PURL is not deterministic in java-archive cataloger

[TimBrown1611]

What happened:
When i scan a file (.war) I get different results each scan. A jar with multiple pom.xml can result in, for example:

pkg:maven/org.glassfish.jaxb/jaxb-core@2.2.11
pkg:maven/com.sun.xml.bind/jaxb-core@2.2.11

What you expected to happen:
same result each time

Steps to reproduce the issue:
Repeatedly scan webgoat/webgoat container or JAR releases

Anything else we need to know?:
it impacts the number of results I get from syft.

Environment:

• Output of syft version: 1.17.0
• OS (e.g: cat /etc/os-release or similar): mac

[willmurphyscode]

@TimBrown1611 can you confirm that this is still happening? There has been some work in Syft to make the JAR/WAR cataloging more deterministic. If it is still happening, can you share some links to public Maven packages that we should install to reproduce it, or give us some more details?

I think what you mean above is that sometimes the group ID for jaxb-core is org.glassfish.jaxb and sometimes it is com.sun.xml.bind?

If you find that this is still happening, please let us know!

[kzantow]

Hey @TimBrown1611 -- if this is still an issue, are you able to provide a way to reproduce the problem?

[ariel-miculas]

@kzantow , Scanning webgoat gives me the following entry which I think incorrectly identifies the group ID as org.glassfish.jaxb:

$ syft --version
syft 1.29.0

$ syft scan webgoat/webgoat -o syft-json=webgoat-syft.json

  {
    "id": "d052f4f6c000c5ac",
    "name": "jaxb-core",
    "version": "4.0.5",
    "type": "java-archive",
    "foundBy": "java-archive-cataloger",
    "locations": [
      {
        "path": "/home/webgoat/webgoat.jar",
        "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
        "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar",
        "annotations": {
          "evidence": "primary"
        }
      }
    ],
    "licenses": [
      {
        "value": "http://www.eclipse.org/org/documents/edl-v10.php",
        "spdxExpression": "",
        "type": "declared",
        "urls": [],
        "locations": [
          {
            "path": "/home/webgoat/webgoat.jar",
            "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
            "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar",
            "annotations": {
              "evidence": "primary"
            }
          }
        ]
      }
    ],
    "language": "java",

  ...

    "purl": "pkg:maven/org.glassfish.jaxb/jaxb-core@4.0.5",
    "metadataType": "java-archive",
    "metadata": {
      "virtualPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar",

   ...

      "pomProperties": {
        "path": "META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.properties",
        "name": "",
        "groupId": "org.glassfish.jaxb",
        "artifactId": "jaxb-core",
        "version": "4.0.5"
      },
      "digest": [
        {
          "algorithm": "sha1",
          "value": "ad427d8777ae2495bfcb37069d611e8379867e6d"
        }
      ]
    }
  },

According to maven central the group should be com.sun.xml.bind, which we can also see from the accessPath and virtualPath.

[ariel-miculas]

It seems there are two jaxb-core/pom.properties files in /home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar:

META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.properties
META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.xml

and

META-INF/maven/com.sun.xml.bind/jaxb-core/pom.properties
META-INF/maven/com.sun.xml.bind/jaxb-core/pom.xml

So maybe this is the source of confusion.

[kzantow]

Thanks @ariel-miculas! I'm trying to determine a few things here, all in service of providing the most accurate analysis.

I would very much like to understand what the right results are. Looking in the jar mentioned (com.sun.xml.bind-jaxb-core-4.0.5.jar), I see:

META-INF/
  maven/
    com.sun.xml.bind/
      jaxb-core/ (poms)
    org.glassfish.jaxb/
      txw2/ (poms)
      jaxb-core/ (poms)
    com.sun.istack/
      istack-commons-runtime/ (poms)

Should we be reporting ALL packages from each pom.xml / pom.properties? Can someone point to documentation about what poms are included in JARs? are these always when classes are present in the JAR, maybe due to shading? Is there a reliable way to know this, especially in the event certain dependencies are shaded at different classpaths and we can't necessarily even look at the directory structure to match?

And secondarily, if we were to say "this JAR is package X", how could we determine it should be com.sun.xml.bind:jaxb-core, in this particular case both group and artifact ID are in the filename, so we could test both of these, whereas today we are only testing the name, and because jaxb-core is present in the filename when testing org.glassfish.jaxb, this is considered to be a filename match. But many JARs don't have both groupID and artifactID in the name, could anyone explain the most accurate way to identify the primary package?

[kzantow]

I was able to reproduce the nondeterministic behavior scanning the WebGoat jar, as I've updated in the description. I fixed this and implemented another improvement in the identification logic to also account for the groupID, which should help the particular case noted in the comments relating to the com.sun.xml.bind artifact, but may not be especially useful outside of this edge case. Please do let me know if there are any other ideas to improve this!

[ariel-miculas]

A side effect of this issue is that some java packages appear twice. E.g., jaxb-core:

    {
      "id": "d052f4f6c000c5ac",
      "name": "jaxb-core",
      "version": "4.0.5",
      "type": "java-archive",
      "foundBy": "java-archive-cataloger",
      "locations": [
        {
          "path": "/home/webgoat/webgoat.jar",
          "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
          "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [
        {
          "value": "http://www.eclipse.org/org/documents/edl-v10.php",
          "spdxExpression": "",
          "type": "declared",
          "urls": [],
          "locations": [
            {
              "path": "/home/webgoat/webgoat.jar",
              "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
              "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/com.sun.xml.bind-jaxb-core-4.0.5.jar",
              "annotations": {
                "evidence": "primary"
              }
            }
          ]
        }
      ],
      "language": "java",

    {
      "id": "64e29342c9699db3",
      "name": "jaxb-core",
      "version": "4.0.5",
      "type": "java-archive",
      "foundBy": "java-archive-cataloger",
      "locations": [
        {
          "path": "/home/webgoat/webgoat.jar",
          "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
          "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/org.glassfish.jaxb-jaxb-core-4.0.5.jar",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [
        {
          "value": "http://www.eclipse.org/org/documents/edl-v10.php",
          "spdxExpression": "",
          "type": "declared",
          "urls": [],
          "locations": [
            {
              "path": "/home/webgoat/webgoat.jar",
              "layerID": "sha256:8dd01ff157deb045769a969cd4f982917d46665363e21a917f67f0dfc164ce75",
              "accessPath": "/home/webgoat/webgoat.jar:BOOT-INF/lib/org.glassfish.jaxb-jaxb-core-4.0.5.jar",
              "annotations": {
                "evidence": "primary"
              }
            }
          ]
        }
      ],
      "language": "java",

Other duplicate packages detected by scanning webgoat: txw2, jaxb-runtime, istack-commons-runtime.
Is this expected behavior given the fact that it's the same cataloger that's reporting these?