allow for more flexible GHSA namespace and source extraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

grype/db/v3/namespace.go

@@ -7,6 +7,8 @@ import (
 	"github.com/anchore/grype/grype/distro"
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/internal"
+	"github.com/anchore/grype/internal/log"
+	"github.com/anchore/packageurl-go"
 	syftPkg "github.com/anchore/syft/syft/pkg"
 )
 
@@ -116,5 +118,14 @@ func githubJavaPackageNamer(p pkg.Package) []string {
 		}
 	}
 
+	if p.PURL != "" {
+		purl, err := packageurl.FromString(p.PURL)
+		if err != nil {
+			log.Warnf("unable to extract GHSA java package information from purl=%q: %+v", p.PURL, err)
+		} else {
+			names.Add(fmt.Sprintf("%s:%s", purl.Namespace, purl.Name))
+		}
+	}
+
 	return names.ToSlice()
 }

grype/db/v3/namespace_test.go

@@ -405,6 +405,31 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 			},
 			expected: []string{},
 		},
+		{
+			name: "with valid purl",
+			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
+				Name: "a-name",
+				PURL: "pkg:maven/org.anchore/b-name@0.2",
+			},
+			expected: []string{"org.anchore:b-name"},
+		},
+		{
+			name: "ignore invalid pURLs",
+			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
+				Name: "a-name",
+				PURL: "pkg:BAD/",
+				Metadata: pkg.JavaMetadata{
+					VirtualPath:   "v-path",
+					PomArtifactID: "art-id",
+					PomGroupID:    "g-id",
+				},
+			},
+			expected: []string{
+				"g-id:art-id",
+			},
+		},
 	}
 
 	for _, test := range tests {

grype/presenter/models/source.go

@@ -29,7 +29,13 @@ func newSource(src syftSource.Metadata) (source, error) {
 			Type:   "file",
 			Target: src.Path,
 		}, nil
+	case "":
+		// we may be showing results from a input source that does not support source information
+		return source{
+			Type:   "unknown",
+			Target: "unknown",
+		}, nil
 	default:
-		return source{}, fmt.Errorf("unsupported source: %T", src)
+		return source{}, fmt.Errorf("unsupported source: %q", src.Scheme)
 	}
 }