oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

WIP: possible improvement to group ID guessing

Browse Source 
Signed-off-by: Will Murphy <will.murphy@anchore.com>
This commit is contained in:
Will Murphy 2023-09-27 17:24:08 -04:00
parent 44e5480238
commit 1217ed2307
4 changed files with 145 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
syft/pkg/cataloger/common/cpe/java.go
View File

@ -255,7 +255,7 @@ func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []stri
}
// try the common manifest fields first for a set of candidates
groupIDs := GetManifestFieldGroupIDs(manifest, PrimaryJavaManifestGroupIDFields)
groupIDs := GetManifestFieldGroupIDs(manifest, PrimaryJavaManifestGroupIDFields, pkgName)
if len(groupIDs) != 0 {
return groupIDs
@ -266,21 +266,53 @@ func groupIDsFromJavaManifest(pkgName string, manifest *pkg.JavaManifest) []stri
// for more info see pkg:maven/commons-io/commons-io@2.8.0 within cloudbees/cloudbees-core-mm:2.263.4.2
// at /usr/share/jenkins/jenkins.war:WEB-INF/plugins/analysis-model-api.hpi:WEB-INF/lib/commons-io-2.8.0.jar
// as well as the ant package from cloudbees/cloudbees-core-mm:2.277.2.4-ra.
return GetManifestFieldGroupIDs(manifest, SecondaryJavaManifestGroupIDFields)
return GetManifestFieldGroupIDs(manifest, SecondaryJavaManifestGroupIDFields, pkgName)
}
func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (groupIDs []string) {
func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string, packageName string) (groupIDs []string) {
if manifest == nil {
return nil
}
var sectionNames []string
for section := range manifest.NamedSections {
sectionNames = append(sectionNames, section)
}
// create prioritized list of section names
// prefer named sections that have the fields we want
sort.Slice(sectionNames, func(i, j int) bool {
iName := sectionNames[i]
jName := sectionNames[j]
if strings.Contains(iName, packageName) && !strings.Contains(jName, packageName) {
return true
}
if strings.Contains(jName, packageName) && !strings.Contains(iName, packageName) {
return false
}
iSec := manifest.NamedSections[sectionNames[i]]
jSec := manifest.NamedSections[sectionNames[j]]
for _, name := range fields {
_, iSectionHasField := iSec[name]
_, jSectionHasField := jSec[name]
if iSectionHasField && !jSectionHasField {
return true
}
if jSectionHasField && !iSectionHasField {
return false
}
}
return sectionNames[i] < sectionNames[j]
})
for _, name := range fields {
if value, exists := manifest.Main[name]; exists {
if startsWithTopLevelDomain(value) {
groupIDs = append(groupIDs, cleanGroupID(value))
//return []string{value}
}
}
for _, section := range manifest.NamedSections {
// iterating map is non-deterministic
for _, sName := range sectionNames {
section := manifest.NamedSections[sName]
if value, exists := section[name]; exists {
if startsWithTopLevelDomain(value) {
groupIDs = append(groupIDs, cleanGroupID(value))
@ -288,7 +320,8 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
}
}
}
sort.Strings(groupIDs)
// Workaround to get rid of
//sort.Strings(groupIDs)
return groupIDs
}

8
syft/pkg/cataloger/java/package_url.go
View File

@ -45,7 +45,7 @@ func groupIDFromJavaMetadata(pkgName string, metadata pkg.JavaMetadata) (groupID
return groupID
}
if groupID = groupIDFromJavaManifest(metadata.Manifest); groupID != "" {
if groupID = groupIDFromJavaManifest(metadata.Manifest, pkgName); groupID != "" {
return groupID
}
@ -59,18 +59,18 @@ func groupIDFromKnownPackageList(pkgName string) (groupID string) {
return groupID
}
func groupIDFromJavaManifest(manifest *pkg.JavaManifest) (groupID string) {
func groupIDFromJavaManifest(manifest *pkg.JavaManifest, pkgName string) (groupID string) {
if manifest == nil {
return groupID
}
groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields)
groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields, pkgName)
// assumes that primaryJavaManifestNameFields are ordered by priority
if len(groupIDS) != 0 {
return groupIDS[0]
}
groupIDS = cpe.GetManifestFieldGroupIDs(manifest, cpe.SecondaryJavaManifestGroupIDFields)
groupIDS = cpe.GetManifestFieldGroupIDs(manifest, cpe.SecondaryJavaManifestGroupIDFields, pkgName)
if len(groupIDS) != 0 {
return groupIDS[0]

2
test/integration/java_purl_test.go
View File

@ -94,6 +94,7 @@ var expectedPURLs = map[string]string{
"guava@r06": "pkg:maven/com.google.guava/guava@r06",
"httpclient@4.1.1": "pkg:maven/org.apache.httpcomponents/httpclient@4.1.1",
"httpcore@4.1": "pkg:maven/org.apache.httpcomponents/httpcore@4.1",
// TODO: are there duplicate hudson-cli packages?
"hudson-cli@": "pkg:maven/hudson-cli/hudson-cli",
"hudson-core@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-core@1.390",
"hudson-war@1.390": "pkg:maven/org.jvnet.hudson.main/hudson-war@1.390",
@ -103,6 +104,7 @@ var expectedPURLs = map[string]string{
"jcaptcha-all@1.0-RC6": "pkg:maven/jcaptcha-all/jcaptcha-all@1.0-RC6",
"jcifs@1.3.14-kohsuke-1": "pkg:maven/org.samba.jcifs/jcifs@1.3.14-kohsuke-1",
"jcommon@1.0.12": "pkg:maven/jfree/jcommon@1.0.12",
"jdom@1.1": "pkg:maven/org.jdom/jdom@1.1",
"jfreechart@1.0.9": "pkg:maven/jfreechart/jfreechart@1.0.9",
"jinterop-proxy@1.1": "pkg:maven/org.kohsuke.jinterop/jinterop-proxy@1.1",
"jinterop-wmi@1.0": "pkg:maven/org.jvnet.hudson/jinterop-wmi@1.0",

1
test/integration/test-fixtures/image-test-java-purls/Dockerfile
View File

@ -1 +1,2 @@
FROM anchore/test_images@sha256:10008791acbc5866de04108746a02a0c4029ce3a4400a9b3dad45d7f2245f9da
RUN wget https://repo1.maven.org/maven2/org/jdom/jdom/1.1/jdom-1.1.jar