fix: improve groupid extraction for Jenkins plugins

Consider the `Group-Id` java manifest property as this is typically set for Jenkins plugins if there is no pom file Signed-off-by: Weston Steimel <commits@weston.slmail.me>
anchore · Jun 13, 2024 · 386f3fe · 386f3fe
1 parent ca0cc52
commit 386f3fe
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 26 deletions.
diff --git a/cmd/syft/internal/test/integration/java_purl_test.go b/cmd/syft/internal/test/integration/java_purl_test.go
@@ -51,17 +51,15 @@ var noAssertion = map[string]string{
  "/packages/TwilioNotifier.hpi:WEB-INF/lib/sdk-3.0.jar": "pkg:maven/sdk/sdk@3.0",
 
  // syft generates incorrect purls
- "/packages/akka-actor_2.13-2.6.6.jar": "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.6",
- "/packages/akka-management-cluster-bootstrap_2.13-1.2.0.jar": "pkg:maven/com.lightbend.akka.management/akka-management-cluster-bootstrap_2.13@1.2.0",
- "/packages/hudson.war:WEB-INF/lib/asm-2.2.3.jar": "pkg:maven/asm/asm@2.2.3",
- "/packages/hudson.war:WEB-INF/lib/asm-commons-2.2.3.jar": "pkg:maven/asm/asm-commons@2.2.3",
- "/packages/hudson.war:WEB-INF/lib/asm-tree-2.2.3.jar": "pkg:maven/asm/asm-tree@2.2.3",
- "/packages/hudson.war:WEB-INF/slave.jar": "pkg:maven/org.jvnet.hudson.main/remoting@1.390",
- "/packages/hudson.war:WEB-INF/lib/xpp3_min-1.1.4c.jar": "pkg:maven/xpp3_min/xpp3_min@1.1.4c",
- "/packages/hudson.war:WEB-INF/lib/xpp3-1.1.4c.jar": "pkg:maven/xpp3/xpp3@1.1.4c",
- "/packages/hudson.war:WEB-INF/hudson-cli.jar": "pkg:maven/org.jvnet.hudson.main/hudson-cli@1.390",
- "/packages/hudson.war:WEB-INF/lib/dom4j-1.6.1-hudson-3.jar": "pkg:maven/org.jvnet.hudson.dom4j/dom4j@1.6.1-hudson-3",
- "/packages/xpp3_min-1.1.4c.jar": "pkg:maven/xpp3/xpp3_min@1.1.4c",
+ "/packages/hudson.war:WEB-INF/lib/asm-2.2.3.jar": "pkg:maven/asm/asm@2.2.3",
+ "/packages/hudson.war:WEB-INF/lib/asm-commons-2.2.3.jar": "pkg:maven/asm/asm-commons@2.2.3",
+ "/packages/hudson.war:WEB-INF/lib/asm-tree-2.2.3.jar": "pkg:maven/asm/asm-tree@2.2.3",
+ "/packages/hudson.war:WEB-INF/slave.jar": "pkg:maven/org.jvnet.hudson.main/remoting@1.390",
+ "/packages/hudson.war:WEB-INF/lib/xpp3_min-1.1.4c.jar": "pkg:maven/xpp3_min/xpp3_min@1.1.4c",
+ "/packages/hudson.war:WEB-INF/lib/xpp3-1.1.4c.jar": "pkg:maven/xpp3/xpp3@1.1.4c",
+ "/packages/hudson.war:WEB-INF/hudson-cli.jar": "pkg:maven/org.jvnet.hudson.main/hudson-cli@1.390",
+ "/packages/hudson.war:WEB-INF/lib/dom4j-1.6.1-hudson-3.jar": "pkg:maven/org.jvnet.hudson.dom4j/dom4j@1.6.1-hudson-3",
+ "/packages/xpp3_min-1.1.4c.jar": "pkg:maven/xpp3/xpp3_min@1.1.4c",
 
  // syft generates an unstable purl
  "/packages/dubbo-3.1.4.jar:org.apache.dubbo:dubbo-auth": "pkg:maven/org.apache.dubbo/dubbo-auth@3.1.4",
@@ -119,21 +117,21 @@ var noAssertion = map[string]string{
 // syft anchore/test_images:java-1abc58f -o json | jq -r '.artifacts.[] | [.metadata.virtualPath, .purl, ""] | @csv' | grep 'pkg:maven' | sort | uniq >> /tmp/java_artifacts_mapping.txt
 // The map was then hand-edited for correctness by comparing to Maven Central.
 var expectedPURLs = map[string]string{
- "/packages/activemq-client-5.18.2.jar": "pkg:maven/org.apache.activemq/activemq-client@5.18.2",
- "/packages/activemq-protobuf-1.1.jar": "pkg:maven/org.apache.activemq.protobuf/activemq-protobuf@1.1",
- // "/packages/akka-actor_2.13-2.6.6.jar":  "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.6",
- // "/packages/akka-management-cluster-bootstrap_2.13-1.2.0.jar":  "pkg:maven/com.lightbend.akka.management/akka-management-cluster-bootstrap_2.13@1.2.0",
- "/packages/ant-1.10.3.jar": "pkg:maven/org.apache.ant/ant@1.10.3",
- "/packages/apache-chainsaw-2.1.0.jar": "pkg:maven/log4j/apache-chainsaw@2.1.0",
- "/packages/apache-log4j-extras-1.1.jar": "pkg:maven/log4j/apache-log4j-extras@1.1",
- "/packages/apoc-4.4.0.11.jar": "pkg:maven/org.neo4j.procedure/apoc@4.4.0.11",
- "/packages/bc-fips-1.0.2.3.jar": "pkg:maven/org.bouncycastle/bc-fips@1.0.2.3",
- "/packages/camel-core-3.1.0.jar": "pkg:maven/org.apache.camel/camel-core@3.1.0",
- "/packages/cassandra-all-4.1.1.jar": "pkg:maven/org.apache.cassandra/cassandra-all@4.1.1",
- "/packages/commons-logging-1.1.1.jar": "pkg:maven/commons-logging/commons-logging@1.1.1",
- "/packages/commons-vfs-1.0.jar": "pkg:maven/commons-vfs/commons-vfs@1.0",
- "/packages/cxf-rt-transports-http-2.7.3.jar": "pkg:maven/org.apache.cxf/cxf-rt-transports-http@2.7.3",
- "/packages/dubbo-3.1.4.jar:com.alibaba:hessian-lite": "pkg:maven/com.alibaba/hessian-lite@3.2.13",
+ "/packages/activemq-client-5.18.2.jar":  "pkg:maven/org.apache.activemq/activemq-client@5.18.2",
+ "/packages/activemq-protobuf-1.1.jar":  "pkg:maven/org.apache.activemq.protobuf/activemq-protobuf@1.1",
+ "/packages/akka-actor_2.13-2.6.6.jar": "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.6",
+ "/packages/akka-management-cluster-bootstrap_2.13-1.2.0.jar": "pkg:maven/com.lightbend.akka.management/akka-management-cluster-bootstrap_2.13@1.2.0",
+ "/packages/ant-1.10.3.jar":  "pkg:maven/org.apache.ant/ant@1.10.3",
+ "/packages/apache-chainsaw-2.1.0.jar":  "pkg:maven/log4j/apache-chainsaw@2.1.0",
+ "/packages/apache-log4j-extras-1.1.jar":  "pkg:maven/log4j/apache-log4j-extras@1.1",
+ "/packages/apoc-4.4.0.11.jar":  "pkg:maven/org.neo4j.procedure/apoc@4.4.0.11",
+ "/packages/bc-fips-1.0.2.3.jar":  "pkg:maven/org.bouncycastle/bc-fips@1.0.2.3",
+ "/packages/camel-core-3.1.0.jar":  "pkg:maven/org.apache.camel/camel-core@3.1.0",
+ "/packages/cassandra-all-4.1.1.jar":  "pkg:maven/org.apache.cassandra/cassandra-all@4.1.1",
+ "/packages/commons-logging-1.1.1.jar":  "pkg:maven/commons-logging/commons-logging@1.1.1",
+ "/packages/commons-vfs-1.0.jar":  "pkg:maven/commons-vfs/commons-vfs@1.0",
+ "/packages/cxf-rt-transports-http-2.7.3.jar":  "pkg:maven/org.apache.cxf/cxf-rt-transports-http@2.7.3",
+ "/packages/dubbo-3.1.4.jar:com.alibaba:hessian-lite":  "pkg:maven/com.alibaba/hessian-lite@3.2.13",
  // "/packages/dubbo-3.1.4.jar:org.apache.dubbo:dubbo-auth": "pkg:maven/org.apache.dubbo/dubbo-auth@3.1.4",
  // "/packages/dubbo-3.1.4.jar:org.apache.dubbo:dubbo-cluster": "pkg:maven/org.apache.dubbo/dubbo-cluster@3.1.4",
  // "/packages/dubbo-3.1.4.jar:org.apache.dubbo:dubbo-common": "pkg:maven/org.apache.dubbo/dubbo-common@3.1.4",

diff --git a/syft/pkg/cataloger/internal/cpegenerate/java.go b/syft/pkg/cataloger/internal/cpegenerate/java.go
@@ -23,6 +23,7 @@ var (
  }
 
  PrimaryJavaManifestGroupIDFields = []string{
+ "Group-Id",
  "Bundle-SymbolicName",
  "Extension-Name",
  "Specification-Vendor",

diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go
@@ -147,9 +147,14 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re
  p := &pkgs[i]
  if m, ok := p.Metadata.(pkg.JavaArchive); ok {
  p.PURL = packageURL(p.Name, p.Version, m)
+
+ if strings.Contains(p.PURL, "io.jenkins.plugins") || strings.Contains(p.PURL, "org.jenkins-ci.plugins") {
+ p.Type = pkg.JenkinsPluginPkg
+ }
  } else {
  log.WithFields("package", p.String()).Warn("unable to extract java metadata to generate purl")
  }
+
  p.SetID()
  }