From a76e3286c413de3dec55394fb41dd627dfee37ae Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Wed, 26 Jun 2024 12:18:20 +0600
Subject: [PATCH] fix(sbom): take pkg name from `purl` for maven pkgs (#7008)

---
 pkg/sbom/io/decode.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
index b740d756c4bd..7544cf215a3e 100644
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -256,6 +256,14 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 		return pkg.Name
 	}
 
+	// `maven purl type` has no restrictions on using lowercase letters.
+	// Also, `spdx-maven-plugin` uses `name` instead of `artifactId` for the `package name` field.
+	// So we need to use `purl` for maven/gradle packages
+	// See https://github.com/aquasecurity/trivy/issues/7007 for more information.
+	if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
+		return pkg.Name
+	}
+
 	// TODO(backward compatibility): Remove after 03/2025
 	// Bitnami used different pkg.Name and the name from PURL.
 	// For backwards compatibility - we need to use PURL.
@@ -265,9 +273,6 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 	}
 
 	if c.Group != "" {
-		if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
-			return c.Group + ":" + c.Name
-		}
 		return c.Group + "/" + c.Name
 	}
 	return c.Name
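Review bot: The added maven/gradle branch in the first hunk returns `pkg.Name` unconditionally, so if the purl-derived `pkg.Name` can be empty at this point (the earlier `return pkg.Name` context line suggests it is only trusted under some prior condition that is outside the hunk), a maven component would now resolve to an empty name instead of falling back to `c.Group`/`c.Name`; if that is possible, guard it with `if (p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle) && pkg.Name != "" {`. The first comment line is hard to read as written; I would phrase the block as `// The maven purl type is case-preserving and spdx-maven-plugin fills the SPDX package name from <name> rather than <artifactId>, so for maven/gradle the purl-derived pkg.Name is the reliable identifier (see issue 7007).` Since the returned name is what downstream vulnerability matching keys on, a test with a maven component whose `c.Name` differs from the purl name in case or value would pin the new behaviour; the removed `c.Group + ":" + c.Name` path in the second hunk no longer has coverage. `pkgName` begins before the first hunk and the nil-handling of `p` is not visible here.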