From a09799ecbbf78d1a31836a8a22b8147f9c07845a Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 25 Jun 2024 13:50:49 +0600
Subject: [PATCH 1/2] fix(bom): use `purl` for maven pkgs
---
 pkg/sbom/io/decode.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
index b740d756c4bd..455be25a0936 100644
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -256,6 +256,14 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 return pkg.Name
 }
 
+ // `maven purl type` has no restrictions on using lowercase letters.
+ // Also, `spdx-maven-plugin` uses `name` instead of `artifactId` for the `package name` field.
+ // So we need to use `purl` for maven/gradle packages
+ // See https://github.com/aquasecurity/trivy/issues/7007 for more information.
+ if c.PkgIdentifier.PURL.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
+ return pkg.Name
+ }
+
 // TODO(backward compatibility): Remove after 03/2025
 // Bitnami used different pkg.Name and the name from PURL.
 // For backwards compatibility - we need to use PURL.
@@ -265,9 +273,6 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 }
 
 if c.Group != "" {
- if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
- return c.Group + ":" + c.Name
- }
 return c.Group + "/" + c.Name
 }
 return c.Name
From dc4dc54a7ec662f1987d4c9c6db96ba0bf08e2d0 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 25 Jun 2024 14:03:01 +0600
Subject: [PATCH 2/2] refactor
---
 pkg/sbom/io/decode.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
index 455be25a0936..7544cf215a3e 100644
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
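Review bot: The new maven/gradle early return in the first hunk changes which name a decoded component ends up with, but the diffstat shows only decode.go touched, so no test pins that a component whose SPDX `name` differs from the PURL `artifactId` (the issue 7007 case) now yields the PURL-derived `pkg.Name` instead of `c.Group + ":" + c.Name`. A decoder test with a constructed maven component whose `name` and PURL artifact deliberately disagree would lock this in; a wrong name here means the vulnerability lookup is keyed on the wrong coordinates, which fails silently rather than loudly. The added comment also reads awkwardly: "has no restrictions on using lowercase letters" presumably means the PURL type does not force lowercase, so `// The maven purl type does not require lowercase names, and spdx-maven-plugin writes the artifact name rather than the artifactId into the SPDX package name, so use the PURL-derived name for maven/gradle packages.` states the rationale more directly. pkgName starts and ends outside this hunk.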
@@ -260,7 +260,7 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 // Also, `spdx-maven-plugin` uses `name` instead of `artifactId` for the `package name` field.
 // So we need to use `purl` for maven/gradle packages
 // See https://github.com/aquasecurity/trivy/issues/7007 for more information.
- if c.PkgIdentifier.PURL.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
+ if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
 return pkg.Name
 }
 
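Review bot: With `p.Type` now on both sides of the condition, the check is only safe if `p` is guaranteed non-nil at this point; whatever establishes that (presumably the early `return pkg.Name` whose closing brace is the first context line of the first patch) lives outside the hunk, and an SBOM component carrying no PURL would otherwise panic inside the decoder while parsing an externally supplied file. If a nil guard exists above, a one-line comment on the condition such as `// p is non-nil here: components without a PURL returned above` makes the dependency visible to the next reader; if it does not, the condition needs `p != nil &&` in front. The subject "refactor" also undersells the change: the first patch compared two different expressions and this one makes them agree, so a subject like `fix(bom): compare the same PURL in the maven/gradle check` would describe it. pkgName starts and ends outside this hunk.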