Account for maven bundle plugin and fix filename matching (#2220)

* account for maven bundle plugin and fix filename matching Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add in-repo jar tests based on metadata to cover #2130 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * tests: fix test merge commit Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2025-11-17 16:33:21 +01:00 · 2023-10-19 17:57:23 -04:00 · 2023-10-19 17:57:23 -04:00 · 07f13049da
commit 07f13049da
parent 6c7900f5b8
11 changed files with 1055 additions and 62 deletions
--- a/syft/pkg/cataloger/java/archive_parser.go
+++ b/syft/pkg/cataloger/java/archive_parser.go
@ -257,7 +257,7 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi
 		projects, _ := pomProjectByParentPath(j.archivePath, j.location, pomMatches)

 		for parentPath, propertiesObj := range properties {
-			if propertiesObj.ArtifactID != "" && j.fileInfo.name != "" && strings.HasPrefix(propertiesObj.ArtifactID, j.fileInfo.name) {
+			if artifactIDMatchesFilename(propertiesObj.ArtifactID, j.fileInfo.name) {
 				pomPropertiesObject = propertiesObj
 				if proj, exists := projects[parentPath]; exists {
 					pomProjectObject = proj
@ -276,6 +276,13 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi
 	return name, version, pomProjectObject.Licenses
 }

+func artifactIDMatchesFilename(artifactID, fileName string) bool {
+	if artifactID == "" || fileName == "" {
+		return false
+	}
+	return strings.HasPrefix(artifactID, fileName) || strings.HasSuffix(fileName, artifactID)
+}
+
 // discoverPkgsFromAllMavenFiles parses Maven POM properties/xml for a given
 // parent package, returning all listed Java packages found for each pom
 // properties discovered and potentially updating the given parentPkg with new
--- a/syft/pkg/cataloger/java/archive_parser_test.go
+++ b/syft/pkg/cataloger/java/archive_parser_test.go
@ -11,10 +11,13 @@ import (
 	"syscall"
 	"testing"

+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gookit/color"
 	"github.com/scylladb/go-set/strset"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/license"
 	"github.com/anchore/syft/syft/pkg"
@ -38,47 +41,7 @@ func generateJavaBuildFixture(t *testing.T, fixturePath string) {
 	cmd := exec.Command("make", makeTask)
 	cmd.Dir = filepath.Join(cwd, "test-fixtures/java-builds/")

-	stderr, err := cmd.StderrPipe()
-	if err != nil {
-		t.Fatalf("could not get stderr: %+v", err)
-	}
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		t.Fatalf("could not get stdout: %+v", err)
-	}
-
-	err = cmd.Start()
-	if err != nil {
-		t.Fatalf("failed to start cmd: %+v", err)
-	}
-
-	show := func(label string, reader io.ReadCloser) {
-		scanner := bufio.NewScanner(reader)
-		scanner.Split(bufio.ScanLines)
-		for scanner.Scan() {
-			t.Logf("%s: %s", label, scanner.Text())
-		}
-	}
-	go show("out", stdout)
-	go show("err", stderr)
-
-	if err := cmd.Wait(); err != nil {
-		if exiterr, ok := err.(*exec.ExitError); ok {
-			// The program has exited with an exit code != 0
-
-			// This works on both Unix and Windows. Although package
-			// syscall is generally platform dependent, WaitStatus is
-			// defined for both Unix and Windows and in both cases has
-			// an ExitStatus() method with the same signature.
-			if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
-				if status.ExitStatus() != 0 {
-					t.Fatalf("failed to generate fixture: rc=%d", status.ExitStatus())
-				}
-			}
-		} else {
-			t.Fatalf("unable to get generate fixture result: %+v", err)
-		}
-	}
+	run(t, cmd)
 }

 func TestParseJar(t *testing.T) {
@ -1020,3 +983,228 @@ func Test_newPackageFromMavenData(t *testing.T) {
 		})
 	}
 }
+
+func Test_artifactIDMatchesFilename(t *testing.T) {
+	tests := []struct {
+		name       string
+		artifactID string
+		fileName   string // without version or extension
+		want       bool
+	}{
+		{
+			name:       "artifact id within file name",
+			artifactID: "atlassian-extras-api",
+			fileName:   "com.atlassian.extras_atlassian-extras-api",
+			want:       true,
+		},
+		{
+			name:       "file name within artifact id",
+			artifactID: "atlassian-extras-api-something",
+			fileName:   "atlassian-extras-api",
+			want:       true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, artifactIDMatchesFilename(tt.artifactID, tt.fileName))
+		})
+	}
+}
+
+func Test_parseJavaArchive_regressions(t *testing.T) {
+	tests := []struct {
+		name                  string
+		fixtureName           string
+		expectedPkgs          []pkg.Package
+		expectedRelationships []artifact.Relationship
+		want                  bool
+	}{
+		{
+			name:        "duplicate jar regression - go case (issue #2130)",
+			fixtureName: "jackson-core-2.15.2",
+			expectedPkgs: []pkg.Package{
+				{
+					Name:         "jackson-core",
+					Version:      "2.15.2",
+					Type:         pkg.JavaPkg,
+					Language:     pkg.Java,
+					MetadataType: pkg.JavaMetadataType,
+					PURL:         "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2",
+					Locations:    file.NewLocationSet(file.NewLocation("test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar")),
+					Licenses: pkg.NewLicenseSet(
+						pkg.NewLicensesFromLocation(
+							file.NewLocation("test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar"),
+							"https://www.apache.org/licenses/LICENSE-2.0.txt",
+						)...,
+					),
+					Metadata: pkg.JavaMetadata{
+						VirtualPath: "test-fixtures/jar-metadata/cache/jackson-core-2.15.2.jar",
+						Manifest: &pkg.JavaManifest{
+							Main: map[string]string{
+								"Build-Jdk-Spec":           "1.8",
+								"Bundle-Description":       "Core Jackson processing abstractions",
+								"Bundle-DocURL":            "https://github.com/FasterXML/jackson-core",
+								"Bundle-License":           "https://www.apache.org/licenses/LICENSE-2.0.txt",
+								"Bundle-ManifestVersion":   "2",
+								"Bundle-Name":              "Jackson-core",
+								"Bundle-SymbolicName":      "com.fasterxml.jackson.core.jackson-core",
+								"Bundle-Vendor":            "FasterXML",
+								"Bundle-Version":           "2.15.2",
+								"Created-By":               "Apache Maven Bundle Plugin 5.1.8",
+								"Export-Package":           "com.fasterxml.jackson.core;version...snip",
+								"Implementation-Title":     "Jackson-core",
+								"Implementation-Vendor":    "FasterXML",
+								"Implementation-Vendor-Id": "com.fasterxml.jackson.core",
+								"Implementation-Version":   "2.15.2",
+								"Import-Package":           "com.fasterxml.jackson.core;version=...snip",
+								"Manifest-Version":         "1.0",
+								"Multi-Release":            "true",
+								"Require-Capability":       `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"`,
+								"Specification-Title":      "Jackson-core",
+								"Specification-Vendor":     "FasterXML",
+								"Specification-Version":    "2.15.2",
+								"Tool":                     "Bnd-6.3.1.202206071316",
+								"X-Compile-Source-JDK":     "1.8",
+								"X-Compile-Target-JDK":     "1.8",
+							},
+						},
+						// not under test
+						//ArchiveDigests: []file.Digest{{Algorithm: "sha1", Value: "d8bc1d9c428c96fe447e2c429fc4304d141024df"}},
+					},
+				},
+			},
+		},
+		{
+			name:        "duplicate jar regression - bad case (issue #2130)",
+			fixtureName: "com.fasterxml.jackson.core.jackson-core-2.15.2",
+			expectedPkgs: []pkg.Package{
+				{
+					Name:         "jackson-core",
+					Version:      "2.15.2",
+					Type:         pkg.JavaPkg,
+					Language:     pkg.Java,
+					MetadataType: pkg.JavaMetadataType,
+					PURL:         "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2",
+					Locations:    file.NewLocationSet(file.NewLocation("test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar")),
+					Licenses: pkg.NewLicenseSet(
+						pkg.NewLicensesFromLocation(
+							file.NewLocation("test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar"),
+							"https://www.apache.org/licenses/LICENSE-2.0.txt",
+						)...,
+					),
+					Metadata: pkg.JavaMetadata{
+						VirtualPath: "test-fixtures/jar-metadata/cache/com.fasterxml.jackson.core.jackson-core-2.15.2.jar",
+						Manifest: &pkg.JavaManifest{
+							Main: map[string]string{
+								"Build-Jdk-Spec":           "1.8",
+								"Bundle-Description":       "Core Jackson processing abstractions",
+								"Bundle-DocURL":            "https://github.com/FasterXML/jackson-core",
+								"Bundle-License":           "https://www.apache.org/licenses/LICENSE-2.0.txt",
+								"Bundle-ManifestVersion":   "2",
+								"Bundle-Name":              "Jackson-core",
+								"Bundle-SymbolicName":      "com.fasterxml.jackson.core.jackson-core",
+								"Bundle-Vendor":            "FasterXML",
+								"Bundle-Version":           "2.15.2",
+								"Created-By":               "Apache Maven Bundle Plugin 5.1.8",
+								"Export-Package":           "com.fasterxml.jackson.core;version...snip",
+								"Implementation-Title":     "Jackson-core",
+								"Implementation-Vendor":    "FasterXML",
+								"Implementation-Vendor-Id": "com.fasterxml.jackson.core",
+								"Implementation-Version":   "2.15.2",
+								"Import-Package":           "com.fasterxml.jackson.core;version=...snip",
+								"Manifest-Version":         "1.0",
+								"Multi-Release":            "true",
+								"Require-Capability":       `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"`,
+								"Specification-Title":      "Jackson-core",
+								"Specification-Vendor":     "FasterXML",
+								"Specification-Version":    "2.15.2",
+								"Tool":                     "Bnd-6.3.1.202206071316",
+								"X-Compile-Source-JDK":     "1.8",
+								"X-Compile-Target-JDK":     "1.8",
+							},
+						},
+						// not under test
+						//ArchiveDigests: []file.Digest{{Algorithm: "sha1", Value: "abd3e329270fc54a2acaceb45420fd5710ecefd5"}},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pkgtest.NewCatalogTester().
+				FromFile(t, generateJavaMetadataJarFixture(t, tt.fixtureName)).
+				Expects(tt.expectedPkgs, tt.expectedRelationships).
+				WithCompareOptions(cmpopts.IgnoreFields(pkg.JavaMetadata{}, "ArchiveDigests")).
+				TestParser(t, parseJavaArchive)
+		})
+	}
+}
+
+func generateJavaMetadataJarFixture(t *testing.T, fixtureName string) string {
+	fixturePath := filepath.Join("test-fixtures/jar-metadata/cache/", fixtureName+".jar")
+	if _, err := os.Stat(fixturePath); !os.IsNotExist(err) {
+		// fixture already exists...
+		return fixturePath
+	}
+
+	makeTask := filepath.Join("cache", fixtureName+".jar")
+	t.Logf(color.Bold.Sprintf("Generating Fixture from 'make %s'", makeTask))
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		t.Errorf("unable to get cwd: %+v", err)
+	}
+
+	cmd := exec.Command("make", makeTask)
+	cmd.Dir = filepath.Join(cwd, "test-fixtures/jar-metadata")
+
+	run(t, cmd)
+
+	return fixturePath
+}
+
+func run(t testing.TB, cmd *exec.Cmd) {
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		t.Fatalf("could not get stderr: %+v", err)
+	}
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		t.Fatalf("could not get stdout: %+v", err)
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		t.Fatalf("failed to start cmd: %+v", err)
+	}
+
+	show := func(label string, reader io.ReadCloser) {
+		scanner := bufio.NewScanner(reader)
+		scanner.Split(bufio.ScanLines)
+		for scanner.Scan() {
+			t.Logf("%s: %s", label, scanner.Text())
+		}
+	}
+	go show("out", stdout)
+	go show("err", stderr)
+
+	if err := cmd.Wait(); err != nil {
+		if exiterr, ok := err.(*exec.ExitError); ok {
+			// The program has exited with an exit code != 0
+
+			// This works on both Unix and Windows. Although package
+			// syscall is generally platform dependent, WaitStatus is
+			// defined for both Unix and Windows and in both cases has
+			// an ExitStatus() method with the same signature.
+			if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
+				if status.ExitStatus() != 0 {
+					t.Fatalf("failed to generate fixture: rc=%d", status.ExitStatus())
+				}
+			}
+		} else {
+			t.Fatalf("unable to get generate fixture result: %+v", err)
+		}
+	}
+}
--- a/syft/pkg/cataloger/java/parse_java_manifest.go
+++ b/syft/pkg/cataloger/java/parse_java_manifest.go
@ -109,27 +109,71 @@ func parseJavaManifest(path string, reader io.Reader) (*pkg.JavaManifest, error)
 }

 func selectName(manifest *pkg.JavaManifest, filenameObj archiveFilename) string {
-	var name string
-	switch {
-	case filenameObj.name != "":
-		name = filenameObj.name
-	case manifest.Main["Name"] != "":
-		// Manifest original spec...
-		name = manifest.Main["Name"]
-	case manifest.Main["Bundle-Name"] != "":
-		// BND tooling...
-		name = manifest.Main["Bundle-Name"]
-	case manifest.Main["Short-Name"] != "":
-		// Jenkins...
-		name = manifest.Main["Short-Name"]
-	case manifest.Main["Extension-Name"] != "":
-		// Jenkins...
-		name = manifest.Main["Extension-Name"]
-	case manifest.Main["Implementation-Title"] != "":
-		// last ditch effort...
-		name = manifest.Main["Implementation-Title"]
+	// special case: from https://svn.apache.org/repos/asf/felix/releases/maven-bundle-plugin-1.2.0/doc/maven-bundle-plugin-bnd.html
+	// "<Bundle-SymbolicName> is assumed to be "${groupId}.${artifactId}"."
+	//
+	// documentation from https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundle-plugin-bnd.html
+	// agrees this is the default behavior:
+	//
+	// - [1] if artifact.getFile is not null and the jar contains a OSGi Manifest with Bundle-SymbolicName property then that value is returned
+	//
+	// - [2] if groupId has only one section (no dots) and artifact.getFile is not null then the first package name with classes
+	//   is returned. eg. commons-logging:commons-logging -> org.apache.commons.logging
+	//
+	// - [3] if artifactId is equal to last section of groupId then groupId is returned. eg. org.apache.maven:maven -> org.apache.maven
+	//
+	// - [4] if artifactId starts with last section of groupId that portion is removed. eg. org.apache.maven:maven-core -> org.apache.maven.core
+	//   The computed symbolic name is also stored in the $(maven-symbolicname) property in case you want to add attributes or directives to it.
+	//
+	if manifest != nil {
+		if strings.Contains(manifest.Main["Created-By"], "Apache Maven Bundle Plugin") {
+			if v := manifest.Main["Bundle-SymbolicName"]; v != "" {
+				// the problem with this approach is that we don't have a strong indication of the artifactId
+				// not having a "." in it. However, by convention it is unlikely that an artifactId would have a ".".
+				fields := strings.Split(v, ".")
+
+				// grab the last field, this is the artifactId. Note: because of [3] we do not know if this value is
+				// correct. That is, a group id of "commons-logging" may have caused BND to swap out the reference to
+				// "org.apache.commons.logging", which means we'd interpret this as an artifact id of "logging",
+				// which is not correct.
+				// [correct]         https://mvnrepository.com/artifact/commons-logging/commons-logging
+				// [still incorrect] https://mvnrepository.com/artifact/org.apache.commons.logging/org.apache.commons.logging
+				return fields[len(fields)-1]
+			}
+		}
 	}
-	return name
+
+	// the filename tends to be the next-best reference for the package name
+	if filenameObj.name != "" {
+		if strings.Contains(filenameObj.name, ".") {
+			// special case: this *might* be a group id + artifact id. By convention artifact ids do not have "." in them.
+			fields := strings.Split(filenameObj.name, ".")
+			return fields[len(fields)-1]
+		}
+		return filenameObj.name
+	}
+
+	// remaining fields in the manifest is a bit of a free-for-all depending on the build tooling used and package maintainer preferences
+	if manifest != nil {
+		switch {
+		case manifest.Main["Name"] != "":
+			// Manifest original spec...
+			return manifest.Main["Name"]
+		case manifest.Main["Bundle-Name"] != "":
+			// BND tooling... TODO: this does not seem accurate (I don't see a reference in the BND tooling docs for this)
+			return manifest.Main["Bundle-Name"]
+		case manifest.Main["Short-Name"] != "":
+			// Jenkins...
+			return manifest.Main["Short-Name"]
+		case manifest.Main["Extension-Name"] != "":
+			// Jenkins...
+			return manifest.Main["Extension-Name"]
+		case manifest.Main["Implementation-Title"] != "":
+			// last ditch effort...
+			return manifest.Main["Implementation-Title"]
+		}
+	}
+	return ""
 }

 func selectVersion(manifest *pkg.JavaManifest, filenameObj archiveFilename) string {
--- a/syft/pkg/cataloger/java/parse_java_manifest_test.go
+++ b/syft/pkg/cataloger/java/parse_java_manifest_test.go
@ -160,6 +160,44 @@ func TestSelectName(t *testing.T) {
 			archive:  newJavaArchiveFilename("/something/omg.jar"),
 			expected: "omg",
 		},
+		{
+			desc: "Use the artifact ID baked by the Apache Maven Bundle Plugin",
+			manifest: pkg.JavaManifest{
+				Main: map[string]string{
+					"Created-By":           "Apache Maven Bundle Plugin",
+					"Bundle-SymbolicName":  "com.atlassian.gadgets.atlassian-gadgets-api",
+					"Name":                 "foo",
+					"Implementation-Title": "maven-wrapper",
+				},
+			},
+			archive:  newJavaArchiveFilename("/something/omg.jar"),
+			expected: "atlassian-gadgets-api",
+		},
+		{
+			// example: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-beans@5.3.26_1
+			desc: "Apache Maven Bundle Plugin might bake a version in the created-by field",
+			manifest: pkg.JavaManifest{
+				Main: map[string]string{
+					"Created-By":           "Apache Maven Bundle Plugin 5.1.6",
+					"Bundle-SymbolicName":  "com.atlassian.gadgets.atlassian-gadgets-api",
+					"Name":                 "foo",
+					"Implementation-Title": "maven-wrapper",
+				},
+			},
+			archive:  newJavaArchiveFilename("/something/omg.jar"),
+			expected: "atlassian-gadgets-api",
+		},
+		{
+			desc: "Filename looks like a groupid + artifact id",
+			manifest: pkg.JavaManifest{
+				Main: map[string]string{
+					"Name":                 "foo",
+					"Implementation-Title": "maven-wrapper",
+				},
+			},
+			archive:  newJavaArchiveFilename("/something/com.atlassian.gadgets.atlassian-gadgets-api.jar"),
+			expected: "atlassian-gadgets-api",
+		},
 	}

 	for _, test := range tests {
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/.gitignore
@ -0,0 +1 @@
+/cache
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile
@ -0,0 +1,14 @@
+CACHE_DIR = cache
+CACHE_PATH = $(shell pwd)/cache
+
+JACKSON_CORE = jackson-core-2.15.2
+SBT_JACKSON_CORE = com.fasterxml.jackson.core.jackson-core-2.15.2
+
+$(CACHE_DIR):
+	mkdir -p $(CACHE_DIR)
+
+$(CACHE_DIR)/$(JACKSON_CORE).jar: $(CACHE_DIR)
+	cd $(JACKSON_CORE) && zip -r $(CACHE_PATH)/$(JACKSON_CORE).jar .
+
+$(CACHE_DIR)/$(SBT_JACKSON_CORE).jar: $(CACHE_DIR)
+	cd $(SBT_JACKSON_CORE) && zip -r $(CACHE_PATH)/$(SBT_JACKSON_CORE).jar .
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/README.md
@ -0,0 +1,5 @@
+# Jar-Metadata test fixtures
+
+Each directory is the name of a jar to be created (simply a zip) based on the contents of the directory.
+This prevents us from having to create real jars by hand or keep binaries in the repo. This also means we dont need the
+entire jar, only the necessary metadata for testing.
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/MANIFEST.MF
@ -0,0 +1,25 @@
+Manifest-Version: 1.0
+Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt
+Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-core
+Implementation-Vendor-Id: com.fasterxml.jackson.core
+Specification-Title: Jackson-core
+Bundle-DocURL: https://github.com/FasterXML/jackson-core
+Import-Package: com.fasterxml.jackson.core;version=...snip
+Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"
+Export-Package: com.fasterxml.jackson.core;version...snip
+Bundle-Name: Jackson-core
+Multi-Release: true
+Build-Jdk-Spec: 1.8
+Bundle-Description: Core Jackson processing abstractions
+Implementation-Title: Jackson-core
+Implementation-Version: 2.15.2
+Bundle-ManifestVersion: 2
+Specification-Vendor: FasterXML
+Bundle-Vendor: FasterXML
+Tool: Bnd-6.3.1.202206071316
+Implementation-Vendor: FasterXML
+Bundle-Version: 2.15.2
+X-Compile-Target-JDK: 1.8
+X-Compile-Source-JDK: 1.8
+Created-By: Apache Maven Bundle Plugin 5.1.8
+Specification-Version: 2.15.2
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/com.fasterxml.jackson.core.jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
@ -0,0 +1,323 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <!-- This module was also published with a richer model, Gradle metadata,  -->
+  <!-- which should be used instead. Do not delete the following line which  -->
+  <!-- is to indicate to Gradle or any Gradle module metadata file consumer  -->
+  <!-- that they should prefer consuming it instead. -->
+  <!-- do_not_remove: published-with-gradle-metadata -->
+  <modelVersion>4.0.0</modelVersion> 
+  <parent>
+    <groupId>com.fasterxml.jackson</groupId>
+    <artifactId>jackson-base</artifactId>
+    <version>2.15.2</version>
+  </parent>
+  <groupId>com.fasterxml.jackson.core</groupId>
+  <artifactId>jackson-core</artifactId>
+  <name>Jackson-core</name>
+  <version>2.15.2</version>
+  <packaging>jar</packaging>
+  <description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>
+  <licenses>
+    <license>
+      <name>The Apache Software License, Version 2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <inceptionYear>2008</inceptionYear>
+
+  <url>https://github.com/FasterXML/jackson-core</url>
+  <scm>
+    <connection>scm:git:git@github.com:FasterXML/jackson-core.git</connection>
+    <developerConnection>scm:git:git@github.com:FasterXML/jackson-core.git</developerConnection>
+    <url>https://github.com/FasterXML/jackson-core</url>
+    <tag>jackson-core-2.15.2</tag>
+  </scm>
+
+  <properties>
+    <!-- 03-May-2022: Change Java compatibility for Jackson-Core 2.14 from Java6 to Java8,
+       still use Moditect to get JDK9+ module info support; need newer bundle plugin as well
+       (can just defaults from `jackson-parent`)
+      -->
+
+    <!-- 16-Nov-2022, tatu: [core#838] Verify Android SDK compatibility.
+         Baseline compatibility:
+         * Jackson 2.13 compatible with Android SDK 19 and up
+         * Jackson 2.14 compatible with Android SDK 26 and up
+         * Jackson 2.15 compatible with Android SDK 26 and up
+      -->
+    <version.android.sdk>26</version.android.sdk>
+    <version.android.sdk.signature>0.5.1</version.android.sdk.signature>
+
+    <osgi.export>com.fasterxml.jackson.core;version=${project.version},
+com.fasterxml.jackson.core.*;version=${project.version}
+    </osgi.export>
+    <osgi.import>!ch.randelshofer.fastdoubleparser, *</osgi.import>
+
+    <!-- Generate PackageVersion.java into this directory. -->
+    <packageVersion.dir>com/fasterxml/jackson/core/json</packageVersion.dir>
+    <packageVersion.package>${project.groupId}.json</packageVersion.package>
+
+    <!-- for Reproducible Builds -->
+    <project.build.outputTimestamp>2023-05-30T22:15:40Z</project.build.outputTimestamp>
+  </properties>
+
+  <!-- Alas, need to include snapshot reference since otherwise can not find
+       snapshot of parent... -->
+  <repositories>
+    <repository>
+      <id>sonatype-nexus-snapshots</id>
+      <name>Sonatype Nexus Snapshots</name>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases><enabled>false</enabled></releases>
+      <snapshots><enabled>true</enabled></snapshots>
+    </repository>
+  </repositories>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.junit</groupId>
+        <artifactId>junit-bom</artifactId>
+        <version>5.9.2</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <build>
+
+    <plugins>
+
+      <!-- 26-Aug-2019, tatu: JaCoCo for code coverage -->
+      <plugin>
+	<groupId>org.jacoco</groupId>
+	<artifactId>jacoco-maven-plugin</artifactId>
+	<executions>
+          <execution>
+            <goals>
+              <goal>prepare-agent</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>report</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <!-- Important: enable enforcer plug-in: -->
+      <plugin>
+        <artifactId>maven-enforcer-plugin</artifactId>
+	<executions> <!-- or?  combine.children="merge"> -->
+          <execution>
+            <id>enforce-properties</id>
+	        <phase>validate</phase>
+            <goals><goal>enforce</goal></goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-site-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${version.plugin.surefire}</version>
+        <configuration>
+          <redirectTestOutputToFile>${surefire.redirectTestOutputToFile}</redirectTestOutputToFile>
+          <excludes>
+            <exclude>**/failing/**/*.java</exclude>
+          </excludes>
+<!-- 13-Apr-2018, tatu: for debugging [core#400]
+          <systemPropertyVariables>
+<com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>true</com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>
+          </systemPropertyVariables>
+-->
+        </configuration>
+      </plugin>
+      <!-- settings are fine, but needed to trigger execution! -->
+      <plugin>
+        <groupId>com.google.code.maven-replacer-plugin</groupId>
+        <artifactId>replacer</artifactId>
+      </plugin>
+
+      <!-- 04-Mar-2019, tatu: Add rudimentary JDK9+ module info. To build with JDK 8
+             will have to use `moduleInfoFile` as anything else requires JDK 9+
+        -->
+      <plugin>
+        <groupId>org.moditect</groupId>
+        <artifactId>moditect-maven-plugin</artifactId>
+      </plugin>
+      <!-- 03-Nov-2020, tatu: Add LICENSE from main level -->
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <configuration>
+          <promoteTransitiveDependencies>true</promoteTransitiveDependencies>
+          <createDependencyReducedPom>true</createDependencyReducedPom>
+          <minimizeJar>true</minimizeJar>
+        </configuration>
+        <executions>
+          <execution>
+            <id>shade-jackson-core</id>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <filters>
+                <filter>
+                  <artifact>ch.randelshofer:fastdoubleparser</artifact>
+                  <excludes>
+                    <exclude>META-INF/versions/**/module-info.*</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+              <relocations>
+                <relocation>
+                  <pattern>ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/LICENSE</pattern>
+                  <shadedPattern>META-INF/FastDoubleParser-LICENSE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/NOTICE</pattern>
+                  <shadedPattern>META-INF/FastDoubleParser-NOTICE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/jackson-core-LICENSE</pattern>
+                  <shadedPattern>META-INF/LICENSE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/jackson-core-NOTICE</pattern>
+                  <shadedPattern>META-INF/NOTICE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/11/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/11/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/17/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/17/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/19/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/19/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+              </relocations>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>de.jjohannes</groupId>
+        <artifactId>gradle-module-metadata-maven-plugin</artifactId>
+        <!-- 27-Apr-2023, tatu: [core#999]: Need to exclude shaded FDP
+           dependency from GMM
+          -->
+        <configuration>
+          <removedDependencies>
+            <dependency>
+              <groupId>ch.randelshofer</groupId>
+              <artifactId>fastdoubleparser</artifactId>
+            </dependency>
+          </removedDependencies>
+        </configuration>
+      </plugin>
+      
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifestEntries>
+              <Multi-Release>true</Multi-Release>
+            </manifestEntries>
+          </archive>
+        </configuration>
+      </plugin>
+
+      <!-- 23-Mar-2023, tatu: [core#965] Need to put back Gradle module metadata marker -->
+      <plugin>
+        <groupId>io.github.floverfelt</groupId>
+        <artifactId>find-and-replace-maven-plugin</artifactId>
+        <version>1.1.0</version>
+        <executions>
+          <execution>
+            <id>exec</id>
+            <phase>package</phase>
+            <goals>
+              <goal>find-and-replace</goal>
+            </goals>
+            <configuration>
+              <replacementType>file-contents</replacementType>
+              <baseDir>${basedir}</baseDir>
+              <findRegex><![CDATA[<modelVersion>4.0.0</modelVersion>]]></findRegex>
+              <fileMask>dependency-reduced-pom.xml</fileMask>
+              <replaceValue><![CDATA[  <!-- This module was also published with a richer model, Gradle metadata,  -->
+  <!-- which should be used instead. Do not delete the following line which  -->
+  <!-- is to indicate to Gradle or any Gradle module metadata file consumer  -->
+  <!-- that they should prefer consuming it instead. -->
+  <!-- do_not_remove: published-with-gradle-metadata -->
+  <modelVersion>4.0.0</modelVersion>]]></replaceValue>
+              <recursive>false</recursive>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <!-- 16-Nov-2022, tatu: [core#838] add verification of compatibility
+           wrt Android SDK versions using AnimalSniffer with "gummy bears" signatures.
+           To be run from CI, but manually with:
+              mvn clean package animal-sniffer:check
+        -->
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>animal-sniffer-maven-plugin</artifactId>
+        <version>1.22</version>
+        <configuration>
+          <signature>
+            <groupId>com.toasttab.android</groupId>
+            <artifactId>gummy-bears-api-${version.android.sdk}</artifactId>
+            <version>${version.android.sdk.signature}</version>
+          </signature>
+        </configuration>
+      </plugin>
+
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>ch.randelshofer</groupId>
+      <artifactId>fastdoubleparser</artifactId>
+      <version>0.9.0</version>
+    </dependency>
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>org.junit.vintage</groupId>
+      <artifactId>junit-vintage-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/MANIFEST.MF
@ -0,0 +1,25 @@
+Manifest-Version: 1.0
+Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt
+Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-core
+Implementation-Vendor-Id: com.fasterxml.jackson.core
+Specification-Title: Jackson-core
+Bundle-DocURL: https://github.com/FasterXML/jackson-core
+Import-Package: com.fasterxml.jackson.core;version=...snip
+Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"
+Export-Package: com.fasterxml.jackson.core;version...snip
+Bundle-Name: Jackson-core
+Multi-Release: true
+Build-Jdk-Spec: 1.8
+Bundle-Description: Core Jackson processing abstractions
+Implementation-Title: Jackson-core
+Implementation-Version: 2.15.2
+Bundle-ManifestVersion: 2
+Specification-Vendor: FasterXML
+Bundle-Vendor: FasterXML
+Tool: Bnd-6.3.1.202206071316
+Implementation-Vendor: FasterXML
+Bundle-Version: 2.15.2
+X-Compile-Target-JDK: 1.8
+X-Compile-Source-JDK: 1.8
+Created-By: Apache Maven Bundle Plugin 5.1.8
+Specification-Version: 2.15.2
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/jackson-core-2.15.2/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
@ -0,0 +1,323 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <!-- This module was also published with a richer model, Gradle metadata,  -->
+  <!-- which should be used instead. Do not delete the following line which  -->
+  <!-- is to indicate to Gradle or any Gradle module metadata file consumer  -->
+  <!-- that they should prefer consuming it instead. -->
+  <!-- do_not_remove: published-with-gradle-metadata -->
+  <modelVersion>4.0.0</modelVersion> 
+  <parent>
+    <groupId>com.fasterxml.jackson</groupId>
+    <artifactId>jackson-base</artifactId>
+    <version>2.15.2</version>
+  </parent>
+  <groupId>com.fasterxml.jackson.core</groupId>
+  <artifactId>jackson-core</artifactId>
+  <name>Jackson-core</name>
+  <version>2.15.2</version>
+  <packaging>jar</packaging>
+  <description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>
+  <licenses>
+    <license>
+      <name>The Apache Software License, Version 2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <inceptionYear>2008</inceptionYear>
+
+  <url>https://github.com/FasterXML/jackson-core</url>
+  <scm>
+    <connection>scm:git:git@github.com:FasterXML/jackson-core.git</connection>
+    <developerConnection>scm:git:git@github.com:FasterXML/jackson-core.git</developerConnection>
+    <url>https://github.com/FasterXML/jackson-core</url>
+    <tag>jackson-core-2.15.2</tag>
+  </scm>
+
+  <properties>
+    <!-- 03-May-2022: Change Java compatibility for Jackson-Core 2.14 from Java6 to Java8,
+       still use Moditect to get JDK9+ module info support; need newer bundle plugin as well
+       (can just defaults from `jackson-parent`)
+      -->
+
+    <!-- 16-Nov-2022, tatu: [core#838] Verify Android SDK compatibility.
+         Baseline compatibility:
+         * Jackson 2.13 compatible with Android SDK 19 and up
+         * Jackson 2.14 compatible with Android SDK 26 and up
+         * Jackson 2.15 compatible with Android SDK 26 and up
+      -->
+    <version.android.sdk>26</version.android.sdk>
+    <version.android.sdk.signature>0.5.1</version.android.sdk.signature>
+
+    <osgi.export>com.fasterxml.jackson.core;version=${project.version},
+com.fasterxml.jackson.core.*;version=${project.version}
+    </osgi.export>
+    <osgi.import>!ch.randelshofer.fastdoubleparser, *</osgi.import>
+
+    <!-- Generate PackageVersion.java into this directory. -->
+    <packageVersion.dir>com/fasterxml/jackson/core/json</packageVersion.dir>
+    <packageVersion.package>${project.groupId}.json</packageVersion.package>
+
+    <!-- for Reproducible Builds -->
+    <project.build.outputTimestamp>2023-05-30T22:15:40Z</project.build.outputTimestamp>
+  </properties>
+
+  <!-- Alas, need to include snapshot reference since otherwise can not find
+       snapshot of parent... -->
+  <repositories>
+    <repository>
+      <id>sonatype-nexus-snapshots</id>
+      <name>Sonatype Nexus Snapshots</name>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases><enabled>false</enabled></releases>
+      <snapshots><enabled>true</enabled></snapshots>
+    </repository>
+  </repositories>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.junit</groupId>
+        <artifactId>junit-bom</artifactId>
+        <version>5.9.2</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <build>
+
+    <plugins>
+
+      <!-- 26-Aug-2019, tatu: JaCoCo for code coverage -->
+      <plugin>
+	<groupId>org.jacoco</groupId>
+	<artifactId>jacoco-maven-plugin</artifactId>
+	<executions>
+          <execution>
+            <goals>
+              <goal>prepare-agent</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>report</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <!-- Important: enable enforcer plug-in: -->
+      <plugin>
+        <artifactId>maven-enforcer-plugin</artifactId>
+	<executions> <!-- or?  combine.children="merge"> -->
+          <execution>
+            <id>enforce-properties</id>
+	        <phase>validate</phase>
+            <goals><goal>enforce</goal></goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-site-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${version.plugin.surefire}</version>
+        <configuration>
+          <redirectTestOutputToFile>${surefire.redirectTestOutputToFile}</redirectTestOutputToFile>
+          <excludes>
+            <exclude>**/failing/**/*.java</exclude>
+          </excludes>
+<!-- 13-Apr-2018, tatu: for debugging [core#400]
+          <systemPropertyVariables>
+<com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>true</com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>
+          </systemPropertyVariables>
+-->
+        </configuration>
+      </plugin>
+      <!-- settings are fine, but needed to trigger execution! -->
+      <plugin>
+        <groupId>com.google.code.maven-replacer-plugin</groupId>
+        <artifactId>replacer</artifactId>
+      </plugin>
+
+      <!-- 04-Mar-2019, tatu: Add rudimentary JDK9+ module info. To build with JDK 8
+             will have to use `moduleInfoFile` as anything else requires JDK 9+
+        -->
+      <plugin>
+        <groupId>org.moditect</groupId>
+        <artifactId>moditect-maven-plugin</artifactId>
+      </plugin>
+      <!-- 03-Nov-2020, tatu: Add LICENSE from main level -->
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <configuration>
+          <promoteTransitiveDependencies>true</promoteTransitiveDependencies>
+          <createDependencyReducedPom>true</createDependencyReducedPom>
+          <minimizeJar>true</minimizeJar>
+        </configuration>
+        <executions>
+          <execution>
+            <id>shade-jackson-core</id>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <filters>
+                <filter>
+                  <artifact>ch.randelshofer:fastdoubleparser</artifact>
+                  <excludes>
+                    <exclude>META-INF/versions/**/module-info.*</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+              <relocations>
+                <relocation>
+                  <pattern>ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/LICENSE</pattern>
+                  <shadedPattern>META-INF/FastDoubleParser-LICENSE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/NOTICE</pattern>
+                  <shadedPattern>META-INF/FastDoubleParser-NOTICE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/jackson-core-LICENSE</pattern>
+                  <shadedPattern>META-INF/LICENSE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/jackson-core-NOTICE</pattern>
+                  <shadedPattern>META-INF/NOTICE</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/11/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/11/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/17/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/17/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>META-INF/versions/19/ch/randelshofer/fastdoubleparser</pattern>
+                  <shadedPattern>META-INF/versions/19/com/fasterxml/jackson/core/io/doubleparser</shadedPattern>
+                </relocation>
+              </relocations>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>de.jjohannes</groupId>
+        <artifactId>gradle-module-metadata-maven-plugin</artifactId>
+        <!-- 27-Apr-2023, tatu: [core#999]: Need to exclude shaded FDP
+           dependency from GMM
+          -->
+        <configuration>
+          <removedDependencies>
+            <dependency>
+              <groupId>ch.randelshofer</groupId>
+              <artifactId>fastdoubleparser</artifactId>
+            </dependency>
+          </removedDependencies>
+        </configuration>
+      </plugin>
+      
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifestEntries>
+              <Multi-Release>true</Multi-Release>
+            </manifestEntries>
+          </archive>
+        </configuration>
+      </plugin>
+
+      <!-- 23-Mar-2023, tatu: [core#965] Need to put back Gradle module metadata marker -->
+      <plugin>
+        <groupId>io.github.floverfelt</groupId>
+        <artifactId>find-and-replace-maven-plugin</artifactId>
+        <version>1.1.0</version>
+        <executions>
+          <execution>
+            <id>exec</id>
+            <phase>package</phase>
+            <goals>
+              <goal>find-and-replace</goal>
+            </goals>
+            <configuration>
+              <replacementType>file-contents</replacementType>
+              <baseDir>${basedir}</baseDir>
+              <findRegex><![CDATA[<modelVersion>4.0.0</modelVersion>]]></findRegex>
+              <fileMask>dependency-reduced-pom.xml</fileMask>
+              <replaceValue><![CDATA[  <!-- This module was also published with a richer model, Gradle metadata,  -->
+  <!-- which should be used instead. Do not delete the following line which  -->
+  <!-- is to indicate to Gradle or any Gradle module metadata file consumer  -->
+  <!-- that they should prefer consuming it instead. -->
+  <!-- do_not_remove: published-with-gradle-metadata -->
+  <modelVersion>4.0.0</modelVersion>]]></replaceValue>
+              <recursive>false</recursive>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <!-- 16-Nov-2022, tatu: [core#838] add verification of compatibility
+           wrt Android SDK versions using AnimalSniffer with "gummy bears" signatures.
+           To be run from CI, but manually with:
+              mvn clean package animal-sniffer:check
+        -->
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>animal-sniffer-maven-plugin</artifactId>
+        <version>1.22</version>
+        <configuration>
+          <signature>
+            <groupId>com.toasttab.android</groupId>
+            <artifactId>gummy-bears-api-${version.android.sdk}</artifactId>
+            <version>${version.android.sdk.signature}</version>
+          </signature>
+        </configuration>
+      </plugin>
+
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>ch.randelshofer</groupId>
+      <artifactId>fastdoubleparser</artifactId>
+      <version>0.9.0</version>
+    </dependency>
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>org.junit.vintage</groupId>
+      <artifactId>junit-vintage-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>