Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Support Maven multi-level configuration file / parent POM #2017

Closed
sekveaja opened this issue Aug 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Closed

Support Maven multi-level configuration file / parent POM #2017

sekveaja opened this issue Aug 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Assignees
@kzantow
Labels
bug Something isn't working

Comments

@sekveaja
Copy link

What happened:
Running Grype to a local development directory.
Variable not interpreting correctly in multiple level configuration file.
See the following example with ${version.h2.database} variable,

$ grype ./My_project
:
guava 15.0 24.1.1 java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 15.0 32.0.0 java-archive GHSA-7g45-4rm6-3mm3 Medium
h2 ${version.h2.database} java-archive CVE-2022-45868 High
h2 ${version.h2.database} 2.1.210 java-archive GHSA-45hx-wfhj-473x Critical
h2 ${version.h2.database} 2.2.220 java-archive GHSA-22wj-vf5f-wrvj High
:

What you expected to happen:
Every variable should be replaced with a value.

h2 1.4.200 java-archive CVE-2022-45868 High
h2 1.4.200 2.1.210 java-archive GHSA-45hx-wfhj-473x Critical
h2 1.4.200 2.2.220 java-archive GHSA-22wj-vf5f-wrvj High

How to reproduce it (as minimally and precisely as possible):

Propertie name and value is defined in top/parent level pom.xml

<properties>
     :
    <version.h2.database>1.4.200</version.h2.database>
     :
</properties>

Application level define their dependency in pom,xml using variable in Top level pom.xml

<dependencies>
             :
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${version.h2.database}</version>
        <scope>test</scope>
    </dependency>
               :

Environment:

Application: grype
Version: 0.62.3
Syft Version: v0.83.0
BuildDate: 2023-06-06T00:36:27Z
GitCommit: 3865f4cc1dfcdcefbb7009400df153f24b18c772
GitDescription: v0.62.3
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
Supported DB Schema: 5
@sekveaja sekveaja added the bug Something isn't working label Aug 11, 2023
@sekveaja sekveaja changed the title Variable not interpreting Variable not interpreting in multi-level configuration file Aug 11, 2023
@kzantow kzantow transferred this issue from anchore/grype Aug 11, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 11, 2023

Thanks for the report @sekveaja. I've moved this to the Syft repository, as this is where changes would be made for parent pom support. This is related to: #1813. Currently, Syft does not support reading external pom files (e.g. the parent pom), which is why you are seeing this behavior. We are definitely interested in enhancing maven support and have a number of ideas how to improve this.

@kzantow kzantow changed the title Variable not interpreting in multi-level configuration file Support Maven multi-level configuration file / parent POM Aug 11, 2023
@kzantow kzantow moved this to Backlog in OSS Aug 11, 2023
@oxeye-daniel
Copy link

Hey team, any update on this one?

@kzantow kzantow mentioned this issue Jan 18, 2024
Open
@nickolashkraus
Copy link

I am also interested in this feature. Here is a small example:

I have a multi-module project with a pom.xml and app/pom.xml:

.
├── app
│   └── pom.xml
└── pom.xml

The pom.xml defines the following:

<project>
    <properties>
        <some.dependency.version>x.y.z</some.dependency.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>my.dependency</groupId>
                <artifactId>some-dependency</artifactId>
                <version>${some.dependency.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

The app/pom.xml defines the following:

<project>
    <parent>
        <relativePath>../pom.xml</relativePath>
    </parent>
    <dependencies>
        <dependency>
            <groupId>my.dependency</groupId>
            <artifactId>some-dependency</artifactId>
        </dependency>
    </dependencies>
</project>

Currently, Syft will not be able to resolve the version for the dependency specified in app/pom.xml, since it is set in the parent POM (pom.xml).

Related:

@GijsCalis GijsCalis mentioned this issue Feb 24, 2024
Open
@GijsCalis GijsCalis mentioned this issue Apr 11, 2024
Merged
@kzantow kzantow moved this from Backlog to In Review in OSS Jul 24, 2024
@kzantow kzantow self-assigned this Jul 24, 2024
@kzantow
Copy link
Contributor

kzantow commented Jul 24, 2024

This PR should be fixed by #2769

@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 5, 2024
@BrewTestBot BrewTestBot mentioned this issue Aug 9, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
4 participants
@kzantow @nickolashkraus @sekveaja @oxeye-daniel