Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

DependencyManagement ignored in pom.xml #1813

Closed
cjnosal opened this issue May 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Closed

DependencyManagement ignored in pom.xml #1813

cjnosal opened this issue May 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Assignees
@kzantow
Labels
bug Something isn't working

Comments

@cjnosal
Copy link

cjnosal commented May 11, 2023

What happened:
Ran a directory scan containing an effective-pom on a spring boot project. Only 4 results (from the top-level <dependencies>) were returned.

What you expected to happen:
All dependencies at the root level and transitive dependencies nested in <dependencyManagement> to be present in syft output

Steps to reproduce the issue:

git clone https://github.com/sample-accelerators/tanzu-java-web-app
cd tanzu-java-web-app
./mvnw help:effective-pom -Doutput results/pom.xml
syft dir:results

Anything else we need to know?:

Environment:

  • Output of syft version: 0.75.0
  • OS (e.g: cat /etc/os-release or similar): ubuntu 20.04.6
@cjnosal cjnosal added the bug Something isn't working label May 11, 2023
@cjnosal
Copy link
Author

cjnosal commented May 11, 2023

For reference:
https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_pom_xml.go#L31
https://github.com/vifraa/gopom/blob/main/gopom.go#L221

@tgerla tgerla added this to OSS May 17, 2023
@tgerla
Copy link
Contributor

tgerla commented Jun 15, 2023

Hi @xtreme-conor-nosal, thanks for filing the issue, we will go ahead and put this in the backlog for a fix when we are able.

@tgerla tgerla moved this to Backlog in OSS Jun 15, 2023
@kzantow
Copy link
Contributor

kzantow commented Jun 15, 2023

Developer notes: there are 2 main issues here:

  1. Syft does not download additional pom.xml information (e.g. parent POMs, transitive dependency POMs)
  2. Syft does not honor the dependencyManagement section

Within the same POM, Syft should still honor dependencyManagement, which essentially are dependency groupId, artifactId, and version, where if a dependency appears in the dependency section without a version, it should be inferred from the dependencyManagement section.

@kzantow kzantow mentioned this issue Aug 11, 2023
Closed
@GijsCalis GijsCalis mentioned this issue Feb 24, 2024
Open
@GijsCalis GijsCalis mentioned this issue Apr 11, 2024
Merged
@kzantow
Copy link
Contributor

kzantow commented Jul 24, 2024

This PR should be fixed by #2769

@kzantow kzantow moved this from Backlog to In Review in OSS Jul 24, 2024
@kzantow kzantow self-assigned this Jul 24, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 5, 2024
@BrewTestBot BrewTestBot mentioned this issue Aug 9, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
3 participants
@tgerla @cjnosal @kzantow