Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Empty version field on some dependencies when reading pom.xml #1129

Closed
willyw0nka opened this issue Aug 1, 2022 · 11 comments · Fixed by #2769 · May be fixed by #2669
Closed

Empty version field on some dependencies when reading pom.xml #1129

willyw0nka opened this issue Aug 1, 2022 · 11 comments · Fixed by #2769 · May be fixed by #2669
Assignees
@kzantow
Labels
bug Something isn't working

Comments

@willyw0nka
Copy link

What happened:
Syft does not detect the current version of some dependencies when scanning a maven project.

What you expected to happen:
Syft shows the current version of every package listed on pom.xml when scanning a maven project.

How to reproduce it (as minimally and precisely as possible):
On a maven project with some dependencies run syft dir:.. The output of the command is the following:

 ✔ Indexed .
 ✔ Cataloged packages      [31 packages]
NAME                                     VERSION                TYPE
commons-codec                            20041127.091804        java-archive
commons-io                               2.7                    java-archive
commons-validator                        1.7                    java-archive
gson                                     2.8.9                  java-archive
h2                                       2.1.212                java-archive
joda-time                                2.10.14                java-archive
json                                     20220320               java-archive
junit-jupiter-api                                               java-archive
junit-jupiter-engine                                            java-archive
kafka-clients                            6.2.0-ccs              java-archive
kafka-streams                            6.2.0-ccs              java-archive
kafka-streams-test-utils                 6.2.0-ccs              java-archive
kotlin-maven-allopen                     ${kotlin.version}      java-archive
maven-wrapper                            0.5.5                  java-archive
micrometer-registry-prometheus           ${micrometer.version}  java-archive
mockk                                    ${io.mockk.version}    java-archive
opentracing-kafka-spring                 0.1.15                 java-archive
opentracing-kafka-streams                0.1.15                 java-archive
opentracing-mock                         0.33.0                 java-archive
opentracing-spring-cloud-starter         0.5.9                  java-archive
opentracing-spring-jaeger-cloud-starter  3.3.1                  java-archive
spring-boot-starter-actuator                                    java-archive
spring-boot-starter-aop                                         java-archive
spring-boot-starter-data-jpa                                    java-archive
spring-boot-starter-data-mongodb                                java-archive
spring-boot-starter-security                                    java-archive
spring-boot-starter-test                                        java-archive
spring-boot-starter-web                                         java-archive
spring-kafka                             2.8.5                  java-archive
spring-security-test                                            java-archive

Anything else we need to know?:
I also tried running syft dir:. -o json to check if the issue was with one specific report format. The version field on some dependencies is also empty (example below).

  {
   "id": "9e8b166654978e40",
   "name": "spring-boot-starter-test",
   "version": "",
   "type": "java-archive",
   "foundBy": "java-pom-cataloger",
   "locations": [
    {
     "path": "pom.xml"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:spring-boot-starter-test:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter-test:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter_test:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter_test:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring_boot_starter_test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring-boot-starter-test:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring_boot_starter_test:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-test",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": ""
   }
  }

Environment:

  • Output of syft version: 
    Application:        syft
Version:            0.52.0
JsonSchemaVersion:  3.3.1
BuildDate:          2022-07-21T13:50:51Z
GitCommit:          ba9adb17ebb510a2a3bd2b641738b1d9235e1f3e
GitDescription:     v0.52.0
Platform:           linux/amd64
GoVersion:          go1.18.3
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar): Tested on Ubuntu 20.04.4 LTS using WSL on top of Windows 11
@willyw0nka willyw0nka added the bug Something isn't working label Aug 1, 2022
@spiffcs spiffcs added this to OSS Aug 1, 2022
@bsoroushian
Copy link

Related to the same issue we see that versions provided as parameter in the pom.xml are not evaluated.

For example we see results like:

syft dir:.
 ✔ Indexed .               
 ✔ Cataloged packages      [21 packages]
NAME                               VERSION                       TYPE         
axios                              ${webjars-axios.version}      java-archive  
bootstrap                          ${webjars-bootstrap.version}  java-archive  
d3-cloud                           ${webjars-d3cloud.version}    java-archive  
h2                                                               java-archive  
jquery                             ${webjars-jquery.version}     java-archive  
kuromoji-ipadic                    ${kuromoji.version}           java-archive  
maven-wrapper                      3.1.0                         java-archive  
p6spy                              ${p6spy.version}              java-archive  
postgresql                                                       java-archive  
spring-boot-starter-data-jpa                                     java-archive  
spring-boot-starter-oauth2-client                                java-archive  
spring-boot-starter-security                                     java-archive  
spring-boot-starter-test                                         java-archive  
spring-boot-starter-thymeleaf                                    java-archive  
spring-boot-starter-web                                          java-archive  
spring-cloud-starter-sleuth                                      java-archive  
spring-security-test                                             java-archive  
thymeleaf-extras-springsecurity5                                 java-archive  
twitter-api-java-sdk               ${twitter.sdk.version}        java-archive  
wavefront-spring-boot-starter                                    java-archive  
webjars-locator-core                                             java-archive

while in pom.xml the version for parameterized components are provided:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>jp.vmware.tanzu</groupId>
    <artifactId>twitter-wordcloud-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>twitter-wordcloud-demo</name>
    <description>twitter-wordcloud-demo</description>
    <properties>
        <java.version>11</java.version>
        <spring-cloud.version>2021.0.3</spring-cloud.version>
        <wavefront.version>2.3.0</wavefront.version>
        <p6spy.version>3.9.1</p6spy.version>
        <twitter.sdk.version>2.0.2</twitter.sdk.version>
        <kuromoji.version>0.9.0</kuromoji.version>
        <!-- Web dependencies -->
        <webjars-bootstrap.version>5.2.0</webjars-bootstrap.version>
        <webjars-jquery.version>3.6.0</webjars-jquery.version>
        <webjars-d3js.version>7.6.1</webjars-d3js.version>
        <webjars-d3cloud.version>1.2.5</webjars-d3cloud.version>
        <webjars-axios.version>0.27.2</webjars-axios.version>
    </properties>
...
...

@wagoodman
Copy link
Contributor

I attempted to reproduce this without luck from the portion, can you provide the full pom.xml?

@willyw0nka
Copy link
Author

Hi @wagoodman 👋, thank you for showing interest on this issue.

Further investigation leaded to some findings. As @bsoroushian mentioned, parametrized versions are not evaluated when grype reads pom.xml. Other packages that dont carry a version tag in the generated pom.xml are also problematic as syft shows version field as an empty string.

This syft execution shows both problems

$ syft packages file:pom.xml 
 ✔ Indexed pom.xml         
 ✔ Cataloged packages      [33 packages]
NAME                                     VERSION                       TYPE         
commons-codec                            1.14                          java-archive  
commons-io                               2.7                           java-archive  
easy-random-core                         ${easy-random-core.version}   java-archive  
easy-random-randomizers                  ${easy-random-core.version}   java-archive  
gson                                     2.8.9                         java-archive  
guava                                    31.1-jre                      java-archive  
h2                                       2.1.214                       java-archive  
jackson-module-kotlin                    2.13.3                        java-archive  
joda-time                                2.10.14                       java-archive  
json                                     20220320                      java-archive  
junit-jupiter-api                                                      java-archive  
junit-jupiter-engine                                                   java-archive  
kafka-clients                            6.2.0-ccs                     java-archive  
kafka-json-serializer                    6.2.0                         java-archive  
kafka-streams                            6.2.0-ccs                     java-archive  
kafka-streams-test-utils                 6.2.0-ccs                     java-archive  
kotlin-maven-allopen                     ${kotlin.version}             java-archive  
kotlin-reflect                           ${kotlin.version}             java-archive  
kotlin-stdlib                            ${kotlin.version}             java-archive  
micrometer-registry-prometheus           ${micrometer.version}         java-archive  
mockk                                    ${io.mockk.version}           java-archive  
opentracing-spring-cloud-starter         0.5.9                         java-archive  
opentracing-spring-jaeger-cloud-starter  3.3.1                         java-archive  
spring-boot-starter-actuator                                           java-archive  
spring-boot-starter-data-jpa                                           java-archive  
spring-boot-starter-data-mongodb                                       java-archive  
spring-boot-starter-security                                           java-archive  
spring-boot-starter-test                                               java-archive  
spring-boot-starter-web                                                java-archive  
spring-cloud-starter-openfeign                                         java-archive  
spring-security-test                                                   java-archive  
springdoc-openapi-kotlin                 ${springdoc-openapi.version}  java-archive  
springdoc-openapi-ui                     ${springdoc-openapi.version}  java-archive

the output shown avobe was created scanning the following pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.org.services</groupId>
    <artifactId>product-name</artifactId>
    <version>1.0.0</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/>
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <spring.framework.version>5.3.1.RELEASE</spring.framework.version>
        <java.version>11</java.version>
        <sonar.coverage.exclusions>
            **/configuration/**/*,
            **/exception/**/*,
            **/model/**/*,
            **/ConstantsUtils.kt,
            **/Application.kt,
        </sonar.coverage.exclusions>
        <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
        <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
        <sonar.jacoco.reportPaths>${basedir}/target/jacoco.exec</sonar.jacoco.reportPaths>
        <sonar.language>kotlin</sonar.language>
        <jacoco.version>0.8.7</jacoco.version>
        <springdoc-openapi.version>1.6.9</springdoc-openapi.version>
        <micrometer.version>1.9.3</micrometer.version>
        <kotlin.version>1.7.10</kotlin.version>
        <io.mockk.version>1.10.3</io.mockk.version>
        <kotlin.compiler.incremental>true</kotlin.compiler.incremental>
        <dokka.version>1.6.21</dokka.version>
        <openfeign.version>3.0.6</openfeign.version>
        <openfeign.core.version>2.2.6.RELEASE</openfeign.core.version>
        <easy-random-core.version>5.0.0</easy-random-core.version>
    </properties>

    <repositories>
        <repository>
            <id>confluent</id>
            <url>https://packages.confluent.io/maven/</url>
        </repository>
    </repositories>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2021.0.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>


    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-mongodb</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springdoc</groupId>
            <artifactId>springdoc-openapi-ui</artifactId>
            <version>${springdoc-openapi.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springdoc</groupId>
            <artifactId>springdoc-openapi-kotlin</artifactId>
            <version>${springdoc-openapi.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>31.1-jre</version>
        </dependency>

        <dependency>
            <groupId>io.micrometer</groupId>
            <artifactId>micrometer-registry-prometheus</artifactId>
            <version>${micrometer.version}</version>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <version>2.1.214</version>
        </dependency>
        <dependency>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
            <version>1.14</version>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.7</version>
        </dependency>
        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20220320</version>
        </dependency>
        <dependency>
            <groupId>joda-time</groupId>
            <artifactId>joda-time</artifactId>
            <version>2.10.14</version>
        </dependency>
        <dependency>
            <groupId>com.google.code.gson</groupId>
            <artifactId>gson</artifactId>
            <version>2.8.9</version>
        </dependency>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-stdlib</artifactId>
            <version>${kotlin.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-reflect</artifactId>
            <version>${kotlin.version}</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.module</groupId>
            <artifactId>jackson-module-kotlin</artifactId>
            <version>2.13.3</version>
        </dependency>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-maven-allopen</artifactId>
            <version>${kotlin.version}</version>
        </dependency>
        <dependency>
            <groupId>io.mockk</groupId>
            <artifactId>mockk</artifactId>
            <version>${io.mockk.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter-engine</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter-api</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.kafka</groupId>
            <artifactId>kafka-streams</artifactId>
            <version>6.2.0-ccs</version>
        </dependency>
        <dependency>
            <groupId>org.apache.kafka</groupId>
            <artifactId>kafka-clients</artifactId>
            <version>6.2.0-ccs</version>
        </dependency>
        <dependency>
            <groupId>io.confluent</groupId>
            <artifactId>kafka-json-serializer</artifactId>
            <version>6.2.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.kafka</groupId>
            <artifactId>kafka-streams-test-utils</artifactId>
            <version>6.2.0-ccs</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>io.opentracing.contrib</groupId>
            <artifactId>opentracing-spring-cloud-starter</artifactId>
            <version>0.5.9</version>
        </dependency>
        <dependency>
            <groupId>io.opentracing.contrib</groupId>
            <artifactId>opentracing-spring-jaeger-cloud-starter</artifactId>
            <version>3.3.1</version>
        </dependency>

        <!-- Feign dependencies -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
            <!--<version>${openfeign.version}</version>-->
        </dependency>

        <!-- Easy random dependencies -->
        <dependency>
            <groupId>org.jeasy</groupId>
            <artifactId>easy-random-core</artifactId>
            <version>${easy-random-core.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.jeasy</groupId>
            <artifactId>easy-random-randomizers</artifactId>
            <version>${easy-random-core.version}</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <sourceDirectory>${project.basedir}/src/main/kotlin</sourceDirectory>
        <testSourceDirectory>${project.basedir}/src/test/kotlin</testSourceDirectory>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.sonarsource.scanner.maven</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <version>3.6.0.1398</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.2</version>
                <configuration>
                    <skipTests>false</skipTests>
                    <testFailureIgnore>true</testFailureIgnore>
                    <forkMode>once</forkMode>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>${jacoco.version}</version>
                <executions>
                    <execution>
                        <id>default-prepare-agent</id>
                        <goals>
                            <goal>prepare-agent</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>default-report</id>
                        <phase>test</phase>
                        <goals>
                            <goal>report</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <artifactId>kotlin-maven-plugin</artifactId>
                <groupId>org.jetbrains.kotlin</groupId>
                <version>${kotlin.version}</version>
                <configuration>
                    <compilerPlugins>
                        <plugin>spring</plugin>
                    </compilerPlugins>
                    <jvmTarget>11</jvmTarget>
                    <languageVersion>1.5</languageVersion>
                </configuration>
                <executions>
                    <execution>
                        <id>compile</id>
                        <phase>compile</phase>
                        <goals>
                            <goal>compile</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>test-compile</id>
                        <phase>test-compile</phase>
                        <goals>
                            <goal>test-compile</goal>
                        </goals>
                    </execution>
                </executions>
                <dependencies>
                    <dependency>
                        <groupId>org.jetbrains.kotlin</groupId>
                        <artifactId>kotlin-maven-allopen</artifactId>
                        <version>${kotlin.version}</version>
                    </dependency>
                </dependencies>
            </plugin>
        </plugins>
    </build>
</project>

@tgerla tgerla mentioned this issue Oct 6, 2022
Closed
@benken-parasoft
Copy link

Related to this, Syft generates a malformed "purl" which does not parse as a URI. I believe the dollar # these version strings are not being uri/percent-encoded when generating the "purl" string.

@spiffcs spiffcs moved this to Parking Lot (Comments or Progress) in OSS Oct 13, 2022
@cjnosal cjnosal mentioned this issue Oct 28, 2022
Closed
@khan-a1
Copy link

khan-a1 commented Feb 5, 2023
edited
Loading

Hi team, any update on this? I am getting empty version numbers for all my pom.xml dependencies (even the ones specifying a version number directly.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.1</version>
  </parent>
  <groupId>org.owasp.webgoat</groupId>
  <artifactId>webgoat</artifactId>
  <version>2023.3</version>
  <packaging>jar</packaging>

  <name>WebGoat</name>
  <description>WebGoat, a deliberately insecure Web Application</description>
  <url>https://github.com/WebGoat/WebGoat</url>
  <inceptionYear>2006</inceptionYear>
  <organization>
    <name>OWASP</name>
    <url>https://github.com/WebGoat/WebGoat/</url>
  </organization>
  <licenses>
    <license>
      <name>GNU General Public License, version 2</name>
      <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <id>mayhew64</id>
      <name>Bruce Mayhew</name>
      <email>webgoat@owasp.org</email>
      <organization>OWASP</organization>
      <organizationUrl>https://github.com/WebGoat/WebGoat</organizationUrl>
    </developer>
    <developer>
      <id>nbaars</id>
      <name>Nanne Baars</name>
      <email>nanne.baars@owasp.org</email>
      <organizationUrl>https://github.com/nbaars</organizationUrl>
      <timezone>Europe/Amsterdam</timezone>
    </developer>
    <developer>
      <id>misfir3</id>
      <name>Jason White</name>
      <email>jason.white@owasp.org</email>
    </developer>
    <developer>
      <id>zubcevic</id>
      <name>René Zubcevic</name>
      <email>rene.zubcevic@owasp.org</email>
    </developer>
    <developer>
      <id>aolle</id>
      <name>Àngel Ollé Blázquez</name>
      <email>angel@olleb.com</email>
    </developer>
    <developer>
      <id>jwayman</id>
      <name>Jeff Wayman</name>
      <email></email>
    </developer>
    <developer>
      <id>dcowden</id>
      <name>Dave Cowden</name>
      <email></email>
    </developer>
    <developer>
      <id>lawson89</id>
      <name>Richard Lawson</name>
      <email></email>
    </developer>
    <developer>
      <id>dougmorato</id>
      <name>Doug Morato</name>
      <email>doug.morato@owasp.org</email>
      <organization>OWASP</organization>
      <organizationUrl>https://github.com/dougmorato</organizationUrl>
      <timezone>America/New_York</timezone>
      <properties>
        <picUrl>https://avatars2.githubusercontent.com/u/9654?v=3&amp;s=150</picUrl>
      </properties>
    </developer>
  </developers>

  <mailingLists>
    <mailingList>
      <name>OWASP WebGoat Mailing List</name>
      <subscribe>https://lists.owasp.org/mailman/listinfo/owasp-webgoat</subscribe>
      <unsubscribe>Owasp-webgoat-request@lists.owasp.org</unsubscribe>
      <post>owasp-webgoat@lists.owasp.org</post>
      <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
    </mailingList>
  </mailingLists>

  <scm>
    <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
    <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
    <tag>HEAD</tag>
    <url>https://github.com/WebGoat/WebGoat</url>
  </scm>

  <issueManagement>
    <system>Github Issues</system>
    <url>https://github.com/WebGoat/WebGoat/issues</url>
  </issueManagement>

  <properties>

    <!-- Shared properties with plugins and version numbers across submodules-->
    <asciidoctorj.version>2.5.3</asciidoctorj.version>
    <bootstrap.version>3.3.7</bootstrap.version>
    <cglib.version>2.2</cglib.version>
    <!-- do not update necessary for lesson -->
    <checkstyle.version>3.1.2</checkstyle.version>
    <commons-collections.version>3.2.1</commons-collections.version>
    <commons-io.version>2.6</commons-io.version>
    <commons-lang3.version>3.12.0</commons-lang3.version>
    <commons-text.version>1.9</commons-text.version>
    <guava.version>30.1-jre</guava.version>
    <java.version>17</java.version>
    <jjwt.version>0.9.1</jjwt.version>
    <jose4j.version>0.7.6</jose4j.version>
    <jquery.version>3.5.1</jquery.version>
    <jsoup.version>1.14.3</jsoup.version>
    <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
    <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
    <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
    <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
    <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <pmd.version>3.15.0</pmd.version>
    <!-- Use UTF-8 Encoding -->
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
    <webdriver.version>4.3.1</webdriver.version>
    <webgoat.port>8080</webgoat.port>
    <webwolf.port>9090</webwolf.port>
    <wiremock.version>2.27.2</wiremock.version>
    <xml-resolver.version>1.2</xml-resolver.version>
    <xstream.version>1.4.5</xstream.version>
    <!-- do not update necessary for lesson -->
    <zxcvbn.version>1.5.2</zxcvbn.version>
  </properties>

  <dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm</artifactId>
        <version>9.1</version>
      </dependency>

      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-exec</artifactId>
        <version>1.3</version>
      </dependency>
      <dependency>
        <groupId>org.asciidoctor</groupId>
        <artifactId>asciidoctorj</artifactId>
        <version>${asciidoctorj.version}</version>
      </dependency>
      <dependency>
        <!-- jsoup HTML parser library @ https://jsoup.org/ -->
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>${jsoup.version}</version>
      </dependency>
      <dependency>
        <groupId>com.nulab-inc</groupId>
        <artifactId>zxcvbn</artifactId>
        <version>${zxcvbn.version}</version>
      </dependency>
      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>${xstream.version}</version>
      </dependency>
      <dependency>
        <groupId>cglib</groupId>
        <artifactId>cglib-nodep</artifactId>
        <version>${cglib.version}</version>
      </dependency>
      <dependency>
        <groupId>xml-resolver</groupId>
        <artifactId>xml-resolver</artifactId>
        <version>${xml-resolver.version}</version>
      </dependency>
      <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>${jjwt.version}</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons-io.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>${commons-text.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bitbucket.b_c</groupId>
        <artifactId>jose4j</artifactId>
        <version>${jose4j.version}</version>
      </dependency>
      <dependency>
        <groupId>org.webjars</groupId>
        <artifactId>bootstrap</artifactId>
        <version>${bootstrap.version}</version>
      </dependency>
      <dependency>
        <groupId>org.webjars</groupId>
        <artifactId>jquery</artifactId>
        <version>${jquery.version}</version>
      </dependency>
      <dependency>
        <groupId>com.github.tomakehurst</groupId>
        <artifactId>wiremock</artifactId>
        <version>${wiremock.version}</version>
      </dependency>
      <dependency>
        <groupId>io.github.bonigarcia</groupId>
        <artifactId>webdrivermanager</artifactId>
        <version>${webdriver.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.21</version>
      </dependency>
      <dependency>
        <groupId>org.jruby</groupId>
        <artifactId>jruby</artifactId>
        <version>9.3.6.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-exec</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-validation</artifactId>
    </dependency>
    <dependency>
      <groupId>org.projectlombok</groupId>
      <artifactId>lombok</artifactId>
      <scope>provided</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>javax.xml.bind</groupId>
      <artifactId>jaxb-api</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-undertow</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
      <groupId>org.flywaydb</groupId>
      <artifactId>flyway-core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.asciidoctor</groupId>
      <artifactId>asciidoctorj</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf.extras</groupId>
      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>
    <dependency>
      <groupId>org.hsqldb</groupId>
      <artifactId>hsqldb</artifactId>
    </dependency>
    <dependency>
      <groupId>org.jsoup</groupId>
      <artifactId>jsoup</artifactId>
    </dependency>
    <dependency>
      <groupId>com.nulab-inc</groupId>
      <artifactId>zxcvbn</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
    </dependency>
    <dependency>
      <groupId>cglib</groupId>
      <artifactId>cglib-nodep</artifactId>
    </dependency>
    <dependency>
      <groupId>xml-resolver</groupId>
      <artifactId>xml-resolver</artifactId>
    </dependency>
    <dependency>
      <groupId>io.jsonwebtoken</groupId>
      <artifactId>jjwt</artifactId>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
    </dependency>
    <dependency>
      <groupId>org.bitbucket.b_c</groupId>
      <artifactId>jose4j</artifactId>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>bootstrap</artifactId>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>jquery</artifactId>
    </dependency>
    <dependency>
      <groupId>org.glassfish.jaxb</groupId>
      <artifactId>jaxb-runtime</artifactId>
    </dependency>

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>io.rest-assured</groupId>
      <artifactId>rest-assured</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <repositories>
    <repository>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <configuration>
          <excludeDevtools>true</excludeDevtools>
          <executable>true</executable>
          <mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
          <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
          <requiresUnpack>
            <dependency>
              <groupId>org.asciidoctor</groupId>
              <artifactId>asciidoctorj</artifactId>
            </dependency>
          </requiresUnpack>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>build-helper-maven-plugin</artifactId>
        <executions>
          <execution>
            <id>add-integration-test-source-as-test-sources</id>
            <goals>
              <goal>add-test-source</goal>
            </goals>
            <phase>generate-test-sources</phase>
            <configuration>
              <sources>
                <source>src/it/java</source>
              </sources>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-failsafe-plugin</artifactId>
        <configuration>
          <systemPropertyVariables>
            <logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
          </systemPropertyVariables>
          <argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
          <includes>org/owasp/webgoat/*Test</includes>
        </configuration>
        <executions>
          <execution>
            <id>integration-test</id>
            <goals>
              <goal>integration-test</goal>
            </goals>
          </execution>
          <execution>
            <id>verify</id>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
        <version>${maven-surefire-plugin.version}</version>
        <configuration>
          <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
          <excludes>
            <exclude>**/*IntegrationTest.java</exclude>
            <exclude>src/it/java</exclude>
            <exclude>org/owasp/webgoat/*Test</exclude>
          </excludes>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-checkstyle-plugin</artifactId>
        <version>${checkstyle.version}</version>
        <configuration>
          <encoding>UTF-8</encoding>
          <consoleOutput>true</consoleOutput>
          <failsOnError>true</failsOnError>
          <configLocation>config/checkstyle/checkstyle.xml</configLocation>
          <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
          <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
        </configuration>
      </plugin>
      <plugin>
        <groupId>com.diffplug.spotless</groupId>
        <artifactId>spotless-maven-plugin</artifactId>
        <version>2.29.0</version>
        <configuration>
          <formats>
            <format>
              <includes>
                <include>.gitignore</include>
              </includes>
              <trimTrailingWhitespace></trimTrailingWhitespace>
              <endWithNewline></endWithNewline>
              <indent>
                <tabs>true</tabs>
                <spacesPerTab>4</spacesPerTab>
              </indent>
            </format>
          </formats>
          <markdown>
            <includes>
              <include>**/*.md</include>
            </includes>
            <flexmark></flexmark>
          </markdown>
          <java>
            <removeUnusedImports></removeUnusedImports>
            <googleJavaFormat>
              <style>GOOGLE</style>
              <reflowLongStrings>true</reflowLongStrings>
            </googleJavaFormat>
          </java>
          <pom>
            <sortPom>
              <encoding>UTF-8</encoding>
              <lineSeparator>${line.separator}</lineSeparator>
              <expandEmptyElements>true</expandEmptyElements>
              <spaceBeforeCloseEmptyElement>false</spaceBeforeCloseEmptyElement>
              <keepBlankLines>true</keepBlankLines>
              <nrOfIndentSpace>2</nrOfIndentSpace>
              <indentBlankLines>false</indentBlankLines>
              <indentSchemaLocation>false</indentSchemaLocation>
              <predefinedSortOrder>recommended_2008_06</predefinedSortOrder>
              <sortProperties>true</sortProperties>
              <sortModules>true</sortModules>
              <sortExecutions>true</sortExecutions>
            </sortPom>
          </pom>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>restrict-log4j-versions</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <phase>validate</phase>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes combine.children="append">
                    <exclude>org.apache.logging.log4j:log4j-core</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>17</source>
          <target>17</target>
        </configuration>
      </plugin>
    </plugins>
  </build>

  <profiles>
    <profile>
      <id>local-server</id>
    </profile>
    <profile>
      <id>start-server</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>build-helper-maven-plugin</artifactId>
            <executions>
              <execution>
                <id>reserve-container-port</id>
                <goals>
                  <goal>reserve-network-port</goal>
                </goals>
                <phase>process-resources</phase>
                <configuration>
                  <portNames>
                    <portName>webgoat.port</portName>
                    <portName>webwolf.port</portName>
                    <portName>jmxPort</portName>
                  </portNames>
                </configuration>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>com.bazaarvoice.maven.plugins</groupId>
            <artifactId>process-exec-maven-plugin</artifactId>
            <version>0.9</version>
            <executions>
              <execution>
                <id>start-jar</id>
                <goals>
                  <goal>start</goal>
                </goals>
                <phase>pre-integration-test</phase>
                <configuration>
                  <workingDir>${project.build.directory}</workingDir>
                  <arguments>
                    <argument>java</argument>
                    <argument>-jar</argument>
                    <argument>-Dlogging.pattern.console=</argument>
                    <argument>-Dspring.main.banner-mode=off</argument>
                    <argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat</argument>
                    <argument>-Dwebgoat.port=${webgoat.port}</argument>
                    <argument>-Dwebwolf.port=${webwolf.port}</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.lang=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.util=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.text=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.desktop/java.beans=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.util=ALL-UNNAMED</argument>
                    <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                  </arguments>
                  <waitForInterrupt>false</waitForInterrupt>
                  <healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
                </configuration>
              </execution>
              <execution>
                <id>stop-jar-process</id>
                <goals>
                  <goal>stop-all</goal>
                </goals>
                <phase>post-integration-test</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
    <profile>
      <id>owasp</id>
      <activation>
        <activeByDefault>false</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>6.5.1</version>
            <configuration>
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <skipProvidedScope>false</skipProvidedScope>
              <skipRuntimeScope>false</skipRuntimeScope>
              <suppressionFiles>
                <!--suppress UnresolvedMavenProperty -->
                <suppressionFile>${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>

</project>

Here is the packages command output:

syft packages file:pom.xml
 ✔ Indexed pom.xml         
 ✔ Cataloged packages      [32 packages]

NAME                              VERSION  TYPE         
asciidoctorj                               java-archive  
bootstrap                                  java-archive  
cglib-nodep                                java-archive  
commons-exec                               java-archive  
commons-io                                 java-archive  
commons-lang3                              java-archive  
commons-text                               java-archive  
flyway-core                                java-archive  
guava                                      java-archive  
hsqldb                                     java-archive  
jaxb-api                                   java-archive  
jaxb-runtime                               java-archive  
jjwt                                       java-archive  
jose4j                                     java-archive  
jquery                                     java-archive  
jsoup                                      java-archive  
lombok                                     java-archive  
rest-assured                               java-archive  
spring-boot-starter-actuator               java-archive  
spring-boot-starter-data-jpa               java-archive  
spring-boot-starter-security               java-archive  
spring-boot-starter-test                   java-archive  
spring-boot-starter-thymeleaf              java-archive  
spring-boot-starter-undertow               java-archive  
spring-boot-starter-validation             java-archive  
spring-boot-starter-web                    java-archive  
spring-security-test                       java-archive  
thymeleaf-extras-springsecurity5           java-archive  
wiremock                                   java-archive  
xml-resolver                               java-archive  
xstream                                    java-archive  
zxcvbn                                     java-archive

Using Sift version: syft 0.69.1

@willyw0nka
Copy link
Author

Related to #1251

@setchy
Copy link

setchy commented Jun 30, 2023

maven version properties are now supported via #1251.

But looks like parent versions are still unsupported (eg: the spring-boot-starter-parent) example shared above. Is that correct?

@kzantow
Copy link
Contributor

kzantow commented Jun 30, 2023

@setchy this is correct -- also currently the versions specified in dependencyManagement are not honored.

@kzantow
Copy link
Contributor

kzantow commented Jun 30, 2023

@khan-a1 -- given the POM you provided, I don't see any versions specified directly but rather specified in the dependencyManagement section, which as noted above isn't currently being used. We definitely should be using this if it's present in the same POM. PRs are always welcome here! :)

@kzantow kzantow moved this from Awaiting Response to Backlog in OSS Jun 30, 2023
@kzantow
Copy link
Contributor

kzantow commented Jun 30, 2023

I've added this to our backlog, but can't say when it will bubble up to the top

@kzantow kzantow mentioned this issue Jan 18, 2024
Open
@GijsCalis GijsCalis mentioned this issue Feb 24, 2024
Open
@GijsCalis GijsCalis mentioned this issue Apr 11, 2024
Merged
@kzantow
Copy link
Contributor

kzantow commented Jul 24, 2024

This PR should be fixed by #2769

@kzantow kzantow self-assigned this Jul 24, 2024
@kzantow kzantow moved this from Backlog to In Review in OSS Jul 24, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 5, 2024
@BrewTestBot BrewTestBot mentioned this issue Aug 9, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
7 participants
@setchy @wagoodman @bsoroushian @kzantow @benken-parasoft @willyw0nka @khan-a1