fix: bad version string interpolation (#5421)

jeremylong · Feb 6, 2023 · 3b8fa75 · 3b8fa75
1 parent 8743f14
commit 3b8fa75
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -593,12 +593,12 @@ public static boolean setPomEvidence(Dependency dependency, Model pom,
         }
         boolean foundSomething = false;
         boolean addAsIdentifier = true;
-        String groupid = pom.getGroupId();
-        String parentGroupId = pom.getParentGroupId();
-        String artifactid = pom.getArtifactId();
-        String parentArtifactId = pom.getParentArtifactId();
-        String version = pom.getVersion();
-        String parentVersion = pom.getParentVersion();
+        String groupid = intepolationFailCheck(pom.getGroupId());
+        String parentGroupId = intepolationFailCheck(pom.getParentGroupId());
+        String artifactid = intepolationFailCheck(pom.getArtifactId());
+        String parentArtifactId = intepolationFailCheck(pom.getParentArtifactId());
+        String version = intepolationFailCheck(pom.getVersion());
+        String parentVersion = intepolationFailCheck(pom.getParentVersion());
 
         if (("org.sonatype.oss".equals(parentGroupId) && "oss-parent".equals(parentArtifactId))
                 || ("org.springframework.boot".equals(parentGroupId) && "spring-boot-starter-parent".equals(parentArtifactId))) {
@@ -1288,6 +1288,19 @@ private boolean isPackage(String key, String value) {
 
     }
 
+    /**
+     * Returns null if the value starts with `${` and ends with `}`.
+     *
+     * @param value the value to check
+     * @return the correct value which may be null
+     */
+    private static String intepolationFailCheck(String value) {
+        if (value != null && value.contains("${")) {
+            return null;
+        }
+        return value;
+    }
+
     /**
      * Extracts the license information from the pom and adds it to the
      * dependency.

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -1283,8 +1283,7 @@ protected ExceptionCollection scanPlugins(MavenProject project, Engine engine, E
                 pluginCoordinate.setArtifactId(resolved.getArtifactId());
                 pluginCoordinate.setVersion(resolved.getVersion());
 
-                //TOOD - convert this to a packageURl instead of GAV
-                final String parent = resolved.getGroupId() + ":" + resolved.getArtifactId() + ":" + resolved.getVersion();
+                final String parent = buildReference(resolved.getGroupId(), resolved.getArtifactId(), resolved.getVersion());
                 for (Artifact artifact : resolveArtifactDependencies(pluginCoordinate, project)) {
                     exCol = addPluginToDependencies(project, engine, artifact, parent, exCol);
                 }
@@ -2789,18 +2788,23 @@ && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project))
     }
 
     /**
-     * Try resolution of artifacts once, allowing for DependencyResolutionException due to reactor-dependencies not
-     * being resolvable.
+     * Try resolution of artifacts once, allowing for
+     * DependencyResolutionException due to reactor-dependencies not being
+     * resolvable.
      * <br>
-     * The resolution is attempted only if allResolvedDeps is still empty. The assumption is that for any given project
-     * at least one of the dependencies will successfully resolve. If not, resolution will be attempted once for every
-     * dependency (as allResolvedDeps remains empty).
+     * The resolution is attempted only if allResolvedDeps is still empty. The
+     * assumption is that for any given project at least one of the dependencies
+     * will successfully resolve. If not, resolution will be attempted once for
+     * every dependency (as allResolvedDeps remains empty).
      *
      * @param project The project to dependencies for
-     * @param allResolvedDeps The collection of successfully resolved dependencies, will be filled with the successfully
-     *                        resolved dependencies, even in case of resolution failures.
-     * @param buildingRequest The buildingRequest to hand to Maven's DependencyResolver.
-     * @throws DependencyResolverException For any DependencyResolverException other than an Eclipse Aether DependencyResolutionException
+     * @param allResolvedDeps The collection of successfully resolved
+     * dependencies, will be filled with the successfully resolved dependencies,
+     * even in case of resolution failures.
+     * @param buildingRequest The buildingRequest to hand to Maven's
+     * DependencyResolver.
+     * @throws DependencyResolverException For any DependencyResolverException
+     * other than an Eclipse Aether DependencyResolutionException
      */
     private void tryResolutionOnce(MavenProject project, List<ArtifactResult> allResolvedDeps, ProjectBuildingRequest buildingRequest) throws DependencyResolverException {
         if (allResolvedDeps.isEmpty()) { // no (partially successful) resolution attempt done