CPEs from JVM cataloger should be declared

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
anchore · Sep 16, 2024 · caf2d62 · caf2d62
1 parent ac8f7e7
commit caf2d62
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 15 deletions.
diff --git a/syft/pkg/cataloger/java/cataloger_test.go b/syft/pkg/cataloger/java/cataloger_test.go
@@ -124,9 +124,9 @@ func TestJvmDistributionCataloger(t *testing.T) {
 				Licenses:  pkg.NewLicenseSet(),
 				Type:      pkg.BinaryPkg,
 				CPEs: []cpe.CPE{
-					cpe.Must("cpe:2.3:a:oracle:java_se:1.8.0:update411:*:*:*:*:*:*", cpe.GeneratedSource),
-					cpe.Must("cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:*:*:*:*", cpe.GeneratedSource),
-					cpe.Must("cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:*:*:*:*", cpe.GeneratedSource),
+					cpe.Must("cpe:2.3:a:oracle:java_se:1.8.0:update411:*:*:*:*:*:*", cpe.DeclaredSource),
+					cpe.Must("cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:*:*:*:*", cpe.DeclaredSource),
+					cpe.Must("cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:*:*:*:*", cpe.DeclaredSource),
 				},
 				PURL: "pkg:generic/oracle/jdk@1.8.0_411-b25",
 				Metadata: pkg.JavaVMInstallation{
@@ -156,7 +156,7 @@ func TestJvmDistributionCataloger(t *testing.T) {
 				Locations: file.NewLocationSet(file.NewLocation("jvm/openjdk/release")),
 				Licenses:  pkg.NewLicenseSet(),
 				Type:      pkg.BinaryPkg,
-				CPEs:      []cpe.CPE{cpe.Must("cpe:2.3:a:oracle:openjdk:21.0.4:*:*:*:*:*:*:*", cpe.GeneratedSource)},
+				CPEs:      []cpe.CPE{cpe.Must("cpe:2.3:a:oracle:openjdk:21.0.4:*:*:*:*:*:*:*", cpe.DeclaredSource)},
 				PURL:      "pkg:generic/oracle/openjdk@21.0.4%2B7-LTS?repository_url=https://github.com/adoptium/jdk21u.git",
 				Metadata: pkg.JavaVMInstallation{
 					Release: pkg.JavaVMRelease{

diff --git a/syft/pkg/cataloger/java/parse_jvm_release.go b/syft/pkg/cataloger/java/parse_jvm_release.go
@@ -274,7 +274,10 @@ func newJvmCpe(candidate jvmCpeInfo) *cpe.CPE {
 			Version: shortVer,
 			Update:  update,
 		},
-		Source: cpe.GeneratedSource,
+		// note: we must use a declared source here. Though we are not directly raising up raw CPEs from cataloged material,
+		// these are vastly more reliable and accurate than what would be generated from the cpe generator logic.
+		// We want these CPEs to override any generated CPEs (and in fact prevent the generation of CPEs for these packages altogether).
+		Source: cpe.DeclaredSource,
 	}
 }
 
@@ -354,6 +357,14 @@ func jvmPackageVersion(ri *pkg.JavaVMRelease) string {
 	switch {
 	case ri.JavaRuntimeVersion != "":
 		return ri.JavaRuntimeVersion
+	case ri.FullVersion != "":
+		// if the full version major version matches the java version major version, then use the full version
+		fullMajor := strings.Split(ri.FullVersion, ".")[0]
+		javaMajor := strings.Split(ri.JavaVersion, ".")[0]
+		if fullMajor == javaMajor {
+			return ri.FullVersion
+		}
+		fallthrough
 	case ri.JavaVersion != "":
 		return ri.JavaVersion
 	}

diff --git a/syft/pkg/cataloger/java/parse_jvm_release_test.go b/syft/pkg/cataloger/java/parse_jvm_release_test.go
@@ -34,7 +34,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "9.0.1",
 						Update:  "",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 				{
 					Attributes: cpe.Attributes{
@@ -44,7 +44,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "9.0.1",
 						Update:  "",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -64,7 +64,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.6.0",
 						Update:  "update322",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 				{
 					Attributes: cpe.Attributes{
@@ -74,7 +74,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.6.0",
 						Update:  "update322",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -94,7 +94,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.8.0",
 						Update:  "update322",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 				{
 					Attributes: cpe.Attributes{
@@ -104,7 +104,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.8.0",
 						Update:  "update322",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 				{
 					Attributes: cpe.Attributes{
@@ -114,7 +114,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.8.0",
 						Update:  "update322",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -133,7 +133,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "9.0.1",
 						Update:  "",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -152,7 +152,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "11.0.9",
 						Update:  "",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -171,7 +171,7 @@ func TestJvmCpes(t *testing.T) {
 						Version: "1.8.0",
 						Update:  "",
 					},
-					Source: cpe.GeneratedSource,
+					Source: cpe.DeclaredSource,
 				},
 			},
 		},
@@ -219,6 +219,15 @@ func TestJvmVersion(t *testing.T) {
 			},
 			expected: "21.0.4",
 		},
+		{
+			// there is an example of this in eclipse-temurin:8u312-b07-jdk
+			name: "FullVersion is more accurate",
+			input: &pkg.JavaVMRelease{
+				JavaVersion: "1.8.0_131",
+				FullVersion: "1.8.0_131+b08",
+			},
+			expected: "1.8.0_131+b08",
+		},
 		{
 			name:     "empty input fields",
 			input:    &pkg.JavaVMRelease{},