Today, when you enable searching for artifact and group ID from Maven Central with a SHA-1, this is done for all Java artifacts, not just ones missing artifact and group ID.
Should we move this functionality to Syft, as part of the family of --enrichments? Looking up package info via archive hash seems like something that would benefit both tools.
I think we should do this in both places, since there are multiple avenues. That is, agreed, this should be in syft as an opt-in enrichment option. But in case you're using a non-syft SBOM or otherwise a different input source with grype, then we should still allow for looking up this information.
This seems like one of the things that could be done strictly during an "enhancement" phase in Syft, which Grype also runs. In other words:
First, Syft scans, finds JAR files, attempts to identify using bytes available, surfaces packages with all info including SHA-1 hashes for JARs
-- OR --
Syft imports an SBOM into the internal Syft data model
Then, Syft passes found packages to enhancement
This would have to happen before compliance rules are applied.
I think this would allow Grype to essentially operate the same as it does today and allow Syft to get the benefit of updating certain incomplete Java records.
Referenced code: grype/grype/matcher/java/matcher.go, lines 79 to 83 at 9b7d752
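The behaviour the issue asks for, as an added example and not code from grype or syft: a digest-based Maven Central lookup that is gated so it runs only for Java packages that are actually missing a group ID or artifact ID, and that leaves complete records untouched. The `JavaPackage` type, the `MavenLookup` interface, the `fakeMaven` index and all digests and coordinates below are constructed for the example; the real tools' data model and lookup client are not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
)

// JavaPackage carries only the fields relevant to the discussion: a Java
// archive may have a SHA-1 digest but lack Maven coordinates.
// (Constructed type for this example, not grype's or syft's model.)
type JavaPackage struct {
	Name       string
	Version    string
	SHA1       string
	GroupID    string
	ArtifactID string
}

// MavenLookup abstracts "search Maven Central by SHA-1" so the gating logic
// can be tested offline. (Assumed interface, not a real client API.)
type MavenLookup interface {
	ByDigest(sha1 string) (groupID, artifactID string, err error)
}

// ErrNotFound signals that the index has no artifact with the given digest.
var ErrNotFound = errors.New("no artifact with that digest")

// NeedsLookup is the gate the issue asks for: a remote lookup is worthwhile
// only when a digest is available and at least one coordinate is missing.
func NeedsLookup(p JavaPackage) bool {
	return p.SHA1 != "" && (p.GroupID == "" || p.ArtifactID == "")
}

// Enrich fills in missing coordinates for the packages that need it and
// returns how many remote lookups were made, so the gate can be verified.
// A digest with no match is not a failure for the whole run; the record is
// left as it was.
func Enrich(pkgs []JavaPackage, lookup MavenLookup) ([]JavaPackage, int, error) {
	out := make([]JavaPackage, len(pkgs))
	copy(out, pkgs)
	lookups := 0
	for i := range out {
		if !NeedsLookup(out[i]) {
			continue // already complete: never touch it
		}
		lookups++
		g, a, err := lookup.ByDigest(out[i].SHA1)
		if errors.Is(err, ErrNotFound) {
			continue
		}
		if err != nil {
			return nil, lookups, err
		}
		// Only fill the blanks; never overwrite a coordinate that was present.
		if out[i].GroupID == "" {
			out[i].GroupID = g
		}
		if out[i].ArtifactID == "" {
			out[i].ArtifactID = a
		}
	}
	return out, lookups, nil
}

// fakeMaven is a constructed offline stand-in for a digest index.
type fakeMaven map[string][2]string

func (f fakeMaven) ByDigest(sha1 string) (string, string, error) {
	c, ok := f[sha1]
	if !ok {
		return "", "", ErrNotFound
	}
	return c[0], c[1], nil
}

// SampleRun runs Enrich over constructed input: one incomplete package that
// the index knows, one complete package, and one unknown digest.
func SampleRun() ([]JavaPackage, int, error) {
	index := fakeMaven{
		"0000000000000000000000000000000000000001": {"org.example", "example-core"},
	}
	pkgs := []JavaPackage{
		{Name: "example-core", Version: "1.2.3", SHA1: "0000000000000000000000000000000000000001"},
		{Name: "already-complete", Version: "2.0", SHA1: "0000000000000000000000000000000000000002",
			GroupID: "com.example", ArtifactID: "already-complete"},
		{Name: "unknown", Version: "0.1", SHA1: "0000000000000000000000000000000000000003"},
	}
	return Enrich(pkgs, index)
}

func main() {
	pkgs, n, err := SampleRun()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("lookups performed: %d\n", n)
	for _, p := range pkgs {
		fmt.Printf("%s %s group=%q artifact=%q\n", p.Name, p.Version, p.GroupID, p.ArtifactID)
	}
}
```

With the constructed input, only two of the three packages trigger a lookup: the complete one is skipped by the gate, the known digest gets both coordinates filled, and the unknown digest is left empty rather than aborting the run. The same `Enrich` step could sit in an enhancement phase after scanning or after SBOM import, since it depends only on the package list and a lookup implementation.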