

fix(sbom): take pkg name from purl for maven pkgs (aquasecurity#7008)
DmitriyLewen authored and skahn007gl committed Jul 23, 2024
1 parent 370ab34 commit ebac4bd
Showing 1 changed file with 8 additions and 3 deletions.
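--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -256,6 +256,14 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 return pkg.Name
 }
 
+// `maven purl type` has no restrictions on using lowercase letters.
+// Also, `spdx-maven-plugin` uses `name` instead of `artifactId` for the `package name` field.
+// So we need to use `purl` for maven/gradle packages
+// See https://github.com/aquasecurity/trivy/issues/7007 for more information.
+if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
+return pkg.Name
+}
+
 // TODO(backward compatibility): Remove after 03/2025
 // Bitnami used different pkg.Name and the name from PURL.
 // For backwards compatibility - we need to use PURL.
@@ -265,9 +273,6 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 }
 
 if c.Group != "" {
-if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
-return c.Group + ":" + c.Name
-}
 return c.Group + "/" + c.Name
 }
 return c.Name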
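Review bot: Dropping the Maven/Gradle branch in the second hunk changes the fallback for any Maven component that still reaches the `c.Group` path: it is now joined as `group/name` instead of `group:name`, and that string is what later vulnerability matching keys on. Whether a Maven component without a usable purl can get this far depends on the guard that precedes the first hunk, which starts outside the shown lines; if it can, keep the `:` join for that case or state in a comment that Maven components are assumed to always carry a purl. The new early return in the first hunk returns `pkg.Name` unconditionally once the purl type matches; assuming `pkg.Name` is derived from the purl, a purl with an empty name would yield an empty package name, so a guard such as `if pkg.Name != "" && (p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle) {` lets it fall through to the component name instead. Both hunks lie inside pkgName, whose body begins before the first hunk and continues after the second.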

