed. eg. org.apache.maven:maven-core -> org.apache.maven.core + // The computed symbolic name is also stored in the $(maven-symbolicname) property in case you want to add attributes or directives to it. + // + if manifest != nil { + if strings.Contains(manifest.Main["Created-By"], "Apache Maven Bundle Plugin") { + if v := manifest.Main["Bundle-SymbolicName"]; v != "" { + // the problem with this approach is that we don't have a strong indication of the artifactId + // not having a "." in it. However, by convention it is unlikely that an artifactId would have a ".". + fields := strings.Split(v, ".") + + // grab the last field, this is the artifactId. Note: because of [3] we do not know if this value is + // correct. That is, a group id of "commons-logging" may have caused BND to swap out the reference to + // "org.apache.commons.logging", which means we'd interpret this as an artifact id of "logging", + // which is not correct. + // [correct] https://mvnrepository.com/artifact/commons-logging/commons-logging + // [still incorrect] https://mvnrepository.com/artifact/org.apache.commons.logging/org.apache.commons.logging + return fields[len(fields)-1] + } + } + } + + // the filename tends to be the next-best reference for the package name + if filenameObj.name != "" { + if strings.Contains(filenameObj.name, ".") { + // special case: this *might* be a group id + artifact id. By convention artifact ids do not have "." in them. + fields := strings.Split(filenameObj.name, ".") + return fields[len(fields)-1] + } + return filenameObj.name + } + + // remaining fields in the manifest is a bit of a free-for-all depending on the build tooling used and package maintainer preferences + if manifest != nil { + switch { + case manifest.Main["Name"] != "": + // Manifest original spec... + return manifest.Main["Name"] + case manifest.Main["Bundle-Name"] != "": + // BND tooling... TODO: this does not seem accurate (I don't see a reference in the BND tooling docs for this) + return manifest.Main["Bundle-Name"] + case manifest.Main["Short-Name"] != "": + // Jenkins... + return manifest.Main["Short-Name"] + case manifest.Main["Extension-Name"] != "": + // Jenkins... + return manifest.Main["Extension-Name"] + case manifest.Main["Implementation-Title"] != "": + // last ditch effort... + return manifest.Main["Implementation-Title"] + } + } + return "" } func selectVersion(manifest *pkg.JavaManifest, filenameObj archiveFilename) string { diff --git a/syft/pkg/cataloger/java/parse_java_manifest_test.go b/syft/pkg/cataloger/java/parse_java_manifest_test.go index 231cd7c981b..3438b9de030 100644 --- a/syft/pkg/cataloger/java/parse_java_manifest_test.go +++ b/syft/pkg/cataloger/java/parse_java_manifest_test.go @@ -160,6 +160,44 @@ func TestSelectName(t *testing.T) { archive: newJavaArchiveFilename("/something/omg.jar"), expected: "omg", }, + { + desc: "Use the artifact ID baked by the Apache Maven Bundle Plugin", + manifest: pkg.JavaManifest{ + Main: map[string]string{ + "Created-By": "Apache Maven Bundle Plugin", + "Bundle-SymbolicName": "com.atlassian.gadgets.atlassian-gadgets-api", + "Name": "foo", + "Implementation-Title": "maven-wrapper", + }, + }, + archive: newJavaArchiveFilename("/something/omg.jar"), + expected: "atlassian-gadgets-api", + }, + { + // example: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-beans@5.3.26_1 + desc: "Apache Maven Bundle Plugin might bake a version in the created-by field", + manifest: pkg.JavaManifest{ + Main: map[string]string{ + "Created-By": "Apache Maven Bundle Plugin 5.1.6", + "Bundle-SymbolicName": "com.atlassian.gadgets.atlassian-gadgets-api", + "Name": "foo", + "Implementation-Title": "maven-wrapper", + }, + }, + archive: newJavaArchiveFilename("/something/omg.jar"), + expected: "atlassian-gadgets-api", + }, + { + desc: "Filename looks like a groupid + artifact id", + manifest: pkg.JavaManifest{ + Main: map[string]string{ + "Name": "foo", + "Implementation-Title": "maven-wrapper", + }, + }, + archive: newJavaArchiveFilename("/something/com.atlassian.gadgets.atlassian-gadgets-api.jar"), + expected: "atlassian-gadgets-api", + }, } for _, test := range tests { From 237cffc1b481cde1cf66bdf2050e96d46c348a79 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Thu, 12 Oct 2023 10:18:48 -0400 Subject: [PATCH 2/3] add in-repo jar tests based on metadata to cover #2130 Signed-off-by: Alex Goodman --- .../pkg/cataloger/java/archive_parser_test.go | 242 ++++++++++--- .../test-fixtures/jar-metadata/.gitignore | 1 + .../java/test-fixtures/jar-metadata/Makefile | 14 + .../java/test-fixtures/jar-metadata/README.md | 5 + .../META-INF/MANIFEST.MF | 25 ++ .../jackson-core/pom.xml | 323 ++++++++++++++++++ .../jackson-core-2.15.2/META-INF/MANIFEST.MF | 25 ++ .../jackson-core/pom.xml | 323 ++++++++++++++++++ 8 files changed, 917 insertions(+), 41 deletions(-) create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF create mode 100644 syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 96a33ce7cdc..d1ccec28d41 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -11,11 +11,13 @@ import ( "syscall" "testing" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/gookit/color" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/anchore/syft/internal" + "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/license" "github.com/anchore/syft/syft/pkg" @@ -39,47 +41,7 @@ func generateJavaBuildFixture(t *testing.T, fixturePath string) { cmd := exec.Command("make", makeTask) cmd.Dir = filepath.Join(cwd, "test-fixtures/java-builds/") - stderr, err := cmd.StderrPipe() - if err != nil { - t.Fatalf("could not get stderr: %+v", err) - } - stdout, err := cmd.StdoutPipe() - if err != nil { - t.Fatalf("could not get stdout: %+v", err) - } - - err = cmd.Start() - if err != nil { - t.Fatalf("failed to start cmd: %+v", err) - } - - show := func(label string, reader io.ReadCloser) { - scanner := bufio.NewScanner(reader) - scanner.Split(bufio.ScanLines) - for scanner.Scan() { - t.Logf("%s: %s", label, scanner.Text()) - } - } - go show("out", stdout) - go show("err", stderr) - - if err := cmd.Wait(); err != nil { - if exiterr, ok := err.(*exec.ExitError); ok { - // The program has exited with an exit code != 0 - - // This works on both Unix and Windows. Although package - // syscall is generally platform dependent, WaitStatus is - // defined for both Unix and Windows and in both cases has - // an ExitStatus() method with the same signature. - if status, ok := exiterr.Sys().(syscall.WaitStatus); ok { - if status.ExitStatus() != 0 { - t.Fatalf("failed to generate fixture: rc=%d", status.ExitStatus()) - } - } - } else { - t.Fatalf("unable to get generate fixture result: %+v", err) - } - } + run(t, cmd) } func TestParseJar(t *testing.T) { @@ -1032,3 +994,201 @@ func Test_artifactIDMatchesFilename(t *testing.T) { }) } } + +func Test_parseJavaArchive_regressions(t *testing.T) { + tests := []struct { + name string + fixtureName string + expectedPkgs []pkg.Package + expectedRelationships []artifact.Relationship + want bool + }{ + { + name: "duplicate jar regression - go case (issue #2130)", + fixtureName: "jackson-core-2.15.2", + expectedPkgs: []pkg.Package{ + { + Name: "jackson-core", + Version: "2.15.2", + Type: pkg.JavaPkg, + Language: pkg.Java, + MetadataType: pkg.JavaMetadataType, + PURL: "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2", + Locations: file.NewLocationSet(file.NewLocation("test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar")), + Licenses: pkg.NewLicenseSet( + pkg.NewLicensesFromLocation( + file.NewLocation("test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar"), + "https://www.apache.org/licenses/LICENSE-2.0.txt", + )..., + ), + Metadata: pkg.JavaMetadata{ + VirtualPath: "test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar", + Manifest: &pkg.JavaManifest{ + Main: map[string]string{ + "Build-Jdk-Spec": "1.8", + "Bundle-Description": "Core Jackson processing abstractions", + "Bundle-DocURL": "https://github.com/FasterXML/jackson-core", + "Bundle-License": "https://www.apache.org/licenses/LICENSE-2.0.txt", + "Bundle-ManifestVersion": "2", + "Bundle-Name": "Jackson-core", + "Bundle-SymbolicName": "com.fasterxml.jackson.core.jackson-core", + "Bundle-Vendor": "FasterXML", + "Bundle-Version": "2.15.2", + "Created-By": "Apache Maven Bundle Plugin 5.1.8", + "Export-Package": "com.fasterxml.jackson.core;version...snip", + "Implementation-Title": "Jackson-core", + "Implementation-Vendor": "FasterXML", + "Implementation-Vendor-Id": "com.fasterxml.jackson.core", + "Implementation-Version": "2.15.2", + "Import-Package": "com.fasterxml.jackson.core;version=...snip", + "Manifest-Version": "1.0", + "Multi-Release": "true", + "Require-Capability": `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"`, + "Specification-Title": "Jackson-core", + "Specification-Vendor": "FasterXML", + "Specification-Version": "2.15.2", + "Tool": "Bnd-6.3.1.202206071316", + "X-Compile-Source-JDK": "1.8", + "X-Compile-Target-JDK": "1.8", + }, + }, + // not under test + //ArchiveDigests: []file.Digest{{Algorithm: "sha1", Value: "d8bc1d9c428c96fe447e2c429fc4304d141024df"}}, + }, + }, + }, + }, + { + name: "duplicate jar regression - bad case (issue #2130)", + fixtureName: "com.fasterxml.jackson.core.jackson-core-2.15.2", + expectedPkgs: []pkg.Package{ + { + Name: "jackson-core", + Version: "2.15.2", + Type: pkg.JavaPkg, + Language: pkg.Java, + MetadataType: pkg.JavaMetadataType, + PURL: "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2", + Locations: file.NewLocationSet(file.NewLocation("test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar")), + Licenses: pkg.NewLicenseSet( + pkg.NewLicensesFromLocation( + file.NewLocation("test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar"), + "https://www.apache.org/licenses/LICENSE-2.0.txt", + )..., + ), + Metadata: pkg.JavaMetadata{ + VirtualPath: "test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar", + Manifest: &pkg.JavaManifest{ + Main: map[string]string{ + "Build-Jdk-Spec": "1.8", + "Bundle-Description": "Core Jackson processing abstractions", + "Bundle-DocURL": "https://github.com/FasterXML/jackson-core", + "Bundle-License": "https://www.apache.org/licenses/LICENSE-2.0.txt", + "Bundle-ManifestVersion": "2", + "Bundle-Name": "Jackson-core", + "Bundle-SymbolicName": "com.fasterxml.jackson.core.jackson-core", + "Bundle-Vendor": "FasterXML", + "Bundle-Version": "2.15.2", + "Created-By": "Apache Maven Bundle Plugin 5.1.8", + "Export-Package": "com.fasterxml.jackson.core;version...snip", + "Implementation-Title": "Jackson-core", + "Implementation-Vendor": "FasterXML", + "Implementation-Vendor-Id": "com.fasterxml.jackson.core", + "Implementation-Version": "2.15.2", + "Import-Package": "com.fasterxml.jackson.core;version=...snip", + "Manifest-Version": "1.0", + "Multi-Release": "true", + "Require-Capability": `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"`, + "Specification-Title": "Jackson-core", + "Specification-Vendor": "FasterXML", + "Specification-Version": "2.15.2", + "Tool": "Bnd-6.3.1.202206071316", + "X-Compile-Source-JDK": "1.8", + "X-Compile-Target-JDK": "1.8", + }, + }, + // not under test + //ArchiveDigests: []file.Digest{{Algorithm: "sha1", Value: "abd3e329270fc54a2acaceb45420fd5710ecefd5"}}, + }, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, generateJavaMetadataJarFixture(t, tt.fixtureName)). + Expects(tt.expectedPkgs, tt.expectedRelationships). + WithCompareOptions(cmpopts.IgnoreFields(pkg.JavaMetadata{}, "ArchiveDigests")). + TestParser(t, parseJavaArchive) + }) + } +} + +func generateJavaMetadataJarFixture(t *testing.T, fixtureName string) string { + fixturePath := filepath.Join("test-fixtures/jar-metadata/cache/", fixtureName+".jar") + if _, err := os.Stat(fixturePath); !os.IsNotExist(err) { + // fixture already exists... + return fixturePath + } + + makeTask := filepath.Join("cache", fixtureName+".jar") + t.Logf(color.Bold.Sprintf("Generating Fixture from 'make %s'", makeTask)) + + cwd, err := os.Getwd() + if err != nil { + t.Errorf("unable to get cwd: %+v", err) + } + + cmd := exec.Command("make", makeTask) + cmd.Dir = filepath.Join(cwd, "test-fixtures/jar-metadata") + + run(t, cmd) + + return fixturePath +} + +func run(t testing.TB, cmd *exec.Cmd) { + + stderr, err := cmd.StderrPipe() + if err != nil { + t.Fatalf("could not get stderr: %+v", err) + } + stdout, err := cmd.StdoutPipe() + if err != nil { + t.Fatalf("could not get stdout: %+v", err) + } + + err = cmd.Start() + if err != nil { + t.Fatalf("failed to start cmd: %+v", err) + } + + show := func(label string, reader io.ReadCloser) { + scanner := bufio.NewScanner(reader) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + t.Logf("%s: %s", label, scanner.Text()) + } + } + go show("out", stdout) + go show("err", stderr) + + if err := cmd.Wait(); err != nil { + if exiterr, ok := err.(*exec.ExitError); ok { + // The program has exited with an exit code != 0 + + // This works on both Unix and Windows. Although package + // syscall is generally platform dependent, WaitStatus is + // defined for both Unix and Windows and in both cases has + // an ExitStatus() method with the same signature. + if status, ok := exiterr.Sys().(syscall.WaitStatus); ok { + if status.ExitStatus() != 0 { + t.Fatalf("failed to generate fixture: rc=%d", status.ExitStatus()) + } + } + } else { + t.Fatalf("unable to get generate fixture result: %+v", err) + } + } +} diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore new file mode 100644 index 00000000000..b49a22ad0d5 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore @@ -0,0 +1 @@ +/cache \ No newline at end of file diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile new file mode 100644 index 00000000000..6f2398820ee --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile @@ -0,0 +1,14 @@ +CACHE_DIR = cache +CACHE_PATH = $(shell pwd)/cache + +JACKSON_CORE = jackson-core-2.15.2 +SBT_JACKSON_CORE = com.fasterxml.jackson.core.jackson-core-2.15.2 + +$(CACHE_DIR): + mkdir -p $(CACHE_DIR) + +$(CACHE_DIR)/$(JACKSON_CORE).jar: $(CACHE_DIR) + cd $(JACKSON_CORE) && zip -r $(CACHE_PATH)/$(JACKSON_CORE).jar . + +$(CACHE_DIR)/$(SBT_JACKSON_CORE).jar: $(CACHE_DIR) + cd $(SBT_JACKSON_CORE) && zip -r $(CACHE_PATH)/$(SBT_JACKSON_CORE).jar . diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md new file mode 100644 index 00000000000..dfb2a348954 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md @@ -0,0 +1,5 @@ +# Jar-Metadata test fixtures + +Each directory is the name of a jar to be created (simply a zip) based on the contents of the directory. +This prevents us from having to create real jars by hand or keep binaries in the repo. This also means we dont need the +entire jar, only the necessary metadata for testing. diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF new file mode 100644 index 00000000000..1709298548b --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF @@ -0,0 +1,25 @@ +Manifest-Version: 1.0 +Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt +Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-core +Implementation-Vendor-Id: com.fasterxml.jackson.core +Specification-Title: Jackson-core +Bundle-DocURL: https://github.com/FasterXML/jackson-core +Import-Package: com.fasterxml.jackson.core;version=...snip +Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" +Export-Package: com.fasterxml.jackson.core;version...snip +Bundle-Name: Jackson-core +Multi-Release: true +Build-Jdk-Spec: 1.8 +Bundle-Description: Core Jackson processing abstractions +Implementation-Title: Jackson-core +Implementation-Version: 2.15.2 +Bundle-ManifestVersion: 2 +Specification-Vendor: FasterXML +Bundle-Vendor: FasterXML +Tool: Bnd-6.3.1.202206071316 +Implementation-Vendor: FasterXML +Bundle-Version: 2.15.2 +X-Compile-Target-JDK: 1.8 +X-Compile-Source-JDK: 1.8 +Created-By: Apache Maven Bundle Plugin 5.1.8 +Specification-Version: 2.15.2 diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml new file mode 100644 index 00000000000..7484574e8a0 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml @@ -0,0 +1,323 @@ + + + + + + + 4.0.0 + + com.fasterxml.jackson + jackson-base + 2.15.2 + + com.fasterxml.jackson.core + jackson-core + Jackson-core + 2.15.2 + jar + Core Jackson processing abstractions (aka Streaming API), implementation for JSON + + + The Apache Software License, Version 2.0 + https://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + 2008 + + https://github.com/FasterXML/jackson-core + + scm:git:git@github.com:FasterXML/jackson-core.git + scm:git:git@github.com:FasterXML/jackson-core.git + https://github.com/FasterXML/jackson-core + jackson-core-2.15.2 + + + + + + + 26 + 0.5.1 + + com.fasterxml.jackson.core;version=${project.version}, +com.fasterxml.jackson.core.*;version=${project.version} + + !ch.randelshofer.fastdoubleparser, * + + + com/fasterxml/jackson/core/json + ${project.groupId}.json + + + 2023-05-30T22:15:40Z + + + + + + sonatype-nexus-snapshots + Sonatype Nexus Snapshots + https://oss.sonatype.org/content/repositories/snapshots + false + true + + + + + + + org.junit + junit-bom + 5.9.2 + pom + import + + + + + + + + + + + org.jacoco + jacoco-maven-plugin + + + + prepare-agent + + + + report + test + + report + + + + + + + + maven-enforcer-plugin + + + enforce-properties + validate + enforce + + + + + + org.apache.maven.plugins + maven-site-plugin + + + org.apache.maven.plugins + maven-surefire-plugin + ${version.plugin.surefire} + + ${surefire.redirectTestOutputToFile} + + **/failing/**/*.java + + + + + + + com.google.code.maven-replacer-plugin + replacer + + + + + org.moditect + moditect-maven-plugin + + + + org.codehaus.mojo + build-helper-maven-plugin + + + + org.apache.maven.plugins + maven-shade-plugin + + true + true + true + + + + shade-jackson-core + package + + shade + + + + + ch.randelshofer:fastdoubleparser + + META-INF/versions/**/module-info.* + + + + + + ch/randelshofer/fastdoubleparser + com/fasterxml/jackson/core/io/doubleparser + + + META-INF/LICENSE + META-INF/FastDoubleParser-LICENSE + + + META-INF/NOTICE + META-INF/FastDoubleParser-NOTICE + + + META-INF/jackson-core-LICENSE + META-INF/LICENSE + + + META-INF/jackson-core-NOTICE + META-INF/NOTICE + + + META-INF/versions/11/ch/randelshofer/fastdoubleparser + META-INF/versions/11/com/fasterxml/jackson/core/io/doubleparser + + + META-INF/versions/17/ch/randelshofer/fastdoubleparser + META-INF/versions/17/com/fasterxml/jackson/core/io/doubleparser + + + META-INF/versions/19/ch/randelshofer/fastdoubleparser + META-INF/versions/19/com/fasterxml/jackson/core/io/doubleparser + + + + + + + + + de.jjohannes + gradle-module-metadata-maven-plugin + + + + + ch.randelshofer + fastdoubleparser + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + + + + + + + + io.github.floverfelt + find-and-replace-maven-plugin + 1.1.0 + + + exec + package + + find-and-replace + + + file-contents + ${basedir} + 4.0.0]]> + dependency-reduced-pom.xml + + + + + + 4.0.0]]> + false + + + + + + + + org.codehaus.mojo + animal-sniffer-maven-plugin + 1.22 + + + com.toasttab.android + gummy-bears-api-${version.android.sdk} + ${version.android.sdk.signature} + + + + + + + + + + ch.randelshofer + fastdoubleparser + 0.9.0 + + + + org.junit.vintage + junit-vintage-engine + test + + + org.junit.jupiter + junit-jupiter + test + + + + diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF new file mode 100644 index 00000000000..1709298548b --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF @@ -0,0 +1,25 @@ +Manifest-Version: 1.0 +Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt +Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-core +Implementation-Vendor-Id: com.fasterxml.jackson.core +Specification-Title: Jackson-core +Bundle-DocURL: https://github.com/FasterXML/jackson-core +Import-Package: com.fasterxml.jackson.core;version=...snip +Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" +Export-Package: com.fasterxml.jackson.core;version...snip +Bundle-Name: Jackson-core +Multi-Release: true +Build-Jdk-Spec: 1.8 +Bundle-Description: Core Jackson processing abstractions +Implementation-Title: Jackson-core +Implementation-Version: 2.15.2 +Bundle-ManifestVersion: 2 +Specification-Vendor: FasterXML +Bundle-Vendor: FasterXML +Tool: Bnd-6.3.1.202206071316 +Implementation-Vendor: FasterXML +Bundle-Version: 2.15.2 +X-Compile-Target-JDK: 1.8 +X-Compile-Source-JDK: 1.8 +Created-By: Apache Maven Bundle Plugin 5.1.8 +Specification-Version: 2.15.2 diff --git a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml new file mode 100644 index 00000000000..7484574e8a0 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml @@ -0,0 +1,323 @@ + + + + + + + 4.0.0 + + com.fasterxml.jackson + jackson-base + 2.15.2 + + com.fasterxml.jackson.core + jackson-core + Jackson-core + 2.15.2 + jar + Core Jackson processing abstractions (aka Streaming API), implementation for JSON + + + The Apache Software License, Version 2.0 + https://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + 2008 + + https://github.com/FasterXML/jackson-core + + scm:git:git@github.com:FasterXML/jackson-core.git + scm:git:git@github.com:FasterXML/jackson-core.git + https://github.com/FasterXML/jackson-core + jackson-core-2.15.2 + + + + + + + 26 + 0.5.1 + + com.fasterxml.jackson.core;version=${project.version}, +com.fasterxml.jackson.core.*;version=${project.version} + + !ch.randelshofer.fastdoubleparser, * + + + com/fasterxml/jackson/core/json + ${project.groupId}.json + + + 2023-05-30T22:15:40Z + + + + + + sonatype-nexus-snapshots + Sonatype Nexus Snapshots + https://oss.sonatype.org/content/repositories/snapshots + false + true + + + + + + + org.junit + junit-bom + 5.9.2 + pom + import + + + + + + + + + + + org.jacoco + jacoco-maven-plugin + + + + prepare-agent + + + + report + test + + report + + + + + + + + maven-enforcer-plugin + + + enforce-properties + validate + enforce + + + + + + org.apache.maven.plugins + maven-site-plugin + + + org.apache.maven.plugins + maven-surefire-plugin + ${version.plugin.surefire} + + ${surefire.redirectTestOutputToFile} + + **/failing/**/*.java + + + + + + + com.google.code.maven-replacer-plugin + replacer + + + + + org.moditect + moditect-maven-plugin + + + + org.codehaus.mojo + build-helper-maven-plugin + + + + org.apache.maven.plugins + maven-shade-plugin + + true + true + true + + + + shade-jackson-core + package + + shade + + + + + ch.randelshofer:fastdoubleparser + + META-INF/versions/**/module-info.* + + + + + + ch/randelshofer/fastdoubleparser + com/fasterxml/jackson/core/io/doubleparser + + + META-INF/LICENSE + META-INF/FastDoubleParser-LICENSE + + + META-INF/NOTICE + META-INF/FastDoubleParser-NOTICE + + + META-INF/jackson-core-LICENSE + META-INF/LICENSE + + + META-INF/jackson-core-NOTICE + META-INF/NOTICE + + + META-INF/versions/11/ch/randelshofer/fastdoubleparser + META-INF/versions/11/com/fasterxml/jackson/core/io/doubleparser + + + META-INF/versions/17/ch/randelshofer/fastdoubleparser + META-INF/versions/17/com/fasterxml/jackson/core/io/doubleparser + + + META-INF/versions/19/ch/randelshofer/fastdoubleparser + META-INF/versions/19/com/fasterxml/jackson/core/io/doubleparser + + + + + + + + + de.jjohannes + gradle-module-metadata-maven-plugin + + + + + ch.randelshofer + fastdoubleparser + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + + + + + + + + io.github.floverfelt + find-and-replace-maven-plugin + 1.1.0 + + + exec + package + + find-and-replace + + + file-contents + ${basedir} + 4.0.0]]> + dependency-reduced-pom.xml + + + + + + 4.0.0]]> + false + + + + + + + + org.codehaus.mojo + animal-sniffer-maven-plugin + 1.22 + + + com.toasttab.android + gummy-bears-api-${version.android.sdk} + ${version.android.sdk.signature} + + + + + + + + + + ch.randelshofer + fastdoubleparser + 0.9.0 + + + + org.junit.vintage + junit-vintage-engine + test + + + org.junit.jupiter + junit-jupiter + test + + + + From f5478a5bd7350b6890c4e45a0b41f0413bbeb04b Mon Sep 17 00:00:00 2001 From: Christopher Phillips Date: Thu, 19 Oct 2023 13:54:07 -0400 Subject: [PATCH 3/3] tests: fix test merge commit Signed-off-by: Christopher Phillips --- syft/pkg/cataloger/java/archive_parser_test.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 2298a8b0cc4..5a703707139 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -13,13 +13,11 @@ import ( "github.com/google/go-cmp/cmp/cmpopts" "github.com/gookit/color" - "github.com/scylladb/go-set/strset" + "github.com/scylladb/go-set/strset" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/anchore/syft/internal" "github.com/anchore/syft/syft/artifact" - "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/license" "github.com/anchore/syft/syft/pkg"