From 4278a09f59590ee16494e0a1ad31fb374f2e243f Mon Sep 17 00:00:00 2001
From: Aqua Security automated builds
<54269356+aqua-bot@users.noreply.github.com>
Date: Tue, 17 Dec 2024 22:53:44 -0700
Subject: [PATCH] fix(java): correctly overwrite version from depManagement if
dependency uses `project.*` props [backport: release/v0.58] (#8119)
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
---
pkg/dependency/parser/java/pom/parse_test.go | 46 +++++++++++++++++++
pkg/dependency/parser/java/pom/pom.go | 4 +-
.../1.7.30/example-dependency-1.7.30.pom | 18 ++++++++
.../pom.xml | 28 +++++++++++
4 files changed, 94 insertions(+), 2 deletions(-)
create mode 100644 pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom
create mode 100644 pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml
diff --git a/pkg/dependency/parser/java/pom/parse_test.go b/pkg/dependency/parser/java/pom/parse_test.go
index eb1a7b6b9bb7..85e3e92f78fb 100644
--- a/pkg/dependency/parser/java/pom/parse_test.go
+++ b/pkg/dependency/parser/java/pom/parse_test.go
@@ -1470,6 +1470,52 @@ func TestPom_Parse(t *testing.T) {
},
},
},
+ {
+ name: "overwrite artifact version from dependencyManagement in the root POM when dependency uses `project.*` props",
+ inputFile: filepath.Join("testdata", "root-pom-dep-management-for-deps-with-project-props", "pom.xml"),
+ local: true,
+ want: []ftypes.Package{
+ {
+ ID: "com.example:root-pom-dep-management-for-deps-with-project-props:1.0.0",
+ Name: "com.example:root-pom-dep-management-for-deps-with-project-props",
+ Version: "1.0.0",
+ Relationship: ftypes.RelationshipRoot,
+ },
+ {
+ ID: "org.example:example-dependency:1.7.30",
+ Name: "org.example:example-dependency",
+ Version: "1.7.30",
+ Relationship: ftypes.RelationshipDirect,
+ Locations: ftypes.Locations{
+ {
+ StartLine: 21,
+ EndLine: 25,
+ },
+ },
+ },
+ {
+ ID: "org.example:example-api:2.0.0",
+ Name: "org.example:example-api",
+ Version: "2.0.0",
+ Licenses: []string{"The Apache Software License, Version 2.0"},
+ Relationship: ftypes.RelationshipIndirect,
+ },
+ },
+ wantDeps: []ftypes.Dependency{
+ {
+ ID: "com.example:root-pom-dep-management-for-deps-with-project-props:1.0.0",
+ DependsOn: []string{
+ "org.example:example-dependency:1.7.30",
+ },
+ },
+ {
+ ID: "org.example:example-dependency:1.7.30",
+ DependsOn: []string{
+ "org.example:example-api:2.0.0",
+ },
+ },
+ },
+ },
{
name: "transitive dependencyManagement should not be inherited",
inputFile: filepath.Join("testdata", "transitive-dependency-management", "pom.xml"),
diff --git a/pkg/dependency/parser/java/pom/pom.go b/pkg/dependency/parser/java/pom/pom.go
index 83c5d4fec609..853dd2beb281 100644
--- a/pkg/dependency/parser/java/pom/pom.go
+++ b/pkg/dependency/parser/java/pom/pom.go
@@ -245,7 +245,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa
// If this dependency is managed in the root POM,
// we need to overwrite fields according to the managed dependency.
- if managed, found := findDep(d.Name(), rootDepManagement); found { // dependencyManagement from the root POM
+ if managed, found := findDep(dep.Name(), rootDepManagement); found { // dependencyManagement from the root POM
if managed.Version != "" {
dep.Version = evaluateVariable(managed.Version, props, nil)
}
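Review bot: The lookup key changes from `d.Name()` to `dep.Name()` without a comment saying why, and the same change appears in the second hunk (`findDep(dep.Name(), depManagement)`); since `dep` is built outside this hunk, a reader cannot see from here what differs between the two names. The commit subject suggests `d` still carries unevaluated `${project.*}` placeholders in its coordinates while `dep` holds the evaluated values, so matching against dependencyManagement only works on the evaluated name — that reasoning belongs next to the code. I would extend the trailing comment on the changed line to `// dependencyManagement from the root POM; match on the evaluated coordinates, since d may still hold unevaluated ${project.*} props` and mirror it on the parent-POM lookup. If the inference is right, the previous behaviour silently skipped the managed override for such dependencies, so the reported version (and any vulnerability match based on it) could be wrong; a regression comment here helps keep that from reappearing. Resolve begins and ends outside the hunk.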
@@ -264,7 +264,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa
}
// Inherit version, scope and optional from dependencyManagement if empty
- if managed, found := findDep(d.Name(), depManagement); found { // dependencyManagement from parent
+ if managed, found := findDep(dep.Name(), depManagement); found { // dependencyManagement from parent
if dep.Version == "" {
dep.Version = evaluateVariable(managed.Version, props, nil)
}
diff --git a/pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom b/pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom
new file mode 100644
index 000000000000..c897c4a7d8c0
--- /dev/null
+++ b/pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom
@@ -0,0 +1,18 @@
+
+
+ 4.0.0
+
+ org.example
+ example-dependency
+ 1.7.30
+
+
+
+ ${project.groupId}
+ example-api
+ ${project.version}
+
+
+
+
\ No newline at end of file
diff --git a/pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml b/pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml
new file mode 100644
index 000000000000..3f8a6a317962
--- /dev/null
+++ b/pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml
@@ -0,0 +1,28 @@
+
+ 4.0.0
+
+ com.example
+ root-pom-dep-management-for-deps-with-project-props
+ 1.0.0
+ pom
+
+
+
+
+ org.example
+ example-api
+ 2.0.0
+
+
+
+
+
+
+ org.example
+ example-dependency
+ 1.7.30
+
+
+
+