
fix(java): improve lz4 detection#4642

Merged
kzantow merged 2 commits into anchore:main from xnox:fix-lz4
Feb 27, 2026

@xnox xnox commented Feb 26, 2026

Improve lz4 detection.

Before:

```
$ syft --output purls /tmp/test-syft/ 2>/dev/null
pkg:maven/org.lz4.java/lz4-java@1.8.0
```

After:

```
$ ./syft-cli --output purls /tmp/test-syft/ 2>/dev/null
pkg:maven/org.lz4/lz4-java@1.8.0
```

And it now has intended effect with grype:

```
$ syft --output purls /tmp/test-syft/ 2>/dev/null | grype
No vulnerabilities found

$ ./syft-cli --output purls /tmp/test-syft/ 2>/dev/null | grype
NAME      INSTALLED  FIXED IN  TYPE          VULNERABILITY        SEVERITY  EPSS           RISK
lz4-java  1.8.0                java-archive  GHSA-cmp6-m4wj-q63q  High      < 0.1% (21st)  < 0.1
lz4-java  1.8.0      1.8.1     java-archive  GHSA-vqf4-7m7x-wgfc  High      < 0.1% (20th)  < 0.1
```

Fixes: #4611
Fixes: anchore/grype#3205

Improve lz4 detection.

Before:
```
$ syft --output purls /tmp/test-syft/ 2>/dev/null
pkg:maven/org.lz4.java/lz4-java@1.8.0
```

After:
```
$ ./syft-cli --output purls /tmp/test-syft/ 2>/dev/null
pkg:maven/org.lz4/lz4-java@1.8.0
```

And it now has intended effect with grype:

```
$ syft --output purls /tmp/test-syft/ 2>/dev/null | grype
No vulnerabilities found

$ ./syft-cli --output purls /tmp/test-syft/ 2>/dev/null | grype
NAME      INSTALLED  FIXED IN  TYPE          VULNERABILITY        SEVERITY  EPSS           RISK
lz4-java  1.8.0                java-archive  GHSA-cmp6-m4wj-q63q  High      < 0.1% (21st)  < 0.1
lz4-java  1.8.0      1.8.1     java-archive  GHSA-vqf4-7m7x-wgfc  High      < 0.1% (20th)  < 0.1
```

Fixes: anchore#4611
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Keith Zantow <kzantow@gmail.com>

@xnox xnox left a comment


Approved with prejudice.

@kzantow kzantow merged commit 35278f3 into anchore:main Feb 27, 2026
10 checks passed
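
A regression check modelled on the before/after comparison in this PR, as an added example (not code from syft, grype or the PR itself): it compares two `--output purls` listings and reports packages whose type, name and version are unchanged but whose namespace (the Maven groupId) differs, which is the identity change that altered the grype results shown above. The function names and the sample listings are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample inputs that mirror the two PURL listings in the PR description.
BEFORE = "pkg:maven/org.lz4.java/lz4-java@1.8.0\n"
AFTER = "pkg:maven/org.lz4/lz4-java@1.8.0\n"


def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    # Qualifiers (?...) and subpath (#...) do not affect package identity here.
    body = purl[4:].split("#", 1)[0].split("?", 1)[0].strip("/")
    path, sep, version = body.rpartition("@")
    if not sep:  # no version component present
        path, version = body, ""
    ptype, _, rest = path.partition("/")
    namespace, _, name = rest.rpartition("/")
    if not ptype or not name:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    return ptype.lower(), unquote(namespace), unquote(name), unquote(version)


def index_by_identity(listing):
    """Map (type, name, version) -> set of namespaces seen in a PURL listing."""
    index = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("pkg:"):
            continue  # skip blanks and any non-PURL output
        ptype, namespace, name, version = parse_purl(line)
        index.setdefault((ptype, name, version), set()).add(namespace)
    return index


def namespace_changes(before, after):
    """Report packages present in both listings whose namespace set differs."""
    old, new = index_by_identity(before), index_by_identity(after)
    return [
        (ptype, name, version, sorted(old[key]), sorted(new[key]))
        for key in sorted(old.keys() & new.keys())
        for ptype, name, version in [key]
        if old[key] != new[key]
    ]


if __name__ == "__main__":
    for ptype, name, version, was, now in namespace_changes(BEFORE, AFTER):
        print(f"{ptype} {name}@{version}: namespace {was} -> {now}")
```

Any package this reports should be re-scanned with the vulnerability matcher under both identities, since a namespace change can turn a silent miss into a finding or the reverse.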