fix(sbom): use PURL or Group and Name in case of Java (#5154)

Author: j1nka

pkg/sbom/cyclonedx/unmarshal.go

@@ -345,7 +345,7 @@ func toPackage(component cdx.Component) (bool, ftypes.TargetType, *ftypes.Packag
 	pkg := p.Package()
 	// Trivy's marshall loses case-sensitivity in PURL used in SBOM for packages (Go, Npm, PyPI),
 	// so we have to use an original package name
-	pkg.Name = getPackageName(p.Type, component)
+	pkg.Name = getPackageName(p.Type, pkg.Name, component)
 	pkg.Ref = component.BOMRef
 
 	for _, license := range lo.FromPtr(component.Licenses) {
@@ -407,10 +407,15 @@ func toTrivyCdxComponent(component cdx.Component) ftypes.Component {
 	}
 }
 
-func getPackageName(typ string, component cdx.Component) string {
-	// Jar uses `Group` field for `GroupID`
-	if typ == packageurl.TypeMaven && component.Group != "" {
-		return fmt.Sprintf("%s:%s", component.Group, component.Name)
+func getPackageName(typ, pkgNameFromPurl string, component cdx.Component) string {
+	if typ == packageurl.TypeMaven {
+		// Jar uses `Group` field for `GroupID`
+		if component.Group != "" {
+			return fmt.Sprintf("%s:%s", component.Group, component.Name)
+		} else {
+			// use name derived from purl if `Group` doesn't exist
+			return pkgNameFromPurl
+		}
 	}
 	return component.Name
 }