Send composer package names with "/" separator to Trivy #6055
Abdelmonem-BEN-NACEUR wants to merge 1 commit into DependencyTrack:master from
Like npm scoped packages before DependencyTrack#5679, composer components have a vendor/package naming convention where the vendor corresponds to the PURL namespace. The existing TrivyAnalysisTask constructs the Trivy package name as `namespace + ":" + name` for anything that is not npm or go, producing coordinates like "symfony:http-foundation" that Trivy's composer vulnerability database cannot match. Packagist indexes the package as "symfony/http-foundation" (slash), so every composer component silently yields zero vulnerabilities through the Trivy analyzer.

Add COMPOSER to the set of PURL types that use "/" as the namespace separator, mirroring the fix applied to npm in DependencyTrack#5679. An integration test under TrivyAnalysisTaskTest asserts that the PutBlob request carries the composer coordinate with the expected slash separator.

Signed-off-by: Abdelmonem BEN NACEUR <abdelmonemnaceur@gmail.com>
✅ Snyk checks have passed. No issues have been found so far.
Codacy: Up to standards ✅

| Metric | Results |
|---|---|
| Issues | 🟢 |
| Duplication | 5 |
| Coverage | 🟢 100.00% diff coverage |

Coverage variation: report missing for 00ea12d1. Diff coverage: ✅ 100.00% diff coverage (70.00%).

Coverage variation details:

| Commit | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (00ea12d) | Report Missing | Report Missing | Report Missing |
| Head commit (1e11dd2) | 24803 | 20107 | 81.07% |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: `<coverage of head commit> - <coverage of common ancestor commit>`

Diff coverage details:

| Scope | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| Pull request (#6055) | 3 | 3 | 100.00% |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `<covered lines added or modified> / <coverable lines added or modified> * 100%`

Note: Codacy didn't receive coverage data for the common ancestor commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.
Fixes #6054.

Trivy analyzer was sending composer package coordinates as `vendor:package` (colon) while Packagist and the Trivy composer vulnerability database index them as `vendor/package` (slash). Result: every composer component silently yielded zero vulnerabilities.

This PR extends the slash-separator handling in `TrivyAnalysisTask` to the `composer` PURL type, mirroring the fix applied to npm in #5679.

Changes

- `TrivyAnalysisTask.java`: add `PackageURL.StandardTypes.COMPOSER` to the set of PURL types that use `/` as the namespace/name separator when constructing the name sent to the Trivy server.
- `TrivyAnalysisTaskTest.java`: add `testAnalyzeComposerComponentUsesSlashSeparator`, which captures the `PutBlob` request body and asserts that the composer coordinate is transmitted as `symfony/http-foundation`, not `symfony:http-foundation`.

Before / After

Given a single composer component `pkg:composer/symfony/http-foundation@6.4.15` ingested from a CycloneDX BOM:

| Before | After |
|---|---|
| `symfony:http-foundation` | `symfony/http-foundation` |

Verified end-to-end against a production Trivy server (v0.69.3) and Dependency-Track 4.14.1 + this patch applied.

Test plan

- `mvn test -Dtest=TrivyAnalysisTaskTest` passes, including the new test.
- `analyzerIdentity` is now set to `TRIVY_ANALYZER` and the expected CVE is attached to the component.
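The separator logic the PR describes, written out as a stand-alone Python illustration (added here; it is not DependencyTrack's `TrivyAnalysisTask` code, which is Java). It uses a deliberately minimal PURL parser rather than a PURL library, two assumed separator sets (`SLASH_TYPES_BEFORE` with only npm and golang, `SLASH_TYPES_AFTER` adding composer, modelled on the PR text), and a constructed sample inventory: the PR's `symfony/http-foundation` component plus a few other ecosystems that are not on the page, added to show that only the composer name changes while Maven keeps its `group:artifact` colon form. The silent-failure mode the PR fixes is visible in the output: a colon-joined composer name is a valid-looking string that simply never matches the vulnerability database.

```python
"""How a PURL's type decides the namespace/name separator in the package name
sent to Trivy. Added example, not DependencyTrack code."""
from urllib.parse import unquote

# Assumed separator sets modelled on the PR description: before the fix only
# npm and golang namespaces were joined with "/", everything else with ":".
SLASH_TYPES_BEFORE = frozenset({"npm", "golang"})
SLASH_TYPES_AFTER = SLASH_TYPES_BEFORE | {"composer"}


def parse_purl(purl: str) -> dict:
    """Minimal parser for pkg:type/namespace/name@version?qualifiers#subpath.

    Simplified stand-in for a real PURL library: qualifiers and subpath are
    discarded, percent-encoding in namespace/name/version is decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0]   # drop subpath
    rest = rest.split("?", 1)[0]   # drop qualifiers
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"package URL needs a type and a name: {purl!r}")
    return {
        "type": segments[0].lower(),
        # golang namespaces legitimately contain "/", so re-join the middle.
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
    }


def trivy_package_name(purl: str, slash_types=SLASH_TYPES_AFTER) -> str:
    """Build the package name a Trivy scan request would carry for this PURL."""
    p = parse_purl(purl)
    if p["namespace"] is None:
        return p["name"]
    separator = "/" if p["type"] in slash_types else ":"
    return f"{p['namespace']}{separator}{p['name']}"


def separator_regressions(purls):
    """Return {purl: (before, after)} for every PURL whose Trivy name the fix changes."""
    changed = {}
    for purl in purls:
        before = trivy_package_name(purl, SLASH_TYPES_BEFORE)
        after = trivy_package_name(purl, SLASH_TYPES_AFTER)
        if before != after:
            changed[purl] = (before, after)
    return changed


# Constructed sample inventory: the PR's composer case plus other ecosystems
# (not from the page) to show the fix touches composer only.
SAMPLE_PURLS = [
    "pkg:composer/symfony/http-foundation@6.4.15",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:golang/github.com/gorilla/websocket@1.4.0",
    "pkg:pypi/requests@2.31.0",
]

if __name__ == "__main__":
    for purl in SAMPLE_PURLS:
        print(f"{purl:55} -> {trivy_package_name(purl)}")
    print("changed by the fix:", separator_regressions(SAMPLE_PURLS))
```

`separator_regressions` is the shape of check worth keeping around when touching this mapping: run it over a real component inventory before and after a separator change and review every name that moved, since any ecosystem whose name silently changes form stops matching Trivy's database without any error surfacing in Dependency-Track.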