Fix: don't validate pom declared group (#2054)

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2025-11-18 17:03:17 +01:00 · 2023-08-24 13:28:40 -04:00 · 2023-08-24 13:28:40 -04:00 · faa902209e
commit faa902209e
parent 9a2a988e7f
2 changed files with 89 additions and 3 deletions
--- a/syft/pkg/cataloger/java/package_url.go
+++ b/syft/pkg/cataloger/java/package_url.go
@ -84,7 +84,7 @@ func groupIDFromPomProperties(properties *pkg.PomProperties) (groupID string) {
 		return groupID
 	}

-	if looksLikeGroupID(properties.GroupID) {
+	if properties.GroupID != "" {
 		return cleanGroupID(properties.GroupID)
 	}

@ -103,7 +103,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 	}

 	// check the project details
-	if looksLikeGroupID(project.GroupID) {
+	if project.GroupID != "" {
 		return cleanGroupID(project.GroupID)
 	}

@ -116,7 +116,7 @@ func groupIDFromPomProject(project *pkg.PomProject) (groupID string) {
 	// let's check the parent details
 	// if the current project does not have a group ID, but the parent does, we'll use the parent's group ID
 	if project.Parent != nil {
-		if looksLikeGroupID(project.Parent.GroupID) {
+		if project.Parent.GroupID != "" {
 			return cleanGroupID(project.Parent.GroupID)
 		}

--- a/syft/pkg/cataloger/java/package_url_test.go
+++ b/syft/pkg/cataloger/java/package_url_test.go
@ -10,10 +10,12 @@ import (

 func Test_packageURL(t *testing.T) {
 	tests := []struct {
+		name   string
 		pkg    pkg.Package
 		expect string
 	}{
 		{
+			name: "maven",
 			pkg: pkg.Package{
 				Name:         "example-java-app-maven",
 				Version:      "0.1.0",
@ -38,6 +40,90 @@ func Test_packageURL(t *testing.T) {
 			},
 			expect: "pkg:maven/org.anchore/example-java-app-maven@0.1.0",
 		},
+		{
+			name: "POM properties have explicit group ID without . in it",
+			pkg: pkg.Package{
+				Name:         "example-java-app-maven",
+				Version:      "0.1.0",
+				Language:     pkg.Java,
+				Type:         pkg.JavaPkg,
+				MetadataType: pkg.JavaMetadataType,
+				Metadata: pkg.JavaMetadata{
+					VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+					Manifest: &pkg.JavaManifest{
+						Main: map[string]string{
+							"Manifest-Version": "1.0",
+						},
+					},
+					PomProperties: &pkg.PomProperties{
+						Path:       "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+						GroupID:    "commons",
+						ArtifactID: "example-java-app-maven",
+						Version:    "0.1.0",
+						Extra:      make(map[string]string),
+					},
+				},
+			},
+			expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+		},
+		{
+			name: "POM project has explicit group ID without . in it",
+			pkg: pkg.Package{
+				Name:         "example-java-app-maven",
+				Version:      "0.1.0",
+				Language:     pkg.Java,
+				Type:         pkg.JavaPkg,
+				MetadataType: pkg.JavaMetadataType,
+				Metadata: pkg.JavaMetadata{
+					VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+					Manifest: &pkg.JavaManifest{
+						Main: map[string]string{
+							"Manifest-Version": "1.0",
+						},
+					},
+					PomProperties: &pkg.PomProperties{
+						Path:       "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+						ArtifactID: "example-java-app-maven",
+						Version:    "0.1.0",
+						Extra:      make(map[string]string),
+					},
+					PomProject: &pkg.PomProject{
+						GroupID: "commons",
+					},
+				},
+			},
+			expect: "pkg:maven/commons/example-java-app-maven@0.1.0",
+		},
+		{
+			name: "POM project has explicit group ID without . in it",
+			pkg: pkg.Package{
+				Name:         "example-java-app-maven",
+				Version:      "0.1.0",
+				Language:     pkg.Java,
+				Type:         pkg.JavaPkg,
+				MetadataType: pkg.JavaMetadataType,
+				Metadata: pkg.JavaMetadata{
+					VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar",
+					Manifest: &pkg.JavaManifest{
+						Main: map[string]string{
+							"Manifest-Version": "1.0",
+						},
+					},
+					PomProperties: &pkg.PomProperties{
+						Path:       "META-INF/maven/org.anchore/example-java-app-maven/pom.properties",
+						ArtifactID: "example-java-app-maven",
+						Version:    "0.1.0",
+						Extra:      make(map[string]string),
+					},
+					PomProject: &pkg.PomProject{
+						Parent: &pkg.PomParent{
+							GroupID: "parent",
+						},
+					},
+				},
+			},
+			expect: "pkg:maven/parent/example-java-app-maven@0.1.0",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.expect, func(t *testing.T) {