Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Maven multi-level configuration file / parent POM #2017

Closed
sekveaja opened this issue Aug 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Closed

Support Maven multi-level configuration file / parent POM #2017

sekveaja opened this issue Aug 11, 2023 · 4 comments · Fixed by #2769 · May be fixed by #2669
Assignees
@kzantow
Labels
bug Something isn't working

Comments

@sekveaja
Copy link

What happened:
Running Grype to a local development directory.
Variable not interpreting correctly in multiple level configuration file.
See the following example with ${version.h2.database} variable,

$ grype ./My_project
:
guava 15.0 24.1.1 java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 15.0 32.0.0 java-archive GHSA-7g45-4rm6-3mm3 Medium
h2 ${version.h2.database} java-archive CVE-2022-45868 High
h2 ${version.h2.database} 2.1.210 java-archive GHSA-45hx-wfhj-473x Critical
h2 ${version.h2.database} 2.2.220 java-archive GHSA-22wj-vf5f-wrvj High
:

What you expected to happen:
Every variable should be replaced with a value.

h2 1.4.200 java-archive CVE-2022-45868 High
h2 1.4.200 2.1.210 java-archive GHSA-45hx-wfhj-473x Critical
h2 1.4.200 2.2.220 java-archive GHSA-22wj-vf5f-wrvj High

How to reproduce it (as minimally and precisely as possible):

Propertie name and value is defined in top/parent level pom.xml

<properties>
     :
    <version.h2.database>1.4.200</version.h2.database>
     :
</properties>

Application level define their dependency in pom,xml using variable in Top level pom.xml

<dependencies>
             :
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${version.h2.database}</version>
        <scope>test</scope>
    </dependency>
               :

Environment:

Application: grype
Version: 0.62.3
Syft Version: v0.83.0
BuildDate: 2023-06-06T00:36:27Z
GitCommit: 3865f4cc1dfcdcefbb7009400df153f24b18c772
GitDescription: v0.62.3
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
Supported DB Schema: 5
@sekveaja sekveaja added the bug Something isn't working label Aug 11, 2023
@sekveaja sekveaja changed the title Variable not interpreting Variable not interpreting in multi-level configuration file Aug 11, 2023
@kzantow kzantow transferred this issue from anchore/grype Aug 11, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 11, 2023

Thanks for the report @sekveaja. I've moved this to the Syft repository, as this is where changes would be made for parent pom support. This is related to: #1813. Currently, Syft does not support reading external pom files (e.g. the parent pom), which is why you are seeing this behavior. We are definitely interested in enhancing maven support and have a number of ideas how to improve this.

@kzantow kzantow changed the title Variable not interpreting in multi-level configuration file Support Maven multi-level configuration file / parent POM Aug 11, 2023
@kzantow kzantow moved this to Backlog in OSS Aug 11, 2023
@oxeye-daniel
Copy link

Hey team, any update on this one?

@kzantow kzantow mentioned this issue Jan 18, 2024
Open
@nickolashkraus
Copy link

I am also interested in this feature. Here is a small example:

I have a multi-module project with a pom.xml and app/pom.xml:

.
├── app
│   └── pom.xml
└── pom.xml

The pom.xml defines the following:

<project>
    <properties>
        <some.dependency.version>x.y.z</some.dependency.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>my.dependency</groupId>
                <artifactId>some-dependency</artifactId>
                <version>${some.dependency.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

The app/pom.xml defines the following:

<project>
    <parent>
        <relativePath>../pom.xml</relativePath>
    </parent>
    <dependencies>
        <dependency>
            <groupId>my.dependency</groupId>
            <artifactId>some-dependency</artifactId>
        </dependency>
    </dependencies>
</project>

Currently, Syft will not be able to resolve the version for the dependency specified in app/pom.xml, since it is set in the parent POM (pom.xml).

Related:

@GijsCalis GijsCalis mentioned this issue Feb 24, 2024
Open
@GijsCalis GijsCalis mentioned this issue Apr 11, 2024
Merged
@kzantow kzantow moved this from Backlog to In Review in OSS Jul 24, 2024
@kzantow kzantow self-assigned this Jul 24, 2024
@kzantow
Copy link
Contributor

kzantow commented Jul 24, 2024

This PR should be fixed by #2769

@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 5, 2024
@BrewTestBot BrewTestBot mentioned this issue Aug 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
4 participants
@kzantow @nickolashkraus @sekveaja @oxeye-daniel