Add pURL generation for java packages + fix NPM pURL generation #812
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Benchmark Test Results: benchmark results from the latest changes vs base branch
LGTM -- just not quite sure about setting maven for all java types
pURL := packageurl.NewPackageURL(
    packageurl.TypeMaven, // TODO: should we filter down by package types here?
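Review bot: the TODO on the packageurl.TypeMaven argument is left unresolved in the code as merged. Since the purl spec defines only the maven type for the Java ecosystem (the point raised in the review discussion), either replace the TODO with a comment recording that assumption so the next reader knows the choice was deliberate, or filter on the package types this cataloger actually emits, as the TODO itself asks.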
is this always maven? ... I see the purl spec doesn't seem to have any other java types, which is probably ok
I'm also mixed on this.
> I see the purl spec doesn't seem to have any other java types
That's what made me pause on excluding these. If we don't have a pURL for these packages, then package type extraction will be impossible. So it seems right to at least include a purl that matches the java ecosystem. (I suspect in the future this will change)
…hore/syft into 510-attach-sbomb-attestation
* '510-attach-sbomb-attestation' of https://github.com/anchore/syft:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)

* main:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)
  Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* enhance pURL generation for java packages
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* optionally split out npm namespaces for pURL generation
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit updates
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
  Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

…ore#812)
* enhance pURL generation for java packages
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* optionally split out npm namespaces for pURL generation
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit updates
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
This PR enhances pURL generation in the following ways:

* (Java) … pom.properties file. Note: enough parser-specific logic was needed that this is synthesized in the java cataloger package and persisted in the java.Metadata.
* (NPM) The 'namespace' is used for the scope of a scoped NPM package. So the package name @angular/animation should be split such that the pURL namespace is @angular (and the name is animation) instead of encoding the full name into the pURL package name.

Related to anchore/grype#395
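A worked example of the two rules described in this PR, added here and not taken from the syft code base: it builds npm and maven pURLs with the Go standard library only (the PR itself calls packageurl-go's NewPackageURL), splitting a scoped npm name into namespace and name and mapping a Maven groupId/artifactId onto namespace/name. The percent-encoder, helper names and sample packages are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// percentEncode keeps purl-unreserved bytes (A-Z a-z 0-9 - . _ ~) and escapes the rest, so '@' becomes %40.
func percentEncode(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-' || c == '.' || c == '_' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// buildPURL assembles pkg:<type>/<namespace>/<name>@<version>, omitting the namespace segment when empty.
func buildPURL(typ, namespace, name, version string) string {
	p := "pkg:" + typ + "/"
	if namespace != "" {
		p += percentEncode(namespace) + "/"
	}
	p += percentEncode(name)
	if version != "" {
		p += "@" + percentEncode(version)
	}
	return p
}

// NPMPackageURL splits a scoped name such as "@angular/animation" into namespace "@angular" and name "animation".
func NPMPackageURL(fullName, version string) string {
	namespace, name := "", fullName
	if idx := strings.Index(fullName, "/"); strings.HasPrefix(fullName, "@") && idx > 0 {
		namespace, name = fullName[:idx], fullName[idx+1:]
	}
	return buildPURL("npm", namespace, name, version)
}

// MavenPackageURL maps groupId (from pom.properties) to the namespace and artifactId to the name (assumed mapping).
func MavenPackageURL(groupID, artifactID, version string) string {
	return buildPURL("maven", groupID, artifactID, version)
}

func main() {
	fmt.Println(NPMPackageURL("@angular/animation", "12.3.1")) // pkg:npm/%40angular/animation@12.3.1
}
```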