Gemnasium PURL type is incorrectly "gradle" when it should be "maven" in CycloneDX SBOMs

Summary

According to the PURL specification at https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

gradle for Gradle plugins

maven for Maven JARs and related artifacts

Gemnasium is producing PURLs that use the "gradle" type for Maven JARs and related artifacts when it should be using the "maven" type. This non-compliance with the specification causes SBOM consumers, such as Trivy, to be unable to parse Gemnasium produced SBOMs: https://github.com/aquasecurity/trivy/issues/2886

Steps to reproduce

  1. git clone git@gitlab.com:candrews/gitlab-issue-example.git
  2. cd gitlab-issue-example
  3. docker run -w /app -e DS_REMEDIATE="false" -e DS_INCLUDE_DEV_DEPENDENCIES="false" -e SECURE_LOG_LEVEL=debug -e CI_PROJECT_DIR=/app -v "$(pwd)":/app:Z -it registry.gitlab.com/security-products/gemnasium-maven /analyzer sbom
  4. Examine the resulting gl-sbom-maven-gradle.cdx.json file.

Example Project

https://gitlab.com/candrews/gitlab-issue-example

What is the current bug behavior?

Components in the SBOM use the "gradle" type in the PURL value when they should use the "maven" type, for example:

    {
      "name": "ch.qos.logback/logback-classic",
      "version": "1.2.11",
      "purl": "pkg:gradle/ch.qos.logback/logback-classic@1.2.11",
      "type": "library",
      "bom-ref": "pkg:gradle/ch.qos.logback/logback-classic@1.2.11"
    },

The component is an example of a "Maven JARs and related artifacts" so it should use the "maven" type per the specification. It is not a gradle plugin so the "gradle" type is definitely inappropriate.

What is the expected correct behavior?

The PURL value should use the "maven" type, for example, the aforementioned component should read:

    {
      "name": "ch.qos.logback/logback-classic",
      "version": "1.2.11",
      "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11",
      "type": "library",
      "bom-ref": "pkg:maven/ch.qos.logback/logback-classic@1.2.11"
    },

The bom-ref should probably also be changed to match the purl.
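An added example (not code from this issue or from Gemnasium) showing the check a consumer can run on such an SBOM and the post-processing workaround described above: it lists every component whose PURL uses the "gradle" type and rewrites purl and bom-ref to the "maven" type. It assumes that every "gradle"-typed component emitted by gemnasium-maven is a Maven artifact rather than a Gradle plugin. Because CycloneDX "dependencies" entries point at components by bom-ref, changing a bom-ref also requires remapping every "ref" and "dependsOn" value, which the rewrite does; the sample SBOM is constructed for this example.

```python
import copy
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not output from the issue's project): a minimal CycloneDX
# document with two components carrying the wrong "gradle" PURL type and one
# dependency-graph entry that refers to them by bom-ref.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "name": "ch.qos.logback/logback-classic",
      "version": "1.2.11",
      "purl": "pkg:gradle/ch.qos.logback/logback-classic@1.2.11",
      "type": "library",
      "bom-ref": "pkg:gradle/ch.qos.logback/logback-classic@1.2.11"
    },
    {
      "name": "ch.qos.logback/logback-core",
      "version": "1.2.11",
      "purl": "pkg:gradle/ch.qos.logback/logback-core@1.2.11",
      "type": "library",
      "bom-ref": "pkg:gradle/ch.qos.logback/logback-core@1.2.11"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:gradle/ch.qos.logback/logback-classic@1.2.11",
      "dependsOn": ["pkg:gradle/ch.qos.logback/logback-core@1.2.11"]
    }
  ]
}"""

# PURL grammar: "pkg:" + type + "/" + remainder. Only the type matters here.
PURL_RE = re.compile(r"^pkg:(?P<type>[A-Za-z][A-Za-z0-9.+-]*)/(?P<rest>.+)$")


def load_sample() -> Dict:
    """Parse the constructed sample SBOM into a dict."""
    return json.loads(SAMPLE_SBOM)


def purl_type(purl: str) -> Optional[str]:
    """Return the PURL type ("gradle", "maven", ...) or None if not a PURL."""
    m = PURL_RE.match(purl)
    return m.group("type") if m else None


def find_gradle_purls(sbom: Dict) -> List[str]:
    """List the purls of components that use the non-compliant "gradle" type."""
    return [
        c["purl"]
        for c in sbom.get("components", [])
        if purl_type(c.get("purl", "")) == "gradle"
    ]


def fix_gradle_purls(sbom: Dict) -> Tuple[Dict, int]:
    """Return a copy of the SBOM with "gradle" retyped to "maven" plus a count.

    Assumption: each "gradle"-typed component is a Maven artifact, not a Gradle
    plugin. When the bom-ref equals the old purl it is rewritten too, and the
    "dependencies" section is remapped so no entry points at a stale bom-ref.
    """
    fixed = copy.deepcopy(sbom)
    ref_map: Dict[str, str] = {}
    count = 0
    for comp in fixed.get("components", []):
        purl = comp.get("purl", "")
        m = PURL_RE.match(purl)
        if not m or m.group("type") != "gradle":
            continue
        new_purl = "pkg:maven/" + m.group("rest")
        comp["purl"] = new_purl
        if comp.get("bom-ref") == purl:
            ref_map[purl] = new_purl
            comp["bom-ref"] = new_purl
        count += 1
    for dep in fixed.get("dependencies", []):
        if "ref" in dep:
            dep["ref"] = ref_map.get(dep["ref"], dep["ref"])
        dep["dependsOn"] = [ref_map.get(r, r) for r in dep.get("dependsOn", [])]
    return fixed, count


if __name__ == "__main__":
    doc = load_sample()
    print("non-compliant purls:", find_gradle_purls(doc))
    corrected, n = fix_gradle_purls(doc)
    print(f"rewrote {n} component(s)")
    print(json.dumps(corrected, indent=2))
```

Running the script against a real gl-sbom-maven-gradle.cdx.json instead of the sample is a matter of replacing load_sample() with json.load on the file; the remapping of the dependencies section is what keeps the corrected document internally consistent, which a plain search-and-replace on the purl field alone would not.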

Relevant logs and/or screenshots

$ docker run -w /app -e DS_REMEDIATE="false" -e DS_INCLUDE_DEV_DEPENDENCIES="false" -e SECURE_LOG_LEVEL=debug -e CI_PROJECT_DIR=/app -v "$(pwd)":/app:Z -it registry.gitlab.com/security-products/gemnasium-maven /analyzer sbom
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Using java version 'adoptopenjdk-17.0.2+8'
[INFO] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/cmd/gemnasium-maven/main.go:55] ▶ GitLab gemnasium-maven analyzer v3.9.0
[DEBU] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: .
[DEBU] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/finder/finder.go:96] ▶ skip ignored directory: .git
[DEBU] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/finder/detect.go:84] ▶ electing gradle for maven because this is the first match
[INFO] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/finder/finder.go:116] ▶ Detected supported dependency files in '.'. Dependency files detected in this directory will be processed. Dependency files in other directories will be skipped.
[DEBU] [gemnasium-maven] [2022-09-16T01:50:58Z] [/go/src/app/cmd/gemnasium-maven/main.go:234] ▶ Exporting dependencies for /app/build.gradle
[DEBU] [gemnasium-maven] [2022-09-16T01:51:41Z] [/go/src/app/builder/gradle/gradle.go:85] ▶ /app/gradlew --init-script /gemnasium-gradle-plugin-init.gradle gemnasiumDumpDependencies
Downloading https://services.gradle.org/distributions/gradle-7.5-bin.zip
...........10%............20%...........30%............40%...........50%............60%...........70%............80%...........90%............100%

Welcome to Gradle 7.5!

Here are the highlights of this release:
 - Support for Java 18
 - Support for building with Groovy 4
 - Much more responsive continuous builds
 - Improved diagnostics for dependency resolution

For more details see https://docs.gradle.org/7.5/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)

> Task :gemnasiumDumpDependencies
Writing dependency JSON to /app/gradle-dependencies.json

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 41s
1 actionable task: 1 executed

[DEBU] [gemnasium-maven] [2022-09-16T01:51:41Z] [/go/src/app/advisory/repo.go:125] ▶ /usr/bin/git -C /gemnasium-db remote set-url origin https://gitlab.com/gitlab-org/security-products/gemnasium-db.git

[DEBU] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:125] ▶ /usr/bin/git -C /gemnasium-db fetch --force --tags origin master
From https://gitlab.com/gitlab-org/security-products/gemnasium-db
 * branch                master         -> FETCH_HEAD
 * [new tag]             v2.0.4765      -> v2.0.4765
 * [new tag]             v2.0.4766      -> v2.0.4766
 * [new tag]             v2.0.4767      -> v2.0.4767
 * [new tag]             v2.0.4768      -> v2.0.4768
 * [new tag]             v2.0.4769      -> v2.0.4769
 * [new tag]             v2.0.4770      -> v2.0.4770
 * [new tag]             v2.0.4771      -> v2.0.4771
 * [new tag]             v2.0.4772      -> v2.0.4772
 * [new tag]             v2.0.4773      -> v2.0.4773
 * [new tag]             v2.0.4774      -> v2.0.4774
 * [new tag]             v2.0.4775      -> v2.0.4775
 * [new tag]             v2.0.4776      -> v2.0.4776
 * [new tag]             v2.0.4777      -> v2.0.4777
 * [new tag]             v2.0.4778      -> v2.0.4778
 * [new tag]             v2.0.4779      -> v2.0.4779
 * [new tag]             v2.0.4780      -> v2.0.4780
 * [new tag]             v2.0.4781      -> v2.0.4781
 * [new tag]             v2.0.4782      -> v2.0.4782
 * [new tag]             v2.0.4783      -> v2.0.4783
 t [tag update]          version_latest -> version_latest
   db6a3d5e0..589eb89c8  master         -> origin/master

[DEBU] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:125] ▶ /usr/bin/git -C /gemnasium-db checkout master
Already on 'master'
Your branch is behind 'origin/master' by 43 commits, and can be fast-forwarded.
  (use "git pull" to update your local branch)

[DEBU] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:138] ▶ /usr/bin/git -C /gemnasium-db symbolic-ref -q HEAD
[DEBU] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:146] ▶ /usr/bin/git -C /gemnasium-db reset --hard origin/master
HEAD is now at 589eb89c8 Merge branch 'adbcurate/maven_io_helidon_helidon_dependencies_CVE_2021_29425_yml' into 'master'

[DEBU] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:154] ▶ /usr/bin/git -C /gemnasium-db rev-parse HEAD
589eb89c8bbb5b7c8faed482fce6f8363a4e49ea

[INFO] [gemnasium-maven] [2022-09-16T01:51:42Z] [/go/src/app/advisory/repo.go:158] ▶ Using commit 589eb89c8bbb5b7c8faed482fce6f8363a4e49ea of vulnerability database

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

n/a

Results of GitLab application Check

n/a

Possible fixes

The expectations in gemnasium such as that found at https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/v3.9.0/qa/expect/java-gradle/default/gl-sbom-maven-gradle.cdx.json#L36 should be changed accordingly.
