fix(java): use go-mvn-version to remove Package duplicates #7088

Merged

DmitriyLewen
Contributor

@DmitriyLewen DmitriyLewen commented Jul 3, 2024

Description

We remove duplicates of packages.
But there are cases when packages use the same version, but one of the packages omits the 0 patch version (e.g. 2.17.0 and 2.17).

Using go-mvn-version to compare versions solves this problem.

before:

➜ trivy -q image apachepulsar/pulsar:3.3.0 --format cyclonedx | grep '"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core'
      "purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",
      "purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41.0",

after:

➜ trivy -q image apachepulsar/pulsar:3.3.0 --format cyclonedx | grep '"purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core'
      "purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
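
The effect described above, comparing versions instead of version strings when removing duplicates, as an added example that is not the PR's code and does not use go-mvn-version. `Package`, `canonicalVersion` and `Dedupe` are hypothetical names, and the normalization is a simplification that only strips trailing zero components.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a hypothetical stand-in for a detected Maven artifact.
type Package struct{ GroupID, ArtifactID, Version string }

// canonicalVersion drops trailing zero components from the numeric part, so
// "2.41" and "2.41.0" share one key. Simplification (assumption): a qualifier
// after the first "-" is only lowercased, not ordered by Maven's rules.
func canonicalVersion(v string) string {
	numeric, qualifier, hasQualifier := strings.Cut(strings.TrimSpace(v), "-")
	parts := strings.Split(numeric, ".")
	for len(parts) > 1 && isZero(parts[len(parts)-1]) {
		parts = parts[:len(parts)-1]
	}
	key := strings.Join(parts, ".")
	if hasQualifier {
		key += "-" + strings.ToLower(qualifier)
	}
	return key
}

// isZero reports whether s is a non-empty run of '0' characters.
func isZero(s string) bool {
	return s != "" && strings.Trim(s, "0") == ""
}

// Dedupe keeps the first package seen for each group:artifact@canonical-version.
func Dedupe(pkgs []Package) []Package {
	seen := make(map[string]struct{})
	var out []Package
	for _, p := range pkgs {
		key := p.GroupID + ":" + p.ArtifactID + "@" + canonicalVersion(p.Version)
		if _, dup := seen[key]; !dup {
			seen[key] = struct{}{}
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Input built from the two purls shown in the "before" output.
	const g, a = "org.glassfish.jersey.containers", "jersey-container-servlet-core"
	fmt.Println(Dedupe([]Package{{g, a, "2.41"}, {g, a, "2.41.0"}}))
}
```

Keying on the raw version string instead would keep both entries, which is how one component ends up with two purls in the SBOM.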

@DmitriyLewen DmitriyLewen self-assigned this Jul 3, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review July 3, 2024 09:42
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner July 3, 2024 09:42
@knqyf263 knqyf263 added this pull request to the merge queue Jul 4, 2024
Merged via the queue into aquasecurity:main with commit a7a304d Jul 4, 2024
12 checks passed
@aqua-bot aqua-bot mentioned this pull request Jul 4, 2024
@DmitriyLewen DmitriyLewen deleted the fix-java/use-comparator-for-versions branch July 8, 2024 04:34
skahn007gl pushed a commit to skahn007gl/trivy that referenced this pull request Jul 23, 2024
…ecurity#7088)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>