Different CPEs between java-cataloger and java-gradle-lockfile-cataloger

[henryde]

What happened:
Generating an SBOM for the same application results in different CPEs for some artifacts depending on wether you scan the JAR or the Gradle lockfiles. This is problematic because only one version is correct (from scanning the JAR) and can be associated with a CVE by Grype.

Output from scanning JAR for an affected package (org.apache.commons/commons-text):

  {
   "id": "8c676414d80e8545",
   "name": "commons-text",
   "version": "1.8",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/app/app.jar",
     "layerID": "sha256:500cfc0fe3167917dfd7ad1ea5bb273c18b82c26a256f93a0004fbf0da01ebb7",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "https://www.apache.org/licenses/LICENSE-2.0.txt"
   ],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:apache:commons-text:1.8:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:commons_text:1.8:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:commons:1.8:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.apache.commons/[email protected]",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/app/meshfed-api.jar:BOOT-INF/lib/commons-text-1.8.jar",
    "manifest": {
     "main": {
      "Automatic-Module-Name": "org.apache.commons.text",
      "Bnd-LastModified": "1567194992727",
      "Build-Jdk": "1.8.0_221",
      "Built-By": "ggregory",
      "Bundle-Description": "Apache Commons Text is a library focused on algorithms working on strings.",
      "Bundle-DocURL": "https://commons.apache.org/proper/commons-text",
      "Bundle-License": "https://www.apache.org/licenses/LICENSE-2.0.txt",
      "Bundle-ManifestVersion": "2",
      "Bundle-Name": "Apache Commons Text",
      "Bundle-SymbolicName": "org.apache.commons.commons-text",
      "Bundle-Vendor": "The Apache Software Foundation",
      "Bundle-Version": "1.8.0",
      "Created-By": "Apache Maven Bundle Plugin",
      "Export-Package": "org.apache.commons.text;version=\"1.8\",org.apache.commons.text.diff;version=\"1.8\",org.apache.commons.text.lookup;version=\"1.8\",org.apache.commons.text.matcher;version=\"1.8\",org.apache.commons.text.similarity;version=\"1.8\",org.apache.commons.text.translate;version=\"1.8\"",
      "Implementation-Title": "Apache Commons Text",
      "Implementation-URL": "https://commons.apache.org/proper/commons-text",
      "Implementation-Vendor": "The Apache Software Foundation",
      "Implementation-Vendor-Id": "org.apache.commons",
      "Implementation-Version": "1.8",
      "Import-Package": "javax.script,javax.xml.xpath,org.apache.commons.lang3,org.apache.commons.lang3.time,org.xml.sax",
      "Include-Resource": "META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=NOTICE.txt",
      "Manifest-Version": "1.0",
      "Require-Capability": "osgi.ee;filter:=\"(&(osgi.ee=JavaSE)(version=1.8))\"",
      "Specification-Title": "Apache Commons Text",
      "Specification-Vendor": "The Apache Software Foundation",
      "Specification-Version": "1.8",
      "Tool": "Bnd-4.1.0.201810181252"
     }
    },
    "pomProperties": {
     "path": "META-INF/maven/org.apache.commons/commons-text/pom.properties",
     "name": "",
     "groupId": "org.apache.commons",
     "artifactId": "commons-text",
     "version": "1.8"
    },
    "digest": [
     {
      "algorithm": "sha1",
      "value": "879a6bde4c0537a25504c72ec7a94ba4099f469c"
     }
    ]
   }
  },

Output for the same application from scanning the Gradle lockfile:

{
      "id": "59d209285e920005",
      "name": "commons-text",
      "version": "1.8",
      "type": "java-archive",
      "foundBy": "java-gradle-lockfile-cataloger",
      "locations": [
        {
          "path": "app/api/gradle.lockfile",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [],
      "language": "java",
      "cpes": [
        "cpe:2.3:a:commons-text:commons-text:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:commons-text:commons_text:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:commons_text:commons-text:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:commons_text:commons_text:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:commons:commons-text:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:commons:commons_text:1.8:*:*:*:*:*:*:*"
      ],
      "purl": "",
      "metadataType": "JavaMetadata"
    }

Line from gradle.lockfile:

org.apache.commons:commons-text:1.8=compileClasspath

What you expected to happen:
CPEs should be the same regardless of cataloger.

Environment:

• Output of syft version:

Application:        syft
Version:            0.85.0
JsonSchemaVersion:  9.0.0
BuildDate:          2023-07-12T17:42:24Z
GitCommit:          4fc17edd146af34ab06f5b0443ef8ddac3aaf076
GitDescription:     v0.85.0
Platform:           linux/amd64
GoVersion:          go1.20.5
Compiler:           gc

• OS: Arch Linux (6.4.5-arch1-1)

[tgerla]

Thanks for the report, @henryde. We will move this into the backlog to investigate when we are able. If you are interested in working on this issue, the place to start would be the gradle lockfile parser: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_gradle_lockfile.go#L39

[kzantow]

FWIW: It looks like there is no JavaMetadata actually being added to the packages -- the GroupID simply doesn't appear to be used... see: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_gradle_lockfile.go#L51-L60