From 1cd81de77156ec3708b5de8a8945fd384b1290e2 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 22 Sep 2023 14:01:33 -0400
Subject: [PATCH 1/2] fix: make candidate group ID list deterministic

Otherwise, which PURL is generated depends on the order of key iteration in maps.

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/common/cpe/java.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/syft/pkg/cataloger/common/cpe/java.go b/syft/pkg/cataloger/common/cpe/java.go
index 7a1a8f7b8c3..c8bde9f7794 100644
--- a/syft/pkg/cataloger/common/cpe/java.go
+++ b/syft/pkg/cataloger/common/cpe/java.go
@@ -1,6 +1,7 @@
 package cpe

 import (
+ "sort"
 "strings"

 "github.com/scylladb/go-set/strset"
@@ -287,6 +288,7 @@ func GetManifestFieldGroupIDs(manifest *pkg.JavaManifest, fields []string) (grou
 }
 }
 }
+ sort.Strings(groupIDs)
 return groupIDs
 }

From 45f04e73136cadc0ed9c24e988a92e516c84ee4e Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 22 Sep 2023 14:10:00 -0400
Subject: [PATCH 2/2] chore: fix purl integ test

Apparently this test was only passing because of the map iteration fixed in the previous commit.

Signed-off-by: Will Murphy
---
 syft/pkg/cataloger/common/cpe/java_groupid_map.go | 1 +
 test/integration/java_purl_test.go | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/syft/pkg/cataloger/common/cpe/java_groupid_map.go b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
index ece0b004bde..634b4dce09f 100644
--- a/syft/pkg/cataloger/common/cpe/java_groupid_map.go
+++ b/syft/pkg/cataloger/common/cpe/java_groupid_map.go
@@ -37,6 +37,7 @@ var DefaultArtifactIDToGroupID = map[string]string{
 "ant-weblogic": "org.apache.ant",
 "ant-xz": "org.apache.ant",
 "commons-codec": "commons-codec",
+ "commons-logging": "commons-logging", // see e.g. https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 "okhttp": "com.squareup.okhttp3",
 "okio": "com.squareup.okio",
 "spring": "org.springframework",
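Review bot: The `sort.Strings(groupIDs)` added before the return in GetManifestFieldGroupIDs (syft/pkg/cataloger/common/cpe/java.go) makes the result repeatable, but it also replaces whatever precedence the order of the `fields` argument carried with plain lexical order, so a caller that takes the first candidate now gets the alphabetically smallest group ID rather than the one from the preferred manifest field. The chosen group ID ends up in the PURL that vulnerability matching keys on, so a stable but wrong pick is still a mis-identified package. If the nondeterminism comes only from ranging over a map inside the loop (the function body starts above this hunk, so this is inferred), sorting that map's keys at the point of iteration would keep the field precedence intact. Either way the doc comment should state the contract, e.g. `// The returned group IDs are sorted lexically; position does not indicate confidence.`, and a unit test with a manifest that yields two candidates would pin it.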
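Review bot: The new `"commons-logging": "commons-logging"` entry in DefaultArtifactIDToGroupID fixes the group ID from the artifact name alone, and nothing in this hunk shows whether the map is consulted before or after candidates read from the archive's own metadata. If it takes precedence, a repackaged or look-alike jar that merely carries the name commons-logging would be reported under the upstream coordinates in the SBOM. A comment on the map stating the lookup order would make that reviewable, for example `// consulted only when no group ID could be derived from the archive's own metadata`, if that is the actual behaviour. The map literal starts above this hunk and continues below it.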
diff --git a/test/integration/java_purl_test.go b/test/integration/java_purl_test.go
index 06c54d66d2d..15ed6dd0d63 100644
--- a/test/integration/java_purl_test.go
+++ b/test/integration/java_purl_test.go
@@ -76,9 +76,9 @@ var expectedPURLs = map[string]string{
 "commons-jexl@1.1-hudson-20090508": "pkg:maven/org.jvnet.hudson/commons-jexl@1.1-hudson-20090508",
 "commons-lang@2.4": "pkg:maven/commons-lang/commons-lang@2.4",
 "commons-lang@2.5": "pkg:maven/commons-lang/commons-lang@2.5",
- "commons-logging@1.0.4": "pkg:maven/org.apache.commons.logging/commons-logging@1.0.4",
- "commons-logging@1.1": "pkg:maven/org.apache.commons.logging/commons-logging@1.1",
- "commons-logging@1.1.1": "pkg:maven/commons-logging/commons-logging@1.1.1",
+ "commons-logging@1.0.4": "pkg:maven/commons-logging/commons-logging@1.0.4", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.0.4
+ "commons-logging@1.1": "pkg:maven/commons-logging/commons-logging@1.1", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1
+ "commons-logging@1.1.1": "pkg:maven/commons-logging/commons-logging@1.1.1", // see https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1
 "commons-pool@1.3": "pkg:maven/commons-pool/commons-pool@1.3",
 "crypto-util@1.0": "pkg:maven/org.jvnet.hudson/crypto-util@1.0",
 "cvs@1.2": "pkg:maven/org.jvnet.hudson.plugins/cvs@1.2",