fix: deterministic java purls (#2170)

Previously, which PURL was generated depended on the order of key iteration in maps. Also update an integ test that was apparently only passing because of the previous issue. Signed-off-by: Will Murphy <[email protected]>
anchore · Sep 25, 2023 · e34adea · e34adea
1 parent 8314c0d
commit e34adea
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/syft/pkg/cataloger/common/cpe/java.go b/syft/pkg/cataloger/common/cpe/java.go
@@ -1,6 +1,7 @@
 package cpe
 
 import (
+	"sort"
 	"strings"
 
 	"github.com/scylladb/go-set/strset"
@@ -287,6 +288,7 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
 			}
 		}
 	}
+	sort.Strings(groupIDs)
 
 	return groupIDs
 }

diff --git a/syft/pkg/cataloger/common/cpe/java_groupid_map.go b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
@@ -37,6 +37,7 @@ var DefaultArtifactIDToGroupID = map[string]string{
 	"ant-weblogic":                   "org.apache.ant",
 	"ant-xz":                         "org.apache.ant",
 	"commons-codec":                  "commons-codec",
+	"commons-logging":                "commons-logging", // see e.g. https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 	"okhttp":                         "com.squareup.okhttp3",
 	"okio":                           "com.squareup.okio",
 	"spring":                         "org.springframework",

diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go
@@ -76,9 +76,9 @@ var expectedPURLs = map[string]string{
 	"[email protected]":                "pkg:maven/org.jvnet.hudson/[email protected]",
 	"[email protected]":                                "pkg:maven/commons-lang/[email protected]",
 	"[email protected]":                                "pkg:maven/commons-lang/[email protected]",
-	"[email protected]":                           "pkg:maven/org.apache.commons.logging/[email protected]",
-	"[email protected]":                             "pkg:maven/org.apache.commons.logging/[email protected]",
-	"[email protected]":                           "pkg:maven/commons-logging/[email protected]",
+	"[email protected]":                           "pkg:maven/commons-logging/[email protected]", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.0.4
+	"[email protected]":                             "pkg:maven/commons-logging/[email protected]",   // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1
+	"[email protected]":                           "pkg:maven/commons-logging/[email protected]", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 	"[email protected]":                                "pkg:maven/commons-pool/[email protected]",
 	"[email protected]":                                 "pkg:maven/org.jvnet.hudson/[email protected]",
 	"[email protected]":                                         "pkg:maven/org.jvnet.hudson.plugins/[email protected]",