

fix(sbom): use PURL or Group and Name in case of Java (#5154)
j1nka authored Oct 3, 2023
1 parent 76eb8a5 commit 393bfdc
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions pkg/sbom/cyclonedx/unmarshal.go
Expand Up @@ -345,7 +345,7 @@ func toPackage(component cdx.Component) (bool, ftypes.TargetType, *ftypes.Packag
pkg := p.Package()
// Trivy's marshall loses case-sensitivity in PURL used in SBOM for packages (Go, Npm, PyPI),
// so we have to use an original package name
pkg.Name = getPackageName(p.Type, component)
pkg.Name = getPackageName(p.Type, pkg.Name, component)
pkg.Ref = component.BOMRef

for _, license := range lo.FromPtr(component.Licenses) {
Expand Down Expand Up @@ -407,10 +407,15 @@ func toTrivyCdxComponent(component cdx.Component) ftypes.Component {
}
}

func getPackageName(typ string, component cdx.Component) string {
// Jar uses `Group` field for `GroupID`
if typ == packageurl.TypeMaven && component.Group != "" {
return fmt.Sprintf("%s:%s", component.Group, component.Name)
func getPackageName(typ, pkgNameFromPurl string, component cdx.Component) string {
if typ == packageurl.TypeMaven {
// Jar uses `Group` field for `GroupID`
if component.Group != "" {
return fmt.Sprintf("%s:%s", component.Group, component.Name)
} else {
// use name derived from purl if `Group` doesn't exist
return pkgNameFromPurl
}
}
return component.Name
}
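Review bot: The Maven branch's new fallback `return pkgNameFromPurl` hands back an empty package name whenever the PURL-derived name is empty, whereas the previous code fell through to `component.Name` in that case; unless the caller guarantees `pkg.Name` is never empty here, guard the fallback — `if pkgNameFromPurl != "" {` / `return pkgNameFromPurl` / `}` — and let the function fall through to the final `return component.Name`. That rewrite also removes the `else` after a terminating `return`, which staticcheck/revive flag as non-idiomatic. A doc comment on `getPackageName` stating the precedence (`Group:Name` when Group is set, otherwise the PURL-derived name, and `component.Name` for non-Maven types) would help, since the only comment in the first hunk explains the case-sensitivity motivation rather than the lookup order. The caller `toPackage` in the first hunk starts outside the shown lines, so whether `pkg.Name` can be empty there is not visible in this diff.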
