aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Home Page:https://aquasecurity.github.io/trivy

bug(java): use `artifactId` and `groupId` from `purl` in `sbom` mode

DmitriyLewen opened this issue · comments

Description

pom.xml files can contain a `name` field.
`name` is not always equal to `artifactId`.

spdx-maven-plugin uses the `name` field (if it exists) as the package `name` field.
So when `name` != `artifactId`, we can't correctly detect vulnerabilities for this package.

We don't have this problem with CycloneDX, because cyclonedx-maven-plugin uses `artifactId` as the component `name` field.

Maven packages must use lowercase for `artifactId` (but there is no such rule for `groupId`), while the maven purl type has no lowercase restrictions, so we can take `artifactId` and `groupId` from the purl.
This will fix the problem with SPDX, and we won't see the problem with CycloneDX if cyclonedx-maven-plugin updates its logic.

Example:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>example.groupId</groupId>
    <artifactId>example-artifactId</artifactId>
    <version>1.0.0</version>

    <name>example-name</name>
    <description>Example</description>


    <build>
        <plugins>
            <plugin>
                <groupId>org.spdx</groupId>
                <artifactId>spdx-maven-plugin</artifactId>
                <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
                <version>0.7.3</version>
                <executions>
                    <execution>
                        <id>build-spdx</id>
                        <goals>
                            <goal>createSPDX</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                  <excludedFilePatterns>
                    <excludedFilePattern>*.spdx</excludedFilePattern>
                  </excludedFilePatterns>
                  <!-- See documentation below for additional configuration -->
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.cyclonedx</groupId>
                <artifactId>cyclonedx-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>makeAggregateBom</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>

SPDX package:

  "packages" : [ {
    "SPDXID" : "SPDXRef-gnrtd0",
    "copyrightText" : "NOASSERTION",
    "description" : "Example",
    "downloadLocation" : "NOASSERTION",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/example.groupId/example-artifactId@1.0.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : true,
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "NOASSERTION",
    "name" : "example-name",
    "packageFileName" : "NOASSERTION",
    "packageVerificationCode" : {
      "packageVerificationCodeValue" : "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    },
    "primaryPackagePurpose" : "LIBRARY",
    "summary" : "Example",
    "versionInfo" : "1.0.0"
  } ], 

CycloneDX component:

    "component" : {
      "group" : "example.groupId",
      "name" : "example-artifactId",
      "version" : "1.0.0",
      "description" : "Example",
      "purl" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar"
    },   

Discussed in #6990
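The purl-first lookup this issue proposes, as an added Go example that is not Trivy's own code: it parses the Maven purl from an SPDX package's externalRefs (the JSON above, trimmed) and ignores the SPDX name, so `example-name` no longer masks `example-artifactId`; the CycloneDX `?type=jar` qualifier is dropped the same way. The function names, the percent-decoding of each coordinate, and the constructed JSON used to exercise it are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

type MavenCoords struct{ GroupID, ArtifactID, Version string } // what a vulnerability lookup keys on

// ParseMavenPURL reads groupId, artifactId and version from a purl such as
// pkg:maven/example.groupId/example-artifactId@1.0.0?type=jar, dropping qualifiers and
// subpath and percent-decoding each coordinate as the purl spec requires.
func ParseMavenPURL(purl string) (MavenCoords, error) {
	rest, _, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:maven/"), "#") // subpath never identifies a package
	rest, _, _ = strings.Cut(rest, "?")                                    // nor do qualifiers such as type=jar
	at, slash := strings.LastIndex(rest, "@"), strings.LastIndex(rest, "/") // version follows the last raw '@'
	if !strings.HasPrefix(purl, "pkg:maven/") || at < 0 || slash < 0 || slash > at {
		return MavenCoords{}, fmt.Errorf("malformed maven purl %q", purl)
	}
	parts := []string{rest[:slash], rest[slash+1 : at], rest[at+1:]}
	for i, p := range parts {
		dec, err := url.PathUnescape(p) // e.g. my%40lib -> my@lib; encoded '@' never splits the version
		if err != nil || dec == "" {
			return MavenCoords{}, fmt.Errorf("bad coordinate %q in purl %q", p, purl)
		}
		parts[i] = dec
	}
	return MavenCoords{parts[0], parts[1], parts[2]}, nil
}

// CoordsFromSPDX prefers the purl externalRef over the SPDX name, which
// spdx-maven-plugin fills from <name> rather than <artifactId>.
func CoordsFromSPDX(raw []byte) (MavenCoords, error) {
	var pkg struct { // encoding/json matches "name"/"externalRefs"/... to these fields case-insensitively
		Name         string
		ExternalRefs []struct{ ReferenceType, ReferenceLocator string }
	}
	if err := json.Unmarshal(raw, &pkg); err != nil {
		return MavenCoords{}, err
	}
	for _, ref := range pkg.ExternalRefs {
		if ref.ReferenceType == "purl" {
			return ParseMavenPURL(ref.ReferenceLocator)
		}
	}
	return MavenCoords{}, fmt.Errorf("package %q has no purl to identify it", pkg.Name)
}
```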

spdx-gradle-plugin doesn't have this problem.
It uses groupId:artifactId as the name - https://github.com/spdx/spdx-gradle-plugin/blob/332b9cdde367c86a357bde43100d13e4c674ae6f/example.spdx.json#L474

we won't see problem with CycloneDX if cyclonedx-maven-plugin updates their logic.

I need some clarification. You said we don't have a problem with cyclonedx-maven-plugin, but you also said "we won't see problem with CycloneDX IF cyclonedx-maven-plugin updates their logic." Why does cyclonedx-maven-plugin need to update their logic?

pom.xml may contain name, artifactId and groupId fields.
There is no rule for what we should use for the component.name field (I mean name or artifactId).

But perhaps I was too safe when I wrote this phrase 😄
I thought that cyclonedx-maven-plugin may follow suit of spdx-maven-plugin (use name for component.name and artifactId + groupId in purl).

But I reread the docs: "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery".
The presence of component.group and the phrase "This will often be a shortened, single name of the component" are more indicative of using artifactId for name.

OK. You mean we won't see any problem with CycloneDX unless cyclonedx-maven-plugin updates its logic.

right 👍