Skip to content

fix: deterministic java purls#2170

Merged
willmurphyscode merged 2 commits intomainfrom
fix/deterministic-java-purls
Sep 25, 2023
Merged

fix: deterministic java purls#2170
willmurphyscode merged 2 commits intomainfrom
fix/deterministic-java-purls

Conversation

@willmurphyscode
Copy link
Copy Markdown
Contributor

@willmurphyscode willmurphyscode commented Sep 22, 2023

Previously, iterating over the map to build up a string slice of groupID candidates resulted in non-deterministic selection of the groupID. Fix that by sorting candidates, and update some integration tests that were only passing because of the issue.

There might be more discussion needed here:

  1. The comment at

    syft/syft/pkg/cataloger/java/package_url.go

    Lines 67 to 69 in 8314c0d

    groupIDS := cpe.GetManifestFieldGroupIDs(manifest, cpe.PrimaryJavaManifestGroupIDFields)
    // assumes that primaryJavaManifestNameFields are ordered by priority
    if len(groupIDS) != 0 {
    seems like it was never true, since the array order coming back from GetManifestFieldGroupIDs was non-deterministic due to iterating maps
  2. There's no reason to suppose that the lexicographically first group ID is a better choice than whatever group ID happened to win the map iteration.

Fixes #2169, but open to discussion about whether this is the right approach.

@willmurphyscode
fix: make candidate group ID list deterministic
1cd81de 
Otherwise, which PURL is generated depends on the order of key iteration
in maps.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode
chore: fix purl integ test
45f04e7 
Apparently this test was only passing because of the map iteration
fixed in the previous commit.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode willmurphyscode merged commit e34adea into main Sep 25, 2023
@willmurphyscode willmurphyscode deleted the fix/deterministic-java-purls branch September 25, 2023 13:28
@p-linnane p-linnane mentioned this pull request Sep 27, 2023
Merged
@willmurphyscode willmurphyscode mentioned this pull request Dec 7, 2023
Closed
3 tasks
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@willmurphyscode
fix: deterministic java purls (anchore#2170)
b56d9ef 
Previously, which PURL was generated depended on the order of key iteration
in maps. Also update an integ test that was apparently only passing because
of the previous issue.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Generated purls are different between runs of syft against the same image and artifact

2 participants

@willmurphyscode @spiffcs