syft
Get purl url from maven dependency
What would you like to be added:
I use syft to create a sbom.xml to import in dependency-track.
The sbom.xml is created from a Java Maven project. There are Maven dependencies included like:

```xml
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>5.5.2</version>
</dependency>
```

As I understand from debugging the source, to create a purl URL I need a pom.properties or pom.xml in the jar file of spring-security-core.
But there is no pom.properties or pom.xml in the spring-security-core.jar from maven central.
Is there a way to create the purl URL via syft anyway?
Thanks for your help.
Best regards, Sascha Vujevic
Why is this needed:
I would like to see vulnerabilities in dependency track of all dependencies used in my maven project.
Additional context:
Thanks @savujevi for the issue!
Syft now has functionality where you can enable fetching metadata from upstream maven. Let me know if this fills out the PURL you're looking for on the latest version of syft.
If not just tag me back here and I'll investigate further.
Hey @spiffcs, how would one enable fetching metadata from upstream maven? I am attempting to create an SBOM for a maven project but the installed versions can never be identified. Thanks in advance!
Apologies @VariableExport, I totally misspoke on this feature existing in syft: TLDR - we're looking to move this kind of discovery into syft.
https://github.com/anchore/grype/blob/d5b825e40bbfc4696e7220c94c9f4469466e305e/grype/matcher/java/matcher.go
^ Here is a snippet of how grype uses Maven to enhance sha data to provide better matches
I'll follow up on this thread when we have a better external sources story for providing a more correct SBOM from syft =)
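Taken together, the thread describes three ways to get Maven coordinates for a jar: read them from a `META-INF/maven/**/pom.properties` entry inside the jar (what the issue says syft requires), fall back to the `<dependency>` coordinates declared in the project's own pom.xml, or hash the jar and ask Maven Central which artifact publishes that SHA-1 (the approach in the grype snippet linked above). The Go program below is an added example written for this page, not syft or grype code. It builds a tiny constructed jar in memory so it runs offline, and it only constructs the Maven Central search URL rather than sending the request; the `search.maven.org` query format, the helper names and the sample jar contents are assumptions.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
	"time"
)

// springSecurityDependency is the <dependency> element quoted in the issue.
const springSecurityDependency = `<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>5.5.2</version>
</dependency>`

var errNoPomProperties = errors.New("jar carries no META-INF/maven/**/pom.properties")

// mavenPURL renders Maven coordinates as a package URL of type "maven".
func mavenPURL(groupID, artifactID, version string) string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s",
		url.PathEscape(groupID), url.PathEscape(artifactID), url.PathEscape(version))
}

// parseProperties reads a minimal Java .properties file (key=value, # comments).
func parseProperties(r io.Reader) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props
}

// purlFromJar mirrors what the issue describes: find a pom.properties entry
// under META-INF/maven/ and build the purl from its coordinates. The first
// match wins, so a shaded "fat" jar with several entries needs extra care.
// A jar published without the entry returns errNoPomProperties.
func purlFromJar(jar []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return "", err
	}
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/maven/") || !strings.HasSuffix(f.Name, "/pom.properties") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		props := parseProperties(rc)
		rc.Close()
		g, a, v := props["groupId"], props["artifactId"], props["version"]
		if g == "" || a == "" || v == "" {
			return "", fmt.Errorf("%s: incomplete coordinates", f.Name)
		}
		return mavenPURL(g, a, v), nil
	}
	return "", errNoPomProperties
}

// purlFromDependencyXML is the first fallback: derive the purl from the
// <dependency> declared in the project's own pom.xml.
func purlFromDependencyXML(snippet string) (string, error) {
	var d struct {
		GroupID    string `xml:"groupId"`
		ArtifactID string `xml:"artifactId"`
		Version    string `xml:"version"`
	}
	if err := xml.Unmarshal([]byte(snippet), &d); err != nil {
		return "", err
	}
	if d.GroupID == "" || d.ArtifactID == "" || d.Version == "" {
		return "", errors.New("dependency is missing groupId, artifactId or version")
	}
	return mavenPURL(d.GroupID, d.ArtifactID, d.Version), nil
}

// mavenCentralSHA1Query is the second fallback, the idea behind the grype
// snippet: hash the jar and ask Maven Central's search API which coordinates
// publish that exact artifact. Only the query URL is built; nothing is sent.
// The parameter layout is an assumption about search.maven.org.
func mavenCentralSHA1Query(jar []byte) (sha1Hex, query string) {
	sum := sha1.Sum(jar)
	sha1Hex = hex.EncodeToString(sum[:])
	q := url.Values{}
	q.Set("q", fmt.Sprintf("1:%q", sha1Hex))
	q.Set("rows", "1")
	q.Set("wt", "json")
	return sha1Hex, "https://search.maven.org/solrsearch/select?" + q.Encode()
}

// buildJar constructs a tiny jar in memory (constructed sample data, not a
// real spring-security-core build), with or without the pom.properties entry.
func buildJar(withPomProperties bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		hdr := &zip.FileHeader{Name: name, Method: zip.Deflate,
			Modified: time.Date(2021, 8, 1, 0, 0, 0, 0, time.UTC)}
		w, err := zw.CreateHeader(hdr)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	add("org/springframework/security/core/Placeholder.class", "\xca\xfe\xba\xbe")
	if withPomProperties {
		add("META-INF/maven/org.springframework.security/spring-security-core/pom.properties",
			"#Generated by Maven\nversion=5.5.2\ngroupId=org.springframework.security\nartifactId=spring-security-core\n")
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for _, tc := range []struct {
		name string
		jar  []byte
	}{
		{"jar with pom.properties", buildJar(true)},
		{"jar stripped like spring-security-core", buildJar(false)},
	} {
		p, err := purlFromJar(tc.jar)
		if err == nil {
			fmt.Printf("%s: %s\n", tc.name, p)
			continue
		}
		if !errors.Is(err, errNoPomProperties) {
			fmt.Printf("%s: %v\n", tc.name, err)
			continue
		}
		fromPom, _ := purlFromDependencyXML(springSecurityDependency)
		sha, q := mavenCentralSHA1Query(tc.jar)
		fmt.Printf("%s: no pom.properties; from pom.xml dependency: %s\n  sha1 %s\n  upstream lookup: %s\n",
			tc.name, fromPom, sha, q)
	}
}
```

The SHA-1 route is the only one that verifies the bytes you actually ship match a published artifact; the pom.xml route trusts the declared coordinates, which is fine for dependency-track ingestion but says nothing about a tampered or repackaged jar.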