fix: deterministic java purls (#2170)

Previously, which PURL was generated depended on the order of key iteration in maps. Also update an integ test that was apparently only passing because of the previous issue. Signed-off-by: Will Murphy <will.murphy@anchore.com>
2026-02-12 02:26:42 +01:00 · 2023-09-25 09:28:18 -04:00 · 2023-09-25 09:28:18 -04:00 · e34adea749
commit e34adea749
parent 8314c0d2cb
3 changed files with 6 additions and 3 deletions
--- a/syft/pkg/cataloger/common/cpe/java.go
+++ b/syft/pkg/cataloger/common/cpe/java.go
@ -1,6 +1,7 @@
 package cpe

 import (
+	"sort"
 	"strings"

 	"github.com/scylladb/go-set/strset"
@ -287,6 +288,7 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
 			}
 		}
 	}
+	sort.Strings(groupIDs)

 	return groupIDs
 }
--- a/syft/pkg/cataloger/common/cpe/java_groupid_map.go
+++ b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
@ -37,6 +37,7 @@ var DefaultArtifactIDToGroupID = map[string]string{
 	"ant-weblogic":                   "org.apache.ant",
 	"ant-xz":                         "org.apache.ant",
 	"commons-codec":                  "commons-codec",
+	"commons-logging":                "commons-logging", // see e.g. https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 	"okhttp":                         "com.squareup.okhttp3",
 	"okio":                           "com.squareup.okio",
 	"spring":                         "org.springframework",
--- a/test/integration/java_purl_test.go
+++ b/test/integration/java_purl_test.go
@ -76,9 +76,9 @@ var expectedPURLs = map[string]string{
 	"commons-jexl@1.1-hudson-20090508":                "pkg:maven/org.jvnet.hudson/commons-jexl@1.1-hudson-20090508",
 	"commons-lang@2.4":                                "pkg:maven/commons-lang/commons-lang@2.4",
 	"commons-lang@2.5":                                "pkg:maven/commons-lang/commons-lang@2.5",
-	"commons-logging@1.0.4":                           "pkg:maven/org.apache.commons.logging/commons-logging@1.0.4",
-	"commons-logging@1.1":                             "pkg:maven/org.apache.commons.logging/commons-logging@1.1",
-	"commons-logging@1.1.1":                           "pkg:maven/commons-logging/commons-logging@1.1.1",
+	"commons-logging@1.0.4":                           "pkg:maven/commons-logging/commons-logging@1.0.4", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.0.4
+	"commons-logging@1.1":                             "pkg:maven/commons-logging/commons-logging@1.1",   // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1
+	"commons-logging@1.1.1":                           "pkg:maven/commons-logging/commons-logging@1.1.1", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 	"commons-pool@1.3":                                "pkg:maven/commons-pool/commons-pool@1.3",
 	"crypto-util@1.0":                                 "pkg:maven/org.jvnet.hudson/crypto-util@1.0",
 	"cvs@1.2":                                         "pkg:maven/org.jvnet.hudson.plugins/cvs@1.2",