From 393bfdc1ac6307a0260fa4fe5919e7ea3de35928 Mon Sep 17 00:00:00 2001 From: j1nka Date: Tue, 3 Oct 2023 14:06:27 +0300 Subject: [PATCH] fix(sbom): use PURL or Group and Name in case of Java (#5154) --- pkg/sbom/cyclonedx/unmarshal.go | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go index 8de031e053f5..d8837980bd0b 100644 --- a/pkg/sbom/cyclonedx/unmarshal.go +++ b/pkg/sbom/cyclonedx/unmarshal.go @@ -345,7 +345,7 @@ func toPackage(component cdx.Component) (bool, ftypes.TargetType, *ftypes.Packag pkg := p.Package() // Trivy's marshall loses case-sensitivity in PURL used in SBOM for packages (Go, Npm, PyPI), // so we have to use an original package name - pkg.Name = getPackageName(p.Type, component) + pkg.Name = getPackageName(p.Type, pkg.Name, component) pkg.Ref = component.BOMRef for _, license := range lo.FromPtr(component.Licenses) { @@ -407,10 +407,15 @@ func toTrivyCdxComponent(component cdx.Component) ftypes.Component { } } -func getPackageName(typ string, component cdx.Component) string { - // Jar uses `Group` field for `GroupID` - if typ == packageurl.TypeMaven && component.Group != "" { - return fmt.Sprintf("%s:%s", component.Group, component.Name) +func getPackageName(typ, pkgNameFromPurl string, component cdx.Component) string { + if typ == packageurl.TypeMaven { + // Jar uses `Group` field for `GroupID` + if component.Group != "" { + return fmt.Sprintf("%s:%s", component.Group, component.Name) + } else { + // use name derived from purl if `Group` doesn't exist + return pkgNameFromPurl + } } return component.Name }