Description
While trying jbom we have noticed that it might report faulty version information. That field might contain something that looks more like part of a file path and not a version.
Here are the steps to reproduce the issue using the latest version of the code (107a35c):
```shell
git clone https://github.com/eclipse/jbom.git
cd jbom && mvn clean verify
curl https://repo1.maven.org/maven2/org/sonarsource/scanner/api/sonar-scanner-api/2.10.0.1189/sonar-scanner-api-2.10.0.1189.jar -o sonar-scanner-api-2.10.0.1189.jar
java -jar jbom/target/jbom-1.2.2-SNAPSHOT.jar -f sonar-scanner-api-2.10.0.1189.jar
```
The resulting SBOM file contains the following information:
```json
"components" : [
  {
    "name" : "sonar-scanner-api",
    "version" : "api/pom",
    "scope" : "required",
    ...
    "properties" : [
      {
        "name" : "path",
        "value" : "META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api"
      },
      {
        "name" : "archive",
        "value" : "pom.xml"
      },
      {
        "name" : "codesource",
        "value" : "<REMOVED>/sonar-scanner-api-2.10.0.1189.jar!/META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api/pom.xml"
      }
    ],
    "type" : "library",
    "bom-ref" : "null:sonar-scanner-api:api/pom"
  },
```
Note that the `"version" : "api/pom"` part was probably parsed from `"value" : "<REMOVED>/sonar-scanner-api-2.10.0.1189.jar!/META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api/pom.xml"` (between the last '-' and '.xml'). Similar results were seen with other jar files.
We would expect to see something like the following instead:
```json
...
"name" : "sonar-scanner-api",
"version" : "2.10.0.1189",
...
```
There are no warnings in the log. We see similar results even when using v1.2.1.
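The following is an added example, not jbom's code and not part of the report above. It contrasts the path-based guess the reporter suspects (text between the last '-' and '.xml' of the codesource path, which yields "api/pom" for this jar) with reading the Maven descriptor `META-INF/maven/<groupId>/<artifactId>/pom.properties` that Maven-built jars ship, and with a filename fallback of the form `<artifactId>-<version>.jar`. The in-memory jar and its `pom.properties` content are constructed for the example; the `/<REMOVED>/` prefix stands in for the redacted path in the report. A wrong version in an SBOM matters for defenders because vulnerability matching against advisories is keyed on exact coordinates, so a component recorded as `api/pom` silently drops out of scans.

```python
import io
import re
import zipfile

# Constructed sample: the "codesource" value quoted in the report, with the
# redacted prefix kept as a placeholder directory.
CODESOURCE = (
    "/<REMOVED>/sonar-scanner-api-2.10.0.1189.jar!/META-INF/maven/"
    "org.sonarsource.scanner.api/sonar-scanner-api/pom.xml"
)


def version_from_path_guess(codesource: str) -> str:
    """The heuristic the report suspects: text between the last '-' and '.xml'.

    On a Maven descriptor path this captures the tail of the artifactId plus
    the file stem (here 'api/pom') rather than a version."""
    tail = codesource.rsplit("-", 1)[1]
    return tail[: -len(".xml")] if tail.endswith(".xml") else tail


def build_sample_jar() -> bytes:
    """Constructed in-memory jar mimicking Maven's META-INF/maven layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        base = "META-INF/maven/org.sonarsource.scanner.api/sonar-scanner-api/"
        zf.writestr(base + "pom.properties",
                    "#Generated by Maven\n"
                    "groupId=org.sonarsource.scanner.api\n"
                    "artifactId=sonar-scanner-api\n"
                    "version=2.10.0.1189\n")
        zf.writestr(base + "pom.xml", "<project/>")
    return buf.getvalue()


def maven_coordinates(jar_bytes: bytes) -> list:
    """Read every META-INF/maven/*/*/pom.properties in the jar and return the
    groupId/artifactId/version triples found there (a shaded jar may hold many)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/")
                    and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                line = line.strip()
                # Java .properties: '#' and '!' start comments; key=value pairs
                if not line or line.startswith(("#", "!")) or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                found.append(props)
    return found


# Fallback when no pom.properties exists: Maven names jars <artifactId>-<version>.jar.
# The version must start with a digit so hyphens inside the artifactId are not consumed.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_from_jar_name(jar_path: str) -> str:
    """Return the version embedded in the jar filename, or '' if none matches."""
    match = JAR_NAME_RE.match(jar_path.rsplit("/", 1)[-1])
    return match.group("version") if match else ""


def bom_ref(props: dict) -> str:
    """Build a package-URL style reference from full Maven coordinates, so the
    group is never 'null' and the version is the real one."""
    return "pkg:maven/{groupId}/{artifactId}@{version}".format(**props)


if __name__ == "__main__":
    print("path guess :", version_from_path_guess(CODESOURCE))
    for coords in maven_coordinates(build_sample_jar()):
        print("descriptor :", bom_ref(coords))
    print("filename   :", version_from_jar_name(CODESOURCE.split("!", 1)[0]))
```

Preferring `pom.properties` over any path-derived string also handles the case the report hits: the descriptor's directory name is the artifactId, and the version lives only inside the properties file or the outer jar name, never between the last '-' and '.xml' of the entry path.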