WIP: possible improvement to group ID guessing

Signed-off-by: Will Murphy <will.murphy@anchore.com>

syft/pkg/cataloger/common/cpe/java.go

@@ -255,7 +255,7 @@ func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []stri
 	}
 
 	// try the common manifest fields first for a set of candidates
-	groupIDs := GetManifestFieldGroupIDs(manifest, PrimaryJavaManifestGroupIDFields)
+	groupIDs := GetManifestFieldGroupIDs(manifest, PrimaryJavaManifestGroupIDFields, pkgName)
 
 	if len(groupIDs) != 0 {
 		return groupIDs
@@ -266,21 +266,53 @@ func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []stri
 	// for more info see pkg:maven/commons-io/commons-io@2.8.0 within cloudbees/cloudbees-core-mm:2.263.4.2
 	// at /usr/share/jenkins/jenkins.war:WEB-INF/plugins/analysis-model-api.hpi:WEB-INF/lib/commons-io-2.8.0.jar
 	// as well as the ant package from cloudbees/cloudbees-core-mm:2.277.2.4-ra.
-	return GetManifestFieldGroupIDs(manifest, SecondaryJavaManifestGroupIDFields)
+	return GetManifestFieldGroupIDs(manifest, SecondaryJavaManifestGroupIDFields, pkgName)
 }
 
-func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (groupIDs []string) {
+func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string, packageName string) (groupIDs []string) {
 	if manifest == nil {
 		return nil
 	}
+	var sectionNames []string
+	for section := range manifest.NamedSections {
+		sectionNames = append(sectionNames, section)
+	}
+	// create prioritized list of section names
+	// prefer named sections that have the fields we want
+	sort.Slice(sectionNames, func(i, j int) bool {
+		iName := sectionNames[i]
+		jName := sectionNames[j]
+		if strings.Contains(iName, packageName) && !strings.Contains(jName, packageName) {
+			return true
+		}
+		if strings.Contains(jName, packageName) && !strings.Contains(iName, packageName) {
+			return false
+		}
+		iSec := manifest.NamedSections[sectionNames[i]]
+		jSec := manifest.NamedSections[sectionNames[j]]
+		for _, name := range fields {
+			_, iSectionHasField := iSec[name]
+			_, jSectionHasField := jSec[name]
+			if iSectionHasField && !jSectionHasField {
+				return true
+			}
+			if jSectionHasField && !iSectionHasField {
+				return false
+			}
+		}
+		return sectionNames[i] < sectionNames[j]
+	})
 
 	for _, name := range fields {
 		if value, exists := manifest.Main[name]; exists {
 			if startsWithTopLevelDomain(value) {
 				groupIDs = append(groupIDs, cleanGroupID(value))
+				//return []string{value}
 			}
 		}
-		for _, section := range manifest.NamedSections {
+		// iterating map is non-deterministic
+		for _, sName := range sectionNames {
+			section := manifest.NamedSections[sName]
 			if value, exists := section[name]; exists {
 				if startsWithTopLevelDomain(value) {
 					groupIDs = append(groupIDs, cleanGroupID(value))
@@ -288,7 +320,8 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
 			}
 		}
 	}
-	sort.Strings(groupIDs)
+	// Workaround to get rid of
+	//sort.Strings(groupIDs)
 
 	return groupIDs
 }

syft/pkg/cataloger/java/package_url.go

@@ -45,7 +45,7 @@ func groupIDFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupID
 		return groupID
 	}
 
-	if groupID = groupIDFromJavaManifest(metadata.Manifest); groupID != "" {
+	if groupID = groupIDFromJavaManifest(metadata.Manifest, pkgName); groupID != "" {
 		return groupID
 	}
 
@@ -59,18 +59,18 @@ func groupIDFromKnownPackageList(pkgName string) (groupID string) {
 	return groupID
 }
 
-func groupIDFromJavaManifest(manifest *pkg.JavaManifest) (groupID string) {
+func groupIDFromJavaManifest(manifest *pkg.JavaManifest, pkgName string) (groupID string) {
 	if manifest == nil {
 		return groupID
 	}
 
-	groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields)
+	groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields, pkgName)
 	// assumes that primaryJavaManifestNameFields are ordered by priority
 	if len(groupIDS) != 0 {
 		return groupIDS[0]
 	}
 
-	groupIDS = cpe.GetManifestFieldGroupIDs(manifest, cpe.SecondaryJavaManifestGroupIDFields)
+	groupIDS = cpe.GetManifestFieldGroupIDs(manifest, cpe.SecondaryJavaManifestGroupIDFields, pkgName)
 
 	if len(groupIDS) != 0 {
 		return groupIDS[0]

test/integration/java_purl_test.go

@@ -94,6 +94,7 @@ var expectedPURLs = map[string]string{
 	"guava@r06":                                       "pkg:maven/com.google.guava/guava@r06",
 	"httpclient@4.1.1":                                "pkg:maven/org.apache.httpcomponents/httpclient@4.1.1",
 	"httpcore@4.1":                                    "pkg:maven/org.apache.httpcomponents/httpcore@4.1",
+	// TODO: are there duplicate hudson-cli packages?
 	"hudson-cli@":                                   "pkg:maven/hudson-cli/hudson-cli",
 	"hudson-core@1.390":                             "pkg:maven/org.jvnet.hudson.main/hudson-core@1.390",
 	"hudson-war@1.390":                              "pkg:maven/org.jvnet.hudson.main/hudson-war@1.390",
@@ -103,6 +104,7 @@ var expectedPURLs = map[string]string{
 	"jcaptcha-all@1.0-RC6":                          "pkg:maven/jcaptcha-all/jcaptcha-all@1.0-RC6",
 	"jcifs@1.3.14-kohsuke-1":                        "pkg:maven/org.samba.jcifs/jcifs@1.3.14-kohsuke-1",
 	"jcommon@1.0.12":                                "pkg:maven/jfree/jcommon@1.0.12",
+	"jdom@1.1":                                      "pkg:maven/org.jdom/jdom@1.1",
 	"jfreechart@1.0.9":                              "pkg:maven/jfreechart/jfreechart@1.0.9",
 	"jinterop-proxy@1.1":                            "pkg:maven/org.kohsuke.jinterop/jinterop-proxy@1.1",
 	"jinterop-wmi@1.0":                              "pkg:maven/org.jvnet.hudson/jinterop-wmi@1.0",

test/integration/test-fixtures/image-test-java-purls/Dockerfile

@@ -1 +1,2 @@
 FROM anchore/test_images@sha256:10008791acbc5866de04108746a02a0c4029ce3a4400a9b3dad45d7f2245f9da
+RUN wget https://repo1.maven.org/maven2/org/jdom/jdom/1.1/jdom-1.1.jar