
Source pom.xml cataloger Namespace error #1075

Closed
vtky opened this issue Jun 29, 2022 · 2 comments · Fixed by #1078
Labels
bug Something isn't working

Comments


vtky commented Jun 29, 2022

What happened:
The source pom.xml cataloger in #1055 does not properly parse the namespace for a dependency.

Given the following in a pom.xml

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.26</version>
    </dependency>

This is the output from Syft:

"purl": "pkg:maven/mysql-connector-java/mysql-connector-java@5.1.42"

What you expected to happen:

The output should be

"purl": "pkg:maven/mysql/mysql-connector-java@5.1.42"

How to reproduce it (as minimally and precisely as possible):

Copy the following snippet into a pom.xml and run Syft.

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.26</version>
    </dependency>

This is another example:

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.3</version>
        <scope>provided</scope>
    </dependency>

Anything else we need to know?:

N/A

Environment:

  • Output of syft version: 0.49.0
  • OS (e.g: cat /etc/os-release or similar): macOS
@vtky vtky added the bug Something isn't working label Jun 29, 2022
@cpendery
Contributor

I'll tap the team here to provide some clarity on whether this is a bug or not. Basically, in the example above, the group ids are listed as javax.servlet or mysql. Syft filters out any groupIDs that aren't prefixed with "com", "org", "net", "io", "be", done here.

Are the proposed purls from the OP valid? If so, we need to change the way the purl is generated. If not, my PR fixes an issue related to this post, but the actual issue isn't valid.
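
As an added illustration of the filtering described in the comment above (example code written for this page, not Syft's own source), the snippet below parses the two `<dependency>` elements quoted in the issue and builds the purl both with and without the prefix allow-list. The exact prefix list and the fallback to the artifactId as namespace are assumptions reconstructed from the comment and from the output quoted in the report.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Dependency mirrors one <dependency> element of a pom.xml.
type Dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// ParseDependencies collects every <dependencies><dependency> in a pom.xml.
func ParseDependencies(pom string) ([]Dependency, error) {
	var p struct{ Deps []Dependency `xml:"dependencies>dependency"` }
	err := xml.Unmarshal([]byte(pom), &p)
	return p.Deps, err
}
// Prefix allow-list as the thread describes it (assumption: reconstructed from the comment, not Syft's source).
var acceptedPrefixes = []string{"com", "org", "net", "io", "be"}
func groupIDAccepted(groupID string) bool {
	for _, p := range acceptedPrefixes {
		if strings.HasPrefix(groupID, p) {
			return true
		}
	}
	return false
}

// PURL builds pkg:maven/<namespace>/<name>@<version>. filter=true replaces a groupId that fails
// the prefix check with the artifactId (what the issue's output shows); filter=false keeps it (the fix).
func PURL(d Dependency, filter bool) string {
	ns := d.GroupID
	if filter && !groupIDAccepted(ns) {
		ns = d.ArtifactID
	}
	return fmt.Sprintf("pkg:maven/%s/%s@%s", ns, d.ArtifactID, d.Version)
}
func main() {
	// Constructed pom.xml carrying the two dependencies quoted in the issue.
	pom := `<project><dependencies><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.26</version></dependency>` +
		`<dependency><groupId>javax.servlet</groupId><artifactId>servlet-api</artifactId><version>2.3</version></dependency></dependencies></project>`
	deps, _ := ParseDependencies(pom)
	for _, d := range deps {
		fmt.Println(PURL(d, true), "->", PURL(d, false))
	}
}
```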

@spiffcs
Contributor

spiffcs commented Jun 30, 2022

Thanks for the fix @cpendery - I don't think we should be filtering the groupIDs in this case, so I accepted the fix to give more flexibility to the PURL generation so we can match on cases where packages might not follow the specification 100%.

@wagoodman if this seems incorrect and we included those filters for a reason I cannot remember or was not here for, feel free to comment here and I can revert the patch.
