Handle identified JAR Packages from pkg:osgi/ and pkg:jar/ to pkg:maven/

[chinyeungli]

Certain jar packages are identified as pkg:osgi/ or pkg:jar/ instead of pkg:maven/.

For example:

• purl: pkg:osgi/[email protected]
  name: org.eclipse.sisu.plexus-0.3.5.jar
  download_url: https://repo1.maven.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.jar

• purl: pkg:jar/[email protected]
  name: spring-aop-6.0.18.jar
  download_url: https://repo1.maven.org/maven2/org/springframework/spring-aop/6.0.18/spring-aop-6.0.18.jar

This discrepancy may arise because these jars lack a pom.xml file.
However, from the VCIO perspective, the purl should be converted to pkg:maven/
i.e.

pkg:maven/org.eclipse.sisu/[email protected]
pkg:maven/org.springframework/[email protected]

[AyanSinhaMahapatra]

See comment at aboutcode-org/scancode-toolkit#3962 (comment) too. This is a duplicate.

It is not possible to convert pkg:jar/[email protected] to pkg:maven/org.springframework/[email protected] easily because of 2 things:

1. We don't have any mention of the namespace org.springframework anywhere in the jar
2. In both cases of osgi or jar, we cannot safely assume this is a maven package.

This is an inherant issue of the osgi ecosystem, and maven jars which don't have pom.xml files inside.

Only way to get to the packages in maven is looking for packages with the same name(might be possible to have this as a script?) /some targeted matching, but it's hard to automate this and make it work for all packages like this even then, or have this as a general functionality in the main package scanner.

From a discussion on the same thread with @pombredanne :

pkg:jar is not a valid PURL type at all, so this is not valid packageURL. We might need to track these in a different way (we still need to detect this as a package instance, and assign files to it):

1. Some attribute in the package to mark this is an unknown package (means we cannot create a download URL/reach the packages/data from the purl)
2. Have a new unknown type in purl

[mjherzog]

For the springframework example we actually do have org/springframework/aop in the classpath, but classpath would be problematic for an uber-JAR or SpringBoot JAR.
We probably need to create separate issues for pkg:jar and pkg:osgi since the context is very different.

• For pkg:jar, the problem is similar to licensing where we created some placeholder license-keys to fill in the detected _license fields when we cannot detect a license. So pkg:unknown seems like best solution, but the question is where to provide the clues we do have in the Scan output. In SCIO we have MESSAGES where we have posted similar information for "unknown" packages, but I am not sure whether we have the MESSAGES data in the SCTK
• For pkg:osgi, do we want to propose this as a PURL type?. My understanding is that osgi bundles are used extensively in the Eclipse ecosystem and project like Apache Aries, but are not getting wide adoption.