I have seen a couple of somewhat related issues but wanted to ask specifically. As best I can read the Java archive parser, it looks for pom.properties and pom.xml and only uses the pom.xml (project) if the properties file exists and aligns.
In many of the io.micronaut jar files there is only a pom.xml, and the manifest entries lead to the wrong group id being used.
I took a stab at a fix but am really struggling with getting a test case to pass, and it does feel very specific to a single pom.xml when there are also uber jars with many pom.xml files indicating the combined contents.
Just looking for guidance. I did also look at syft/pkg/cataloger/internal/cpegenerate/java_groupid_map.go but believe processing the XML is better than adding hundreds of entries to that map.
Just so I understand the problem you’re encountering: with a JAR file that has a pom.xml present but no pom.properties present, you are having trouble getting a test case to recognize the jar, but your testing seems to show correct behavior when running syft directly?
I agree we should use pom.xml if that’s the only thing we find.
That is it. My test of the fix identifies correctly, but I believe I need some additional work to have the pom.xml captured as the metadata used for identification.
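The pom.properties/pom.xml fallback the thread is discussing, as an added Go example that is neither syft's own code nor the patch described above: it walks the Maven metadata directories inside a JAR, prefers a complete pom.properties, and otherwise parses the pom.xml on its own, resolving a groupId or version that a child POM inherits from its <parent>. The in-memory JAR, the com.example/io.example coordinates and the precedence policy are constructed assumptions for the example, not values taken from syft or from any io.micronaut artifact.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"io/fs"
	"path"
	"strings"
)

// Coordinates is the Maven identity found in one META-INF/maven/<groupId>/<artifactId>/ directory.
type Coordinates struct {
	GroupID, ArtifactID, Version, Source string // Source is "pom.properties" or "pom.xml"
}

// pomProject is the subset of pom.xml needed here; a child POM may omit groupId/version and inherit them from <parent>.
type pomProject struct {
	GroupID       string `xml:"groupId"`
	ArtifactID    string `xml:"artifactId"`
	Version       string `xml:"version"`
	ParentGroupID string `xml:"parent>groupId"`
	ParentVersion string `xml:"parent>version"`
}

// fromProperties parses the key=value lines of pom.properties; ok is false unless groupId and artifactId are present.
func fromProperties(b []byte) (c Coordinates, ok bool) {
	props := map[string]string{}
	for _, line := range strings.Split(string(b), "\n") {
		if k, v, found := strings.Cut(line, "="); found && !strings.HasPrefix(strings.TrimSpace(line), "#") {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	c = Coordinates{props["groupId"], props["artifactId"], props["version"], "pom.properties"}
	return c, c.GroupID != "" && c.ArtifactID != ""
}

// fromPomXML decodes the POM and fills in the values a child POM inherits from <parent>.
func fromPomXML(b []byte) (Coordinates, error) {
	var p pomProject
	if err := xml.Unmarshal(b, &p); err != nil {
		return Coordinates{}, err
	}
	c := Coordinates{p.GroupID, p.ArtifactID, p.Version, "pom.xml"}
	if c.GroupID == "" {
		c.GroupID = p.ParentGroupID // groupId omitted in the child POM: inherited from the parent
	}
	if c.Version == "" {
		c.Version = p.ParentVersion
	}
	return c, nil
}

// ExtractCoordinates walks every META-INF/maven/*/*/ directory in the JAR, in archive order. Policy (this
// example's assumption): a complete pom.properties wins; otherwise the pom.xml alone is used, so a JAR
// that ships only a pom.xml still yields its declared groupId instead of a manifest-derived guess.
func ExtractCoordinates(jar []byte) ([]Coordinates, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	seen, dirs := map[string]bool{}, []string{}
	for _, f := range zr.File {
		if dir, base := path.Split(f.Name); strings.HasPrefix(dir, "META-INF/maven/") && (base == "pom.xml" || base == "pom.properties") && !seen[dir] {
			seen[dir], dirs = true, append(dirs, dir)
		}
	}
	var out []Coordinates
	for _, dir := range dirs {
		b, _ := fs.ReadFile(zr, dir+"pom.properties") // absent file: b is nil and ok below is false
		if c, ok := fromProperties(b); ok {
			out = append(out, c)
			continue
		}
		if b, err = fs.ReadFile(zr, dir+"pom.xml"); err != nil {
			continue // neither a usable pom.properties nor a pom.xml: nothing to report
		}
		if c, err := fromPomXML(b); err != nil {
			return nil, err
		} else if c.GroupID != "" && c.ArtifactID != "" {
			out = append(out, c)
		}
	}
	return out, nil
}

// SampleJar builds a constructed in-memory uber JAR: lib-a ships both files, lib-b ships only a pom.xml
// that inherits groupId and version from its parent (names and versions are made up for this example).
func SampleJar() []byte {
	entries := []struct{ name, body string }{
		{"META-INF/maven/com.example/lib-a/pom.properties", "# constructed\ngroupId=com.example\nartifactId=lib-a\nversion=1.2.3\n"},
		{"META-INF/maven/com.example/lib-a/pom.xml", `<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>com.example</groupId><artifactId>lib-a</artifactId><version>1.2.3</version></project>`},
		{"META-INF/maven/io.example/lib-b/pom.xml", `<project xmlns="http://maven.apache.org/POM/4.0.0"><parent><groupId>io.example</groupId><artifactId>lib-parent</artifactId><version>4.0.0</version></parent><artifactId>lib-b</artifactId></project>`},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e.name)
		w.Write([]byte(e.body))
	}
	zw.Close()
	return buf.Bytes()
}
```

Calling ExtractCoordinates(SampleJar()) yields com.example:lib-a:1.2.3 from pom.properties and io.example:lib-b:4.0.0 from pom.xml; the second entry is the case from the thread, where a manifest-based guess would have produced the wrong group id. Because each Maven directory is handled separately, an uber JAR with many POMs simply yields one coordinate set per directory rather than forcing a choice of a single pom.xml.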