
Fix version remediation in CDX mapping#698

Open
eranturgeman wants to merge 3 commits into jfrog:dev from eranturgeman:fix-normalization-in-cdx-mapping

Conversation

@eranturgeman
Contributor

@eranturgeman eranturgeman commented Mar 17, 2026

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered in the JFrog Documentation, new documentation has been added.

There are 2 normalization corrections here:

  1. Normalizing the returned version so we ensure it has no 'v' prefix. This will be removed in a future update, after the API normalizes its responses.
  2. The switch from strings.ReplaceAll(compName, "/", ":") to normalizeCdxComponentName(compName, compType):
    This replacement corrects an incorrect behaviour that was applied to all package managers but is relevant ONLY to Maven. In Go, for example, we can have '/' in package names, therefore switching to ':' produces incorrect names that fail the fixes in Frogbot (they cannot be found in descriptors).
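The two normalizations described in the PR, written out as an added example (this is illustrative code for this page, not the project's own implementation; the function names, the `pendingFix` type, the package-type constants and the sample component names are all assumptions). The Maven "group/artifact" form is taken to be the purl path segment, which the descriptor lookup expects as "group:artifact"; Go modules and scoped npm packages legitimately contain "/" and are left untouched. `legacyNormalizeComponentName` reproduces the old unconditional replacement so the breakage on Go names is visible side by side:

```go
package main

import (
	"fmt"
	"strings"
)

// Package types as they would appear in a CycloneDX purl (assumed constants for this example).
const (
	MavenType = "maven"
	GoType    = "golang"
	NpmType   = "npm"
)

// normalizeVersion strips a leading "v" (e.g. "v1.10.0" -> "1.10.0") so the fix version
// returned by remediation matches the BOM, which carries the version without the prefix.
func normalizeVersion(version string) string {
	return strings.TrimPrefix(version, "v")
}

// normalizeComponentName applies the "/" -> ":" rewrite only for Maven, where the purl
// path "group/artifact" must become the descriptor form "group:artifact". Every other
// ecosystem keeps its name as-is, because "/" is part of the identifier there.
func normalizeComponentName(name, pkgType string) string {
	if pkgType == MavenType {
		return strings.ReplaceAll(name, "/", ":")
	}
	return name
}

// legacyNormalizeComponentName is the behaviour being replaced: the Maven rewrite
// applied to every package type, which mangles Go and scoped npm names.
func legacyNormalizeComponentName(name string) string {
	return strings.ReplaceAll(name, "/", ":")
}

// pendingFix is a constructed stand-in for what the remediation lookup returns
// before it is mapped back onto the CDX component.
type pendingFix struct {
	Name       string
	Type       string
	FixVersion string
}

// normalizeFix returns the descriptor-ready component name and fix version.
func normalizeFix(f pendingFix) (name, version string) {
	return normalizeComponentName(f.Name, f.Type), normalizeVersion(f.FixVersion)
}

func main() {
	// Constructed sample components, one per ecosystem.
	fixes := []pendingFix{
		{Name: "org.apache.commons/commons-text", Type: MavenType, FixVersion: "1.10.0"},
		{Name: "github.com/gin-gonic/gin", Type: GoType, FixVersion: "v1.10.0"},
		{Name: "@babel/core", Type: NpmType, FixVersion: "7.24.0"},
	}
	for _, f := range fixes {
		name, version := normalizeFix(f)
		fmt.Printf("%-7s legacy=%-35s new=%-35s version=%s\n",
			f.Type, legacyNormalizeComponentName(f.Name), name, version)
	}
}
```

Running it shows the Maven name gaining its ":" under both paths, while the Go module and the scoped npm package keep their "/" only under the new path; the legacy path would have produced "github.com:gin-gonic:gin", which no go.mod descriptor contains.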

@eranturgeman eranturgeman requested a review from attiasas March 17, 2026 16:23
@eranturgeman eranturgeman added the labels "ignore for release" (Automatically generated release notes) and "safe to test" (Approve running integration tests on a pull request) Mar 17, 2026
@github-actions github-actions bot removed the "safe to test" (Approve running integration tests on a pull request) label Mar 17, 2026
Collaborator

@attiasas attiasas left a comment


LGTM, preferable that either the BOM gen will use v prefix in version or remediation won't return v prefix...

@github-actions

👍 Frogbot scanned this pull request and did not find any new security issues.

@eranturgeman eranturgeman added the "safe to test" (Approve running integration tests on a pull request) label Mar 18, 2026
@github-actions github-actions bot removed the "safe to test" (Approve running integration tests on a pull request) label Mar 18, 2026
@eranturgeman eranturgeman added the "safe to test" (Approve running integration tests on a pull request) label Mar 18, 2026
@github-actions github-actions bot removed the "safe to test" (Approve running integration tests on a pull request) label Mar 18, 2026