From b56d9efd0ca34a6c3f807856a9ed6507ebb2a6c0 Mon Sep 17 00:00:00 2001
From: William Murphy
Date: Mon, 25 Sep 2023 09:28:18 -0400
Subject: [PATCH] fix: deterministic java purls (#2170)
Previously, which PURL was generated depended on the order of key iteration in maps. Also update an integ test that was apparently only passing because of the previous issue.
Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/common/cpe/java.go | 2 ++
 syft/pkg/cataloger/common/cpe/java_groupid_map.go | 1 +
 test/integration/java_purl_test.go | 6 +++---
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/syft/pkg/cataloger/common/cpe/java.go b/syft/pkg/cataloger/common/cpe/java.go
index 7a1a8f7b8c3..c8bde9f7794 100644
--- a/syft/pkg/cataloger/common/cpe/java.go
+++ b/syft/pkg/cataloger/common/cpe/java.go
@@ -1,6 +1,7 @@
 package cpe
 import (
+ "sort"
 "strings"
 "github.com/scylladb/go-set/strset"
@@ -287,6 +288,7 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
 }
 }
 }
+ sort.Strings(groupIDs)
 return groupIDs
 }
diff --git a/syft/pkg/cataloger/common/cpe/java_groupid_map.go b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
index ece0b004bde..634b4dce09f 100644
--- a/syft/pkg/cataloger/common/cpe/java_groupid_map.go
+++ b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
@@ -37,6 +37,7 @@ var DefaultArtifactIDToGroupID = map[string]string{
 "ant-weblogic": "org.apache.ant",
 "ant-xz": "org.apache.ant",
 "commons-codec": "commons-codec",
+ "commons-logging": "commons-logging", // see e.g. https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 "okhttp": "com.squareup.okhttp3",
 "okio": "com.squareup.okio",
 "spring": "org.springframework",
diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go
index 06c54d66d2d..15ed6dd0d63 100644
--- a/test/integration/java_purl_test.go
+++ b/test/integration/java_purl_test.go
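Review bot: `sort.Strings(groupIDs)` at the end of GetManifestFieldGroupIDs (syft/pkg/cataloger/common/cpe/java.go, hunk at -287) makes the result stable, but alphabetical order says nothing about which candidate is the right Maven groupId. If a caller takes the first element (not visible in this hunk), the PURL would be reproducible yet could still be wrong. PURLs in an SBOM are what vulnerability matchers key on, so a wrong groupId can hide or misattribute findings; the commons-logging override added in java_groupid_map.go looks like a patch for one such case. I would add a comment on the new line, for example `// sorted only for determinism (map iteration order is random); order does not rank candidates`, and add a unit test that asserts a fixed result for a manifest with several candidate fields. The function body starts outside the hunk, so whether groupIDs can hold duplicates before the sort cannot be checked from here.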
@@ -76,9 +76,9 @@ var expectedPURLs = map[string]string{
 "commons-jexl@1.1-hudson-20090508": "pkg:maven/org.jvnet.hudson/commons-jexl@1.1-hudson-20090508",
 "commons-lang@2.4": "pkg:maven/commons-lang/commons-lang@2.4",
 "commons-lang@2.5": "pkg:maven/commons-lang/commons-lang@2.5",
- "commons-logging@1.0.4": "pkg:maven/org.apache.commons.logging/commons-logging@1.0.4",
- "commons-logging@1.1": "pkg:maven/org.apache.commons.logging/commons-logging@1.1",
- "commons-logging@1.1.1": "pkg:maven/commons-logging/commons-logging@1.1.1",
+ "commons-logging@1.0.4": "pkg:maven/commons-logging/commons-logging@1.0.4", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.0.4
+ "commons-logging@1.1": "pkg:maven/commons-logging/commons-logging@1.1", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1
+ "commons-logging@1.1.1": "pkg:maven/commons-logging/commons-logging@1.1.1", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 "commons-pool@1.3": "pkg:maven/commons-pool/commons-pool@1.3",
 "crypto-util@1.0": "pkg:maven/org.jvnet.hudson/crypto-util@1.0",
 "cvs@1.2": "pkg:maven/org.jvnet.hudson.plugins/cvs@1.2",