fix: improve determinism in java archive identification (#3085)

Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-17 16:33:21 +01:00 · 2024-07-30 12:02:52 -04:00 · 2024-07-30 12:02:52 -04:00 · a4b5dcd0df
commit a4b5dcd0df
parent 06526e2931
11 changed files with 85 additions and 2 deletions
--- a/go.mod
+++ b/go.mod
@ -90,6 +90,7 @@ require (
 	github.com/BurntSushi/toml v1.4.0
 	github.com/adrg/xdg v0.5.0
 	github.com/magiconair/properties v1.8.7
 	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678
 )
 require (
@ -230,7 +231,6 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.22.0 // indirect
--- a/syft/pkg/cataloger/java/archive_parser.go
+++ b/syft/pkg/cataloger/java/archive_parser.go
@ -6,8 +6,11 @@ import (
 	"fmt"
 	"os"
 	"path"
 	"slices"
 	"strings"
 	"golang.org/x/exp/maps"
 	intFile "github.com/anchore/syft/internal/file"
 	"github.com/anchore/syft/internal/licenses"
 	"github.com/anchore/syft/internal/log"
@ -298,7 +301,10 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo(ctx context.Co
 	properties, _ := pomPropertiesByParentPath(j.archivePath, j.location, pomPropertyMatches)
 	projects, _ := pomProjectByParentPath(j.archivePath, j.location, pomMatches)
-	for parentPath, propertiesObj := range properties {
+	parentPaths := maps.Keys(properties)
 	slices.Sort(parentPaths)
 	for _, parentPath := range parentPaths {
 		propertiesObj := properties[parentPath]
 		if artifactIDMatchesFilename(propertiesObj.ArtifactID, j.fileInfo.name) {
 			pomPropertiesObject = propertiesObj
 			if proj, exists := projects[parentPath]; exists {
--- a/syft/pkg/cataloger/java/archive_parser_test.go
+++ b/syft/pkg/cataloger/java/archive_parser_test.go
@ -1386,6 +1386,44 @@ func Test_parseJavaArchive_regressions(t *testing.T) {
 	}
 }
 func Test_deterministicMatchingPomProperties(t *testing.T) {
 	tests := []struct {
 		fixture         string
 		expectedName    string
 		expectedVersion string
 	}{
 		{
 			fixture:         "multiple-matching-2.11.5",
 			expectedName:    "multiple-matching-1",
 			expectedVersion: "2.11.5",
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.fixture, func(t *testing.T) {
 			fixturePath := generateJavaMetadataJarFixture(t, test.fixture)
 			for i := 0; i < 5; i++ {
 				func() {
 					fixture, err := os.Open(fixturePath)
 					require.NoError(t, err)
 					parser, cleanupFn, err := newJavaArchiveParser(file.LocationReadCloser{
 						Location:   file.NewLocation(fixture.Name()),
 						ReadCloser: fixture,
 					}, false, ArchiveCatalogerConfig{UseNetwork: false})
 					defer cleanupFn()
 					require.NoError(t, err)
 					name, version, _ := parser.guessMainPackageNameAndVersionFromPomInfo(context.TODO())
 					require.Equal(t, test.expectedName, name)
 					require.Equal(t, test.expectedVersion, version)
 				}()
 			}
 		})
 	}
 }
 func assignParent(parent *pkg.Package, childPackages ...pkg.Package) {
 	for i, jp := range childPackages {
 		if v, ok := jp.Metadata.(pkg.JavaArchive); ok {
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/Makefile
@ -6,6 +6,7 @@ SBT_JACKSON_CORE = com.fasterxml.jackson.core.jackson-core-2.15.2
 OPENSAML_CORE = opensaml-core-3.4.6
 API_ALL_SOURCES = api-all-2.0.0-sources
 SPRING_INSTRUMENTATION = spring-instrumentation-4.3.0-1.0
 MULTIPLE_MATCHING = multiple-matching-2.11.5
 $(CACHE_DIR):
 	mkdir -p $(CACHE_DIR)
@ -24,3 +25,6 @@ $(CACHE_DIR)/$(API_ALL_SOURCES).jar: $(CACHE_DIR)
 $(CACHE_DIR)/$(SPRING_INSTRUMENTATION).jar: $(CACHE_DIR)
 	cd $(SPRING_INSTRUMENTATION) && zip -r $(CACHE_PATH)/$(SPRING_INSTRUMENTATION).jar .
 $(CACHE_DIR)/$(MULTIPLE_MATCHING).jar: $(CACHE_DIR)
 	cd $(MULTIPLE_MATCHING) && zip -r $(CACHE_PATH)/$(MULTIPLE_MATCHING).jar .
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/MANIFEST.MF
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/MANIFEST.MF
@ -0,0 +1,2 @@
 Manifest-Version: 1.0
 Created-By: Multi
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-1/pom.properties
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-1/pom.properties
@ -0,0 +1,3 @@
 version=2.11.5
 groupId=org.multiple
 artifactId=multiple-matching-1
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-1/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-1/pom.xml
@ -0,0 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.multiple</groupId>
    <artifactId>multiple-matching-1</artifactId>
    <version>2.11.5</version>
 </project>
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-2/pom.properties
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-2/pom.properties
@ -0,0 +1,3 @@
 version=2.11.5
 groupId=org.multiple
 artifactId=multiple-matching-2
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-2/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-2/pom.xml
@ -0,0 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.multiple</groupId>
    <artifactId>multiple-matching-2</artifactId>
    <version>2.11.5</version>
 </project>
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-3/pom.properties
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-3/pom.properties
@ -0,0 +1,3 @@
 version=2.11.5
 groupId=org.multiple
 artifactId=multiple-matching-3
--- a/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-3/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/jar-metadata/multiple-matching-2.11.5/META-INF/maven/org.multiple/multiple-matching-3/pom.xml
@ -0,0 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.multiple</groupId>
    <artifactId>multiple-matching-3</artifactId>
    <version>2.11.5</version>
 </project>