feat: use java package names to determine known groupids (anchore#2032)

Signed-off-by: Keith Zantow <[email protected]>
GijsCalis · Aug 17, 2023 · 19e6b5e · 19e6b5e
1 parent 6187266
commit 19e6b5e
Show file tree

Hide file tree

Showing 4 changed files with 114 additions and 5 deletions.
diff --git a/syft/pkg/cataloger/common/cpe/java.go b/syft/pkg/cataloger/common/cpe/java.go
@@ -181,13 +181,13 @@ func GroupIDsFromJavaPackage(p pkg.Package) (groupIDs []string) {
 		return nil
 	}
 
-	return GroupIDsFromJavaMetadata(metadata)
+	return GroupIDsFromJavaMetadata(p.Name, metadata)
 }
 
-func GroupIDsFromJavaMetadata(metadata pkg.JavaMetadata) (groupIDs []string) {
+func GroupIDsFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupIDs []string) {
 	groupIDs = append(groupIDs, groupIDsFromPomProperties(metadata.PomProperties)...)
 	groupIDs = append(groupIDs, groupIDsFromPomProject(metadata.PomProject)...)
-	groupIDs = append(groupIDs, groupIDsFromJavaManifest(metadata.Manifest)...)
+	groupIDs = append(groupIDs, groupIDsFromJavaManifest(pkgName, metadata.Manifest)...)
 
 	return groupIDs
 }
@@ -241,7 +241,11 @@ func addGroupIDsFromGroupIDsAndArtifactID(groupID, artifactID string) (groupIDs
 	return groupIDs
 }
 
-func groupIDsFromJavaManifest(manifest *pkg.JavaManifest) []string {
+func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []string {
+	if groupID, ok := defaultArtifactIDToGroupID[pkgName]; ok {
+		return []string{groupID}
+	}
+
 	if manifest == nil {
 		return nil
 	}

diff --git a/syft/pkg/cataloger/common/cpe/java_groupid_map.go b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
@@ -0,0 +1,69 @@
+package cpe
+
+var defaultArtifactIDToGroupID = map[string]string{
+	"ant":                            "org.apache.ant",
+	"ant-antlr":                      "org.apache.ant",
+	"ant-antunit":                    "org.apache.ant",
+	"ant-apache-bcel":                "org.apache.ant",
+	"ant-apache-bsf":                 "org.apache.ant",
+	"ant-apache-log4j":               "org.apache.ant",
+	"ant-apache-oro":                 "org.apache.ant",
+	"ant-apache-regexp":              "org.apache.ant",
+	"ant-apache-resolver":            "org.apache.ant",
+	"ant-apache-xalan2":              "org.apache.ant",
+	"ant-commons-logging":            "org.apache.ant",
+	"ant-commons-net":                "org.apache.ant",
+	"ant-compress":                   "org.apache.ant",
+	"ant-dotnet":                     "org.apache.ant",
+	"ant-imageio":                    "org.apache.ant",
+	"ant-jai":                        "org.apache.ant",
+	"ant-jakartamail":                "org.apache.ant",
+	"ant-javamail":                   "org.apache.ant",
+	"ant-jdepend":                    "org.apache.ant",
+	"ant-jmf":                        "org.apache.ant",
+	"ant-jsch":                       "org.apache.ant",
+	"ant-junit":                      "org.apache.ant",
+	"ant-junit4":                     "org.apache.ant",
+	"ant-junitlauncher":              "org.apache.ant",
+	"ant-launcher":                   "org.apache.ant",
+	"ant-netrexx":                    "org.apache.ant",
+	"ant-nodeps":                     "org.apache.ant",
+	"ant-parent":                     "org.apache.ant",
+	"ant-starteam":                   "org.apache.ant",
+	"ant-stylebook":                  "org.apache.ant",
+	"ant-swing":                      "org.apache.ant",
+	"ant-testutil":                   "org.apache.ant",
+	"ant-trax":                       "org.apache.ant",
+	"ant-weblogic":                   "org.apache.ant",
+	"ant-xz":                         "org.apache.ant",
+	"spring":                         "org.springframework",
+	"spring-amqp":                    "org.springframework.amqp",
+	"spring-batch-core":              "org.springframework.batch",
+	"spring-beans":                   "org.springframework",
+	"spring-boot":                    "org.springframework.boot",
+	"spring-boot-starter-web":        "org.springframework.boot",
+	"spring-boot-starter-webflux":    "org.springframework.boot",
+	"spring-cloud-function-context":  "org.springframework.cloud",
+	"spring-cloud-function-parent":   "org.springframework.cloud",
+	"spring-cloud-gateway":           "org.springframework.cloud",
+	"spring-cloud-openfeign-core":    "org.springframework.cloud",
+	"spring-cloud-task-dependencies": "org.springframework.cloud",
+	"spring-core":                    "org.springframework",
+	"spring-data-jpa":                "org.springframework.data",
+	"spring-data-mongodb":            "org.springframework.data",
+	"spring-data-rest-core":          "org.springframework.data",
+	"spring-expression":              "org.springframework",
+	"spring-integration-zip":         "org.springframework.integration",
+	"spring-oxm":                     "org.springframework",
+	"spring-security-core":           "org.springframework.security",
+	"spring-security-config":         "org.springframework.security",
+	"spring-security-oauth":          "org.springframework.security.oauth",
+	"spring-security-oauth-parent":   "org.springframework.security.oauth",
+	"spring-security-oauth2-client":  "org.springframework.security",
+	"spring-session-core":            "org.springframework.session",
+	"spring-vault-core":              "org.springframework.vault",
+	"spring-web":                     "org.springframework",
+	"spring-webflow":                 "org.springframework.webflow",
+	"spring-webflux":                 "org.springframework",
+	"spring-webmvc":                  "org.springframework",
+}
diff --git a/syft/pkg/cataloger/common/cpe/java_test.go b/syft/pkg/cataloger/common/cpe/java_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/anchore/syft/syft/pkg"
 )
@@ -427,3 +428,38 @@ func Test_vendorsFromJavaManifestNames(t *testing.T) {
 		})
 	}
 }
+
+func Test_groupIDsFromJavaManifest(t *testing.T) {
+	tests := []struct {
+		name     string
+		manifest pkg.JavaManifest
+		expected []string
+	}{
+		{
+			name:     "spring-security-core",
+			manifest: pkg.JavaManifest{},
+			expected: []string{"org.springframework.security"},
+		},
+		{
+			name:     "spring-web",
+			manifest: pkg.JavaManifest{},
+			expected: []string{"org.springframework"},
+		},
+		{
+			name: "spring-foo",
+			manifest: pkg.JavaManifest{
+				Main: map[string]string{
+					"Implementation-Vendor": "org.foo",
+				},
+			},
+			expected: []string{"org.foo"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := groupIDsFromJavaManifest(test.name, &test.manifest)
+			require.Equal(t, test.expected, got)
+		})
+	}
+}
diff --git a/syft/pkg/cataloger/java/package_url.go b/syft/pkg/cataloger/java/package_url.go
@@ -9,7 +9,7 @@ import (
 // PackageURL returns the PURL for the specific java package (see https://github.com/package-url/purl-spec)
 func packageURL(name, version string, metadata pkg.JavaMetadata) string {
 	var groupID = name
-	groupIDs := cpe.GroupIDsFromJavaMetadata(metadata)
+	groupIDs := cpe.GroupIDsFromJavaMetadata(name, metadata)
 	if len(groupIDs) > 0 {
 		groupID = groupIDs[0]
 	}