anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Support Maven multi-level configuration file / parent POM #2017

Closed sekveaja closed 1 month ago

sekveaja commented 1 year ago

What happened: Running Grype on a local development directory. A variable is not interpreted correctly in a multi-level configuration file. See the following example with the ${version.h2.database} variable:

$ grype ./My_project
    :
    guava  15.0                    24.1.1   java-archive  GHSA-mvr2-9pj6-7w5j  Medium
    guava  15.0                    32.0.0   java-archive  GHSA-7g45-4rm6-3mm3  Medium
    h2     ${version.h2.database}           java-archive  CVE-2022-45868       High
    h2     ${version.h2.database}  2.1.210  java-archive  GHSA-45hx-wfhj-473x  Critical
    h2     ${version.h2.database}  2.2.220  java-archive  GHSA-22wj-vf5f-wrvj  High
    :

What you expected to happen: Every variable should be replaced with a value.

    h2     1.4.200                          java-archive  CVE-2022-45868       High
    h2     1.4.200                 2.1.210  java-archive  GHSA-45hx-wfhj-473x  Critical
    h2     1.4.200                 2.2.220  java-archive  GHSA-22wj-vf5f-wrvj  High

How to reproduce it (as minimally and precisely as possible):

The property name and value are defined in the top/parent-level pom.xml:

<properties>
     :
    <version.h2.database>1.4.200</version.h2.database>
     :
</properties>

The application level defines its dependency in its pom.xml using the variable from the top-level pom.xml:

<dependencies>
             :
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${version.h2.database}</version>
        <scope>test</scope>
    </dependency>
               :

Environment:

Application: grype
Version: 0.62.3
Syft Version: v0.83.0
BuildDate: 2023-06-06T00:36:27Z
GitCommit: 3865f4cc1dfcdcefbb7009400df153f24b18c772
GitDescription: v0.62.3
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
Supported DB Schema: 5

kzantow commented 1 year ago

Thanks for the report @sekveaja. I've moved this to the Syft repository, as this is where changes would be made for parent pom support. This is related to: https://github.com/anchore/syft/issues/1813. Currently, Syft does not support reading external pom files (e.g. the parent pom), which is why you are seeing this behavior. We are definitely interested in enhancing maven support and have a number of ideas how to improve this.

oxeye-daniel commented 8 months ago

Hey team, any update on this one?

nickolashkraus commented 6 months ago

I am also interested in this feature. Here is a small example:

I have a multi-module project with a pom.xml and app/pom.xml:

.
├── app
│   └── pom.xml
└── pom.xml

The pom.xml defines the following:

<project>
    <properties>
        <some.dependency.version>x.y.z</some.dependency.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>my.dependency</groupId>
                <artifactId>some-dependency</artifactId>
                <version>${some.dependency.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

The app/pom.xml defines the following:

<project>
    <parent>
        <relativePath>../pom.xml</relativePath>
    </parent>
    <dependencies>
        <dependency>
            <groupId>my.dependency</groupId>
            <artifactId>some-dependency</artifactId>
        </dependency>
    </dependencies>
</project>

Currently, Syft will not be able to resolve the version for the dependency specified in app/pom.xml, since it is set in the parent POM (pom.xml).

Related:
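The resolution both reports ask for, as an added illustration that is not Syft's code: walk the <parent><relativePath> chain, collect properties and <dependencyManagement> entries with the nearest POM winning, then expand ${...} in each dependency's version. The in-memory POMs, the helper names and the x:y dependency with an undefined property are constructed for the example; an unresolvable placeholder is deliberately left verbatim so the output shows the same "${version.h2.database}" that Grype printed when the parent was not read.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Constructed in-memory POMs modelled on the issue: the parent defines the
# property (and a managed guava version); the child only references them.
SAMPLE_POMS = {
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>'
    "<version.h2.database>1.4.200</version.h2.database><guava.version>15.0</guava.version>"
    "</properties><dependencyManagement><dependencies><dependency><groupId>com.google.guava"
    "</groupId><artifactId>guava</artifactId><version>${guava.version}</version></dependency>"
    "</dependencies></dependencyManagement></project>",
    "app/pom.xml": "<project><parent><relativePath>../pom.xml</relativePath></parent><dependencies>"
    "<dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId>"
    "<version>${version.h2.database}</version></dependency><dependency><groupId>com.google.guava"
    "</groupId><artifactId>guava</artifactId></dependency><dependency><groupId>x</groupId>"
    "<artifactId>y</artifactId><version>${undefined}</version></dependency></dependencies></project>",
}

def parse_pom(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the POM xmlns and trim text so plain tag paths work below
        el.tag, el.text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip() or None
    return root

def coord(dep):
    return f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"

def resolve_versions(poms, path):
    # 'groupId:artifactId' -> version for the POM at `path`, following <parent><relativePath> upward.
    chain = []
    while path in poms:  # child first, then parent, grandparent, ...
        chain.append(parse_pom(poms[path]))
        if chain[-1].find("parent") is None:
            break
        rel = chain[-1].findtext("parent/relativePath", "../pom.xml")  # Maven's default
        path = posixpath.normpath(posixpath.join(posixpath.dirname(path), rel))
    props, managed = {}, {}
    for root in reversed(chain):  # parents first, so the nearest POM wins as in Maven
        props.update({p.tag: p.text or "" for p in root.iterfind("properties/*")})
        for d in root.iterfind("dependencyManagement/dependencies/dependency"):
            managed[coord(d)] = d.findtext("version")
    def interpolate(value, depth=0):
        # Expand ${...} recursively; an unknown key stays verbatim (the issue's unresolved output).
        if value is None or depth > 10:
            return value
        out = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
        return out if out == value else interpolate(out, depth + 1)
    deps = chain[0].iterfind("dependencies/dependency") if chain else []
    return {coord(d): interpolate(d.findtext("version") or managed.get(coord(d))) for d in deps}
```

Running resolve_versions(SAMPLE_POMS, "app/pom.xml") yields 1.4.200 for h2 and 15.0 for guava; passing only the child POM reproduces the unresolved "${version.h2.database}" from the report.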

kzantow commented 1 month ago

This PR should be fixed by #2769