bug(java): use `artifactId` and `groupId` from `purl` in `sbom` mode
DmitriyLewen opened this issue · comments
Description
`pom.xml` files can contain a `name` field. `name` is not always equal to `artifactId`.
`spdx-maven-plugin` uses the `name` field (if it exists) as the package `name` field.
So when `name` != `artifactId` - we can't correctly detect vulnerabilities for this package.

We don't have a problem with `CycloneDX`, because `cyclonedx-maven-plugin` uses `artifactId` as the component `name` field.

Maven packages must use lowercase for `artifactId` (but there is no such rule for `groupId`), but the maven purl type has no lowercase restrictions - so we can take `artifactId` and `groupId` from `purl`.

This will fix the problem with `SPDX`, and we won't see the problem with `CycloneDX` if `cyclonedx-maven-plugin` updates their logic.

Example:
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>example.groupId</groupId>
    <artifactId>example-artifactId</artifactId>
    <version>1.0.0</version>
    <name>example-name</name>
    <description>Example</description>
    <build>
        <plugins>
            <plugin>
                <groupId>org.spdx</groupId>
                <artifactId>spdx-maven-plugin</artifactId>
                <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
                <version>0.7.3</version>
                <executions>
                    <execution>
                        <id>build-spdx</id>
                        <goals>
                            <goal>createSPDX</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <excludedFilePatterns>
                        <excludedFilePattern>*.spdx</excludedFilePattern>
                    </excludedFilePatterns>
                    <!-- See documentation below for additional configuration -->
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.cyclonedx</groupId>
                <artifactId>cyclonedx-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>makeAggregateBom</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
```
SPDX package:

```json
"packages" : [ {
  "SPDXID" : "SPDXRef-gnrtd0",
  "copyrightText" : "NOASSERTION",
  "description" : "Example",
  "downloadLocation" : "NOASSERTION",
  "externalRefs" : [ {
    "referenceCategory" : "PACKAGE-MANAGER",
    "referenceLocator" : "pkg:maven/example.groupId/example-artifactId@1.0.0",
    "referenceType" : "purl"
  } ],
  "filesAnalyzed" : true,
  "licenseConcluded" : "NOASSERTION",
  "licenseDeclared" : "NOASSERTION",
  "name" : "example-name",
  "packageFileName" : "NOASSERTION",
  "packageVerificationCode" : {
    "packageVerificationCodeValue" : "da39a3ee5e6b4b0d3255bfef95601890afd80709"
  },
  "primaryPackagePurpose" : "LIBRARY",
  "summary" : "Example",
  "versionInfo" : "1.0.0"
} ],
```
CycloneDX component:

```json
"component" : {
  "group" : "example.groupId",
  "name" : "example-artifactId",
  "version" : "1.0.0",
  "description" : "Example",
  "purl" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar",
  "type" : "library",
  "bom-ref" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar"
},
```
Discussed in #6990
`spdx-gradle-plugin` doesn't have this problem.
It uses `groupId:artifactId` as `name` - https://github.com/spdx/spdx-gradle-plugin/blob/332b9cdde367c86a357bde43100d13e4c674ae6f/example.spdx.json#L474
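As an added example (not code from the Trivy project or from anyone in this thread), the following Go program shows the approach proposed in the issue: parse the maven `purl` and take `groupId`/`artifactId` from it instead of trusting the SBOM package `name`, falling back to `name` only when no purl is present. The two inputs are constructed from the SPDX package and CycloneDX component shown above; the type and function names (`SBOMPackage`, `parseMavenPurl`, `coordinates`) are my own, and the parser uses only the standard library rather than a purl library.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// MavenCoords are the coordinates that vulnerability matching keys on.
type MavenCoords struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// SBOMPackage is a minimal view of an SPDX package or CycloneDX component
// (hypothetical type; only the two fields this example needs).
type SBOMPackage struct {
	Name string // SPDX "name" / CycloneDX "name"
	PURL string // SPDX externalRefs purl / CycloneDX "purl"; empty if absent
}

// parseMavenPurl splits pkg:maven/namespace/name@version?qualifiers#subpath.
// Qualifiers such as ?type=jar and any subpath are discarded; namespace and
// name are percent-decoded, and case is preserved because the maven purl
// type imposes no lowercase rule (assumption: hand-written parser, no
// packageurl-go dependency).
func parseMavenPurl(purl string) (MavenCoords, error) {
	var c MavenCoords
	if !strings.HasPrefix(purl, "pkg:") {
		return c, errors.New("not a purl: missing pkg: scheme")
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	if i := strings.Index(rest, "#"); i >= 0 { // subpath
		rest = rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 { // qualifiers
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 { // version follows the last '@'
		v, err := url.PathUnescape(rest[i+1:])
		if err != nil {
			return c, err
		}
		c.Version = v
		rest = rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) < 3 || parts[0] != "maven" {
		return c, fmt.Errorf("not a maven purl with namespace and name: %q", purl)
	}
	groupID, err := url.PathUnescape(strings.Join(parts[1:len(parts)-1], "/"))
	if err != nil {
		return c, err
	}
	artifactID, err := url.PathUnescape(parts[len(parts)-1])
	if err != nil {
		return c, err
	}
	if groupID == "" || artifactID == "" {
		return c, fmt.Errorf("maven purl needs both groupId and artifactId: %q", purl)
	}
	c.GroupID, c.ArtifactID = groupID, artifactID
	return c, nil
}

// coordinates prefers the purl and only falls back to the name field when
// the package carries no purl. The bool reports whether the name field
// disagrees with the purl, which is exactly the SPDX case from this issue.
func coordinates(p SBOMPackage) (MavenCoords, bool, error) {
	if p.PURL == "" {
		// Fallback: accept "groupId:artifactId" (spdx-gradle-plugin style) or a bare artifactId.
		g, a, found := strings.Cut(p.Name, ":")
		if !found {
			g, a = "", p.Name
		}
		return MavenCoords{GroupID: g, ArtifactID: a}, false, nil
	}
	c, err := parseMavenPurl(p.PURL)
	if err != nil {
		return MavenCoords{}, false, err
	}
	mismatch := p.Name != c.ArtifactID && p.Name != c.GroupID+":"+c.ArtifactID
	return c, mismatch, nil
}

func main() {
	// Constructed from the SPDX package and CycloneDX component in the issue.
	samples := []SBOMPackage{
		{Name: "example-name", PURL: "pkg:maven/example.groupId/example-artifactId@1.0.0"},
		{Name: "example-artifactId", PURL: "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar"},
	}
	for _, s := range samples {
		c, mismatch, err := coordinates(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("name=%q -> %s:%s:%s (name differs from purl: %v)\n",
			s.Name, c.GroupID, c.ArtifactID, c.Version, mismatch)
	}
}
```

Running it prints the SPDX package as `example.groupId:example-artifactId:1.0.0` with the mismatch flag set, and the CycloneDX component with the same coordinates and no mismatch, which is why resolving from the purl works for both formats regardless of what either plugin writes into `name`.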
> we won't see problem with CycloneDX if cyclonedx-maven-plugin updates their logic.

I need some clarification. You said we don't have a problem with `cyclonedx-maven-plugin`, but you also said "we won't see problem with CycloneDX IF cyclonedx-maven-plugin updates their logic." Why does `cyclonedx-maven-plugin` need to update their logic?
`pom.xml` may contain `name`, `artifactId` and `groupId` fields.
There is no rule what we should use for the `component.name` field (I mean `name` or `artifactId`).
But perhaps I was too safe when I wrote this phrase 😄
I thought that `cyclonedx-maven-plugin` may follow suit of `spdx-maven-plugin` (use `name` for `component.name` and `artifactId` + `groupId` in `purl`).
But I reread the docs:

> The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery

Presence of `component.group` and the "This will often be a shortened, single name of the component" phrase are more indicative of the use of `artifactId` for `name`.
OK. You mean we won't see any problem with CycloneDX unless cyclonedx-maven-plugin updates its logic.
right 👍