What happened:

Running a scan from within my Maven Java project:

```shell
syft dir:. --exclude ./**/sbom.*.json --output cyclonedx-json@1.5=target/sbom.cyclonedx.test.json
```
Using the `spring-boot-starter-data-ldap` dependency:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-ldap</artifactId>
    <version>3.1.10</version>
</dependency>
```
The generated SBOM contains the following component entry:

```json
{
  "bom-ref": "pkg:maven/spring-ldap-core/spring-ldap-core@3.1.4?package-id=e3cc078e347e7e48",
  "cpe": "cpe:2.3:a:spring-ldap-core:spring-ldap-core:3.1.4:*:*:*:*:*:*:*",
  "externalReferences": [
    {
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "1ea0d8dc80914ac30a5fb702246ed89d90dca0eb"
        }
      ],
      "type": "build-meta",
      "url": ""
    }
  ],
  "name": "spring-ldap-core",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "java-archive-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "java"
    },
    {
      "name": "syft:package:type",
      "value": "java-archive"
    },
    {
      "name": "syft:package:metadataType",
      "value": "java-archive"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-ldap-core:spring_ldap_core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_ldap_core:spring-ldap-core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_ldap_core:spring_ldap_core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-ldap:spring-ldap-core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-ldap:spring_ldap_core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_ldap:spring-ldap-core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_ldap:spring_ldap_core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring:spring-ldap-core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring:spring_ldap_core:3.1.4:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:path",
      "value": "/target/backend-1.0.8-SNAPSHOT.jar"
    },
    {
      "name": "syft:metadata:virtualPath",
      "value": "/target/backend-1.0.8-SNAPSHOT.jar:BOOT-INF/lib/spring-ldap-core-3.1.4.jar"
    }
  ],
  "purl": "pkg:maven/spring-ldap-core/spring-ldap-core@3.1.4",
  "type": "library",
  "version": "3.1.4"
},
```
When running grype, I would expect the following vulnerability to be found, but it is not reported:

```
spring-ldap-core  3.1.4  3.2.8  java-archive  GHSA-mqvr-2rp8-j7h4  Medium  15.82  < 0.1
```
What you expected to happen:

I would have expected the vulnerability to be reported.

Steps to reproduce the issue:

See above.
Anything else we need to know?:

The problem is that the purl is incomplete. The purl above is:

```json
"purl": "pkg:maven/spring-ldap-core/spring-ldap-core@3.1.4",
```

When I change it to the following, it works as expected:

```json
"purl": "pkg:maven/org.springframework.ldap/spring-ldap-core@3.1.4",
```

I have added the following `config.yaml` in `~/.config/syft`:

```yaml
java:
  use-network: true
  use-maven-local-repository: true
  maven-url: 'https://<dns name of our nexus repository>/repository/maven-public/'
```
Environment:

- Output of `syft version`: syft 1.27.1
- OS (e.g. `cat /etc/os-release` or similar):

```
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```
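An added example, not part of this issue or of syft itself: a post-scan check over a CycloneDX JSON SBOM that flags Maven purls whose namespace equals the artifact name (the shape of the incomplete purl reported above, where the groupId was dropped) and rewrites them from an operator-supplied artifactId-to-groupId mapping. `SAMPLE_SBOM` is a constructed, trimmed document and `KNOWN_GROUP_IDS` is an assumed mapping; neither comes from syft.

```python
"""Flag CycloneDX components whose Maven purl lost its groupId (namespace == artifactId).
Added example, not syft's code. SAMPLE_SBOM is a constructed, trimmed CycloneDX
document; KNOWN_GROUP_IDS is an assumed operator-maintained mapping."""
import json

# Constructed CycloneDX fragment: the incomplete purl from the report plus a sound one.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "spring-ldap-core", "version": "3.1.4", "type": "library",
     "purl": "pkg:maven/spring-ldap-core/spring-ldap-core@3.1.4"},
    {"name": "spring-core", "version": "6.0.18", "type": "library",
     "purl": "pkg:maven/org.springframework/spring-core@6.0.18"},
]})
# Assumed mapping artifactId -> groupId, maintained by the operator (not emitted by syft).
KNOWN_GROUP_IDS = {"spring-ldap-core": "org.springframework.ldap"}


def parse_maven_purl(purl):
    """Split a pkg:maven purl into (namespace, name, version, qualifiers); None if not Maven."""
    if not purl.startswith("pkg:maven/"):
        return None
    body, _, qualifiers = purl[len("pkg:maven/"):].partition("?")
    path, _, version = body.partition("@")
    parts = path.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1], version, qualifiers


def find_suspicious_maven_purls(sbom_json):
    """Purls whose namespace equals the artifact name, the symptom seen in the report.
    Heuristic only: a few real artifacts do have groupId == artifactId (junit:junit)."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_maven_purl(comp.get("purl", ""))
        if parsed and parsed[0] == parsed[1]:
            hits.append(comp["purl"])
    return hits


def repair_purl(purl, group_ids=KNOWN_GROUP_IDS):
    """Rewrite a namespace == name purl with the known groupId; unchanged when unknown."""
    parsed = parse_maven_purl(purl)
    if not parsed or parsed[0] != parsed[1] or parsed[1] not in group_ids:
        return purl
    _, name, version, qualifiers = parsed
    fixed = f"pkg:maven/{group_ids[name]}/{name}@{version}"
    return fixed + (f"?{qualifiers}" if qualifiers else "")
```

Run the check before feeding an SBOM to grype: a namespace that merely repeats the artifactId is the purl shape that grype could not match to the advisory above, so flagged entries deserve a look even when no mapping is available to repair them.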