This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git
The following commit(s) were added to refs/heads/main by this push:
new ef0063a don't apply group:name:version logic to purl of non-Java
ecosystems
ef0063a is described below
commit ef0063a2ebb37f65bee048b253163bee74da5cf1
Author: Stefan Bodewig <[email protected]>
AuthorDate: Sat May 23 13:23:39 2026 +0200
don't apply group:name:version logic to purl of non-Java ecosystems
---
docs/component.html | 4 +++-
.../org/apache/ant/cyclonedx/ComponentBomTask.java | 25 ++++++++++++++++------
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/docs/component.html b/docs/component.html
index 60d1654..47f284f 100644
--- a/docs/component.html
+++ b/docs/component.html
@@ -190,7 +190,9 @@ <h4 id="sbomLink">sbomLink</h4>
group as one read from the linked SBOM, the linked component
will be ignored. Here the version is ignored, it is assumed
the component explicitly specified is the result of a process
- that resolved conflicts in dependency versions.
+ that resolved conflicts in dependency versions. Currently this
+ only applies to Components with <code>pkg:maven/</code> Package-URLs
+ as bom-ref.
</li>
</ul>
diff --git a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
index a7db29d..4c2dacd 100644
--- a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
+++ b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
@@ -229,8 +229,12 @@ public class ComponentBomTask extends Task {
} catch (IOException ex) {
throw new BuildException("failed to resolve component",
ex);
}
- knownComponents.put(getUnversionedCoordinates(c),
c.getBomRef());
- });
meta.setComponent(component.toMainCycloneDxComponent(specVersion.getVersion()));
+ String unversionedKey = getUnversionedCoordinates(c);
+ if (unversionedKey != null) {
+ knownComponents.put(unversionedKey, c.getBomRef());
+ }
+ });
+
meta.setComponent(component.toMainCycloneDxComponent(specVersion.getVersion()));
if (useComponentSupplier) {
OrganizationalEntity componentSupplier =
meta.getComponent().getSupplier();
@@ -248,9 +252,11 @@ public class ComponentBomTask extends Task {
}
for (Component c : resolvedComponents) {
- String componentKey = getUnversionedCoordinates(c);
- if (!knownComponents.containsKey(componentKey)) {
- knownComponents.put(componentKey, c.getBomRef());
+ String unversionedKey = getUnversionedCoordinates(c);
+ if (unversionedKey == null) {
+
cs.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
+ } else if (!knownComponents.containsKey(unversionedKey)) {
+ knownComponents.put(unversionedKey, c.getBomRef());
cs.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
}
}
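Review bot: In the loop over `resolvedComponents`, a component whose key is `null` is added to `cs` with no duplicate check at all, so if the same non-Maven component can reach this loop more than once (for example through several linked SBOMs, which this hunk does not show) the BOM would carry repeated entries with the same bom-ref. It may be worth tracking the bom-refs already added for that case, since consumers that match findings on bom-ref expect them to be unique. Separately, the two identical `cs.add(...)` calls can be merged into one branch: `if (unversionedKey == null || knownComponents.putIfAbsent(unversionedKey, c.getBomRef()) == null) {`. The enclosing method starts and ends outside the hunk.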
@@ -408,7 +414,11 @@ public class ComponentBomTask extends Task {
}
private static String getUnversionedCoordinates(Component c) {
- return c.getGroup() + ":" + c.getName();
+ Map.Entry<String, String> mavenCoordinates =
extractMavenCoordinates(c.getBomRef());
+ if (mavenCoordinates == null) {
+ return null;
+ }
+ return mavenCoordinates.getKey() + ":" + mavenCoordinates.getValue();
}
private static String getUnversionedCoordinates(Component.Dependency d) {
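Review bot: `getUnversionedCoordinates(Component)` now returns `null` for every bom-ref that `MAVEN_PURL_PATTERN` does not match, and that pattern (visible in the next hunk) only accepts purls ending in `?type=jar`. A Maven component whose purl has another type, further qualifiers or no qualifier, or whose bom-ref is not a purl at all, therefore silently drops out of the version-conflict handling in the two hunks above, which is narrower than the "`pkg:maven/` Package-URLs" wording added to docs/component.html. The result would be an SBOM that lists a version the explicit component was meant to replace. Please document the contract on the method, e.g. `/** Returns "group:name" parsed from a pkg:maven purl with type=jar, or null if the bom-ref is missing or has any other form. */`, and consider whether the pattern should be relaxed or the old `c.getGroup() + ":" + c.getName()` kept as a fallback for Maven components. The `Component.Dependency` overload begins on the last line of this hunk and its body is not shown.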
@@ -422,6 +432,9 @@ public class ComponentBomTask extends Task {
private static Pattern MAVEN_PURL_PATTERN =
Pattern.compile("pkg:maven/([^/]+)/([^/]+)@.+\\?type=jar");
private static Map.Entry<String, String> extractMavenCoordinates(String
bomRef) {
+ if (bomRef == null) {
+ return null;
+ }
Matcher m = MAVEN_PURL_PATTERN.matcher(bomRef);
if (m.matches()) {
return new AbstractMap.SimpleImmutableEntry(m.group(1),
m.group(2));