I'll tap the team here to provide some clarity on if this is a bug or not. Basically, in the example above, the group ids are listed as javax.servlet or mysql. Syft filters out any groupIDs that aren't prefixed with "com","org","net","io","be", done here.
Are the proposed purls from the OP valid? If so, we need to change the way the purl is generated. If not, my PR fixes an issue related to this post, but the actual issue isn't valid.
Thanks for the fix @cpendery - I don't think we should be filtering the groupIDs in this case so accepted the fix to give more flexibility to the PURL generation so we can match on cases where packages might not follow the specification 100%.
@wagoodman if this seems incorrect and we included those filters for a reason I cannot remember or was not here for feel free to comment here and I can revert the patch.
What happened:
The source pom.xml cataloger in #1055 does not properly parse the namespace for a dependency.
Given the following in a pom.xml
This is the output by Syft
What you expected to happen:
The output should be
How to reproduce it (as minimally and precisely as possible):
Copy following snippet into a pom.xml and run Syft.
This is another example
Anything else we need to know?:
N/A
Environment:
syft version: 0.49.0
OS (cat /etc/os-release or similar): macOS
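The effect discussed in this thread, as an added Go example that is not Syft's code or the reporter's snippet: a Maven purl has the form `pkg:maven/<groupId>/<artifactId>@<version>`, so dropping a groupId that lacks one of the quoted prefixes yields a purl with no namespace. The function names, artifact names and versions are constructed for illustration; only the groupIds `javax.servlet` and `mysql` and the prefix list come from the comments above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Prefix list quoted in the thread.
var allowedPrefixes = []string{"com", "org", "net", "io", "be"}

// mavenPURL builds pkg:maven/<groupId>/<artifactId>@<version>.
// The namespace segment is omitted when groupID is empty.
func mavenPURL(groupID, artifactID, version string) string {
	var b strings.Builder
	b.WriteString("pkg:maven/")
	if groupID != "" {
		b.WriteString(url.PathEscape(groupID) + "/")
	}
	b.WriteString(url.PathEscape(artifactID))
	if version != "" {
		b.WriteString("@" + url.PathEscape(version))
	}
	return b.String()
}

// filteredGroupID is a hypothetical model of the described filter:
// a groupId that starts with none of the allowed prefixes is dropped.
func filteredGroupID(groupID string) string {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(groupID, p) {
			return groupID
		}
	}
	return ""
}

func main() {
	// Constructed dependencies; artifact names and versions are placeholders.
	deps := [][3]string{
		{"javax.servlet", "example-api", "1.0.0"},
		{"mysql", "example-driver", "1.0.0"},
		{"org.example", "example-lib", "1.0.0"},
	}
	for _, d := range deps {
		fmt.Println("filtered:  ", mavenPURL(filteredGroupID(d[0]), d[1], d[2]))
		fmt.Println("unfiltered:", mavenPURL(d[0], d[1], d[2]))
	}
}
```

A purl without its namespace no longer identifies the same Maven coordinate, so any matching keyed on the full purl will miss the package.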