Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add pURL generation for java packages + fix NPM pURL generation #812

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 10, 2022
Merged

Add pURL generation for java packages + fix NPM pURL generation #812

merged 3 commits into from
Feb 10, 2022

Conversation

@wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Feb 10, 2022
edited
Loading

This PR enhances pURL generation in the following ways:

  • Java pURLs now cover more cases. By using the Group ID extraction logic that drives the CPE generation, and name/version extraction logic provided by the java cataloger today, we can assemble a pURL even if we are missing a pom.properties file. Note: enough parser-specific logic was needed that this is synthesized in the java cataloger package and persisted in the java.Metadata.
  • NPM pURLs never accounted for scoped packages, which the purl spec does account for: the 'namespace' is used for the scope of a scoped NPM package. So the package name @angular/animation should be split such that the pURL namespace is @angular instead of encoding the full name into the pURL package name.

Related to anchore/grype#395

@wagoodman wagoodman added the enhancement New feature or request label Feb 10, 2022
@wagoodman wagoodman requested a review from a team February 10, 2022 18:27
@github-actions
Copy link

github-actions bot commented Feb 10, 2022
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.28ms ± 0%    1.26ms ± 1%  -1.32%  (p=0.016 n=4+5)
ImagePackageCatalogers/python-package-cataloger-2            2.93ms ± 2%    2.89ms ± 0%  -1.63%  (p=0.016 n=5+4)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.01ms ± 1%    0.99ms ± 0%  -1.42%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         786µs ± 1%     768µs ± 0%  -2.19%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     911µs ± 0%     896µs ± 0%  -1.58%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      822µs ± 1%     803µs ± 0%  -2.21%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      22.8ms ± 1%    22.2ms ± 1%  -2.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.22ms ± 1%    1.20ms ± 0%  -1.61%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          1.94µs ± 0%    1.91µs ± 1%  -1.56%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               252kB ± 0%     252kB ± 0%    ~     (p=0.841 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            1.06MB ± 0%    1.06MB ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     253kB ± 0%     253kB ± 0%  -0.11%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         207kB ± 0%     207kB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     254kB ± 0%     254kB ± 0%  -0.09%  (p=0.032 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      236kB ± 0%     235kB ± 0%  -0.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      4.19MB ± 0%    4.18MB ± 0%    ~     (p=0.421 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30MB ± 0%    1.30MB ± 0%  +0.04%  (p=0.032 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            608B ± 0%      608B ± 0%    ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               6.33k ± 0%     6.33k ± 0%    ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             21.4k ± 0%     21.4k ± 0%    ~     (p=0.246 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     7.25k ± 0%     7.25k ± 0%    ~     (p=0.881 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         5.36k ± 0%     5.36k ± 0%  +0.02%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     7.10k ± 0%     7.10k ± 0%    ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      6.82k ± 0%     6.82k ± 0%    ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       86.8k ± 0%     86.8k ± 0%  +0.03%  (p=0.016 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      7.37k ± 0%     7.37k ± 0%    ~     (p=0.238 n=4+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            14.0 ± 0%      14.0 ± 0%    ~     (all equal)

@wagoodman
nit updates
271c706 
Signed-off-by: Alex Goodman <[email protected]>
kzantow
kzantow approved these changes Feb 10, 2022
View reviewed changes
Copy link
Contributor

@kzantow kzantow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM -- just not quite sure about setting maven for all java types

syft/pkg/cataloger/java/package_url.go
}

pURL := packageurl.NewPackageURL(
packageurl.TypeMaven, // TODO: should we filter down by package types here?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this always maven? ... I see the purl spec doesn't seem to have any other java types, which is probably ok

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also mixed on this.

I see the purl spec doesn't seem to have any other java types

That's what made me pause on excluding these. If we don't have a pURL for these packages, then package type extraction will be impossible. So it seems right to at least include a purl that matches the java ecosystem. (I suspect in the future this will change)

@wagoodman wagoodman merged commit ca03243 into main Feb 10, 2022
@wagoodman wagoodman deleted the add-java-purls branch February 10, 2022 18:46
spiffcs added a commit that referenced this pull request Feb 17, 2022
@spiffcs
Merge branch '510-attach-sbomb-attestation' of https://github.com/anc…
6c2fe7d 
…hore/syft into 510-attach-sbomb-attestation

* '510-attach-sbomb-attestation' of https://github.com/anchore/syft:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)
spiffcs added a commit that referenced this pull request Feb 17, 2022
@spiffcs
Merge branch 'main' into 510-attach-sbomb-attestation
4f46f92 
* main:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)

Signed-off-by: Christopher Phillips <[email protected]>
spiffcs pushed a commit that referenced this pull request Feb 18, 2022
@wagoodman @spiffcs
Add pURL generation for java packages + fix NPM pURL generation (#812)
f677d5b 
* enhance pURL generation for java packages

Signed-off-by: Alex Goodman <[email protected]>

* optionally split out npm namespaces for pURL generation

Signed-off-by: Alex Goodman <[email protected]>

* nit updates

Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@wagoodman
Add pURL generation for java packages + fix NPM pURL generation (anch…
c5bfcfb 
…ore#812)

* enhance pURL generation for java packages

Signed-off-by: Alex Goodman <[email protected]>

* optionally split out npm namespaces for pURL generation

Signed-off-by: Alex Goodman <[email protected]>

* nit updates

Signed-off-by: Alex Goodman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kzantow kzantow kzantow approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wagoodman @kzantow