Closed sekveaja closed 1 month ago
Thanks for the report @sekveaja. I've moved this to the Syft repository, as this is where changes would be made for parent pom support. This is related to: https://github.com/anchore/syft/issues/1813. Currently, Syft does not support reading external pom files (e.g. the parent pom), which is why you are seeing this behavior. We are definitely interested in enhancing maven support and have a number of ideas how to improve this.
Hey team, any update on this one?
I am also interested in this feature. Here is a small example:
I have a multi-module project with a `pom.xml` and an `app/pom.xml`:

```
.
├── app
│   └── pom.xml
└── pom.xml
```

The `pom.xml` defines the following:

```xml
<project>
  <properties>
    <some.dependency.version>x.y.z</some.dependency.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <!-- managed version, expressed through the property above -->
      <dependency>
        <groupId>my.dependency</groupId>
        <artifactId>some-dependency</artifactId>
        <version>${some.dependency.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

The `app/pom.xml` defines the following:

```xml
<project>
  <parent>
    <!-- the child inherits properties and managed versions from ../pom.xml -->
    <relativePath>../pom.xml</relativePath>
  </parent>
  <dependencies>
    <!-- no <version>: it is expected to come from the parent's dependencyManagement -->
    <dependency>
      <groupId>my.dependency</groupId>
      <artifactId>some-dependency</artifactId>
    </dependency>
  </dependencies>
</project>
```

Currently, Syft will not be able to resolve the version for the dependency specified in `app/pom.xml`, since it is set in the parent POM (`pom.xml`).
Related:
This PR should be fixed by #2769
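As an added example (not code from Syft, Grype, or any commenter on this issue), here is a small resolver that performs the step Syft currently skips: follow `<parent><relativePath>` to the parent POM, merge `<properties>` and `<dependencyManagement>` ancestor-first so nearer POMs override, then expand `${...}` in the child's dependency versions. The sample POMs are constructed to mirror the layout above; the h2 coordinates `com.h2database:h2` and the `other:unmanaged` dependency are assumptions for illustration. A property that cannot be resolved is left literal, which is exactly the `${version.h2.database}` string Grype printed in the report, and a parent POM that is not present on disk stops the walk the same way it does for Syft today.

```python
"""Added example (not Syft's code): resolve Maven dependency versions by
walking parent POMs via <parent><relativePath>."""
import os
import re
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample project mirroring the layout in the comment above.
# The com.h2database:h2 and other:unmanaged coordinates are assumptions.
SAMPLE_PROJECT = {
    "pom.xml": """<project>
  <properties>
    <some.dependency.version>x.y.z</some.dependency.version>
    <version.h2.database>1.4.200</version.h2.database>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>my.dependency</groupId><artifactId>some-dependency</artifactId>
      <version>${some.dependency.version}</version></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>${version.h2.database}</version></dependency>
  </dependencies></dependencyManagement>
</project>""",
    "app/pom.xml": """<project>
  <parent><relativePath>../pom.xml</relativePath></parent>
  <dependencies>
    <dependency><groupId>my.dependency</groupId><artifactId>some-dependency</artifactId></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId></dependency>
    <dependency><groupId>other</groupId><artifactId>unmanaged</artifactId>
      <version>${undefined.prop}</version></dependency>
  </dependencies>
</project>""",
}


def _local(tag):
    """Strip the XML namespace; real POMs use xmlns=http://maven.apache.org/POM/4.0.0."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    if el is None:
        return None
    return next((c for c in el if _local(c.tag) == name), None)


def _text(el, name, default=None):
    c = _child(el, name)
    return c.text.strip() if c is not None and c.text else default


def _read_file(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def load_pom_chain(path, read=None):
    """Return [(path, root), ...] from the child up to the topmost parent found locally."""
    read = read or _read_file
    chain, seen = [], set()
    while path and path not in seen:
        seen.add(path)  # guard against relativePath cycles
        try:
            root = ET.fromstring(read(path))
        except (OSError, KeyError):
            break  # parent POM not available locally: Syft's situation today
        chain.append((path, root))
        parent = _child(root, "parent")
        if parent is None:
            break
        rel_el = _child(parent, "relativePath")
        rel = "../pom.xml" if rel_el is None else (rel_el.text or "").strip()  # Maven default
        if not rel:
            break  # explicitly empty relativePath: Maven resolves from a repository, not disk
        path = os.path.normpath(os.path.join(os.path.dirname(path), rel))
        if not path.endswith(".xml"):  # relativePath may name a directory
            path = os.path.join(path, "pom.xml")
    return chain


def interpolate(value, props, depth=0):
    """Expand ${name} recursively; unknown names stay literal, as in the Grype output."""
    if value is None or depth > 10:
        return value
    new = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return new if new == value else interpolate(new, props, depth + 1)


def resolve_dependencies(path, read=None):
    """Return [(groupId, artifactId, version, resolved)] for the child POM's dependencies."""
    chain = load_pom_chain(path, read)
    if not chain:
        return []
    props, managed = {}, {}
    for _, root in reversed(chain):  # ancestors first, so nearer POMs override
        props_el = _child(root, "properties")
        for el in (props_el if props_el is not None else []):
            props[_local(el.tag)] = (el.text or "").strip()
        dm = _child(_child(root, "dependencyManagement"), "dependencies")
        for d in (dm if dm is not None else []):
            managed[(_text(d, "groupId"), _text(d, "artifactId"))] = _text(d, "version")
    out = []
    deps = _child(chain[0][1], "dependencies")
    for d in (deps if deps is not None else []):
        key = (_text(d, "groupId"), _text(d, "artifactId"))
        version = interpolate(_text(d, "version") or managed.get(key), props)
        out.append((key[0], key[1], version, version is not None and "${" not in version))
    return out


if __name__ == "__main__":
    for g, a, v, ok in resolve_dependencies("app/pom.xml", read=SAMPLE_PROJECT.__getitem__):
        print(f"{g}:{a} -> {v} ({'resolved' if ok else 'UNRESOLVED'})")
```

Run it against a real checkout by calling `resolve_dependencies("app/pom.xml")` without the `read` argument; the dict-backed `read` is only there so the sample runs offline. Note that this handles only the on-disk parent chain, not parents that live in a remote repository or in `~/.m2`, which is the other half of what proper parent-POM support needs.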
What happened: Running Grype against a local development directory. A variable is not interpreted correctly in a multi-level configuration file. See the following example with the `${version.h2.database}` variable:

```
$ grype ./My_project
NAME   INSTALLED               FIXED-IN  TYPE          VULNERABILITY        SEVERITY
guava  15.0                    24.1.1    java-archive  GHSA-mvr2-9pj6-7w5j  Medium
guava  15.0                    32.0.0    java-archive  GHSA-7g45-4rm6-3mm3  Medium
h2     ${version.h2.database}            java-archive  CVE-2022-45868       High
h2     ${version.h2.database}  2.1.210   java-archive  GHSA-45hx-wfhj-473x  Critical
h2     ${version.h2.database}  2.2.220   java-archive  GHSA-22wj-vf5f-wrvj  High
```

What you expected to happen: Every variable should be replaced with a value.

```
NAME   INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
h2     1.4.200              java-archive  CVE-2022-45868       High
h2     1.4.200    2.1.210   java-archive  GHSA-45hx-wfhj-473x  Critical
h2     1.4.200    2.2.220   java-archive  GHSA-22wj-vf5f-wrvj  High
```
How to reproduce it (as minimally and precisely as possible):
1. The property name and value are defined in the top-level (parent) `pom.xml`.
2. The application-level `pom.xml` defines its dependency using the variable from the top-level `pom.xml`.
Environment:
```
Application:          grype
Version:              0.62.3
Syft Version:         v0.83.0
BuildDate:            2023-06-06T00:36:27Z
GitCommit:            3865f4cc1dfcdcefbb7009400df153f24b18c772
GitDescription:       v0.62.3
Platform:             linux/amd64
GoVersion:            go1.18.1
Compiler:             gc
Supported DB Schema:  5
```