Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach #3054
Conversation
dor-hayun
changed the title
dor-hayun
changed the title
|
Thanks for the contribution @dor-hayun! I think for us to accept this we need to check on some of the downstream implications here and see if it changes any of our fixtures in vulnerability testing for the better. Also, let me see about adding a test or two that can show the kind of behavior this prevents. Do you have an current cases you're running into that would serve as a good example? |
|
HI @spiffcs , and then you can check what happens for 'jansi' package, it is the main artifact, you can see that there are 10 pom properties found inside the jar and my fix is to ensure Correctly retrieving the main package name when the main POM file is present. 
|
|
Hey, @dor-hayun. It looks like I made a change that conflicts with this one a bit. Would you want to rebase this PR? Or I could push an update, if you don't mind. |
|
@kzantow i'm rebasing it |
…IDMatchesFilename' - Correct retrieval of package name when main POM file exists - Address issue where wrong package name was retrieved for certain jars - Example case: 'jansi' jar containing multiple jars like 'jansi-win32' - Ensure true is returned when filename matches the artifact ID, prevent random retrieval by checking prefix and suffix - Use fallback check with suffix and prefix if no POM properties file matches the exact artifact name Signed-off-by: dor-hayun <dor.hayun@mend.io>
dor-hayun
force-pushed
the
fix-java-archive-parser
branch
from
77f6fb6
to
a21d722
Compare
Improving Accuracy of Package Name Retrieval in Java Archives
This section outlines enhancements to accurately retrieve the main package artifact names and their corresponding SHA1 values. It focuses on resolving issues where incorrect package names were being retrieved, especially for JAR files with multiple internal JARs. The improvements include: