Add a new Java configuration option to recursively search parent poms…

… for licenses

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

README.md

@@ -610,6 +610,7 @@ java:
    # but it is not accessible from within the final built artifact
    search-maven-for-licenses: false
    maven-url: "https://repo1.maven.org/maven2"
+   max-parent-recursive-depth: 5
 
 linux-kernel:
    # whether to catalog linux kernel modules found within lib/modules/** directories

cmd/syft/cli/options/catalog.go

@@ -141,7 +141,8 @@ func (cfg Catalog) ToCatalogerConfig() cataloger.Config {
 		},
 		Java: javaCataloger.DefaultCatalogerOpts().
 			WithSearchMavenForLicenses(cfg.Java.SearchMavenForLicenses).
-			WithMavenCentralURL(cfg.Java.MavenURL),
+			WithMavenCentralURL(cfg.Java.MavenURL).
+			WithMaxParentRecursiveDepth(cfg.Java.MaxParentRecursiveDepth),
 		Python: pythonCataloger.CatalogerConfig{
 			GuessUnpinnedRequirements: cfg.Python.GuessUnpinnedRequirements,
 		},

cmd/syft/cli/options/java.go

@@ -1,6 +1,7 @@
 package options
 
 type java struct {
-	SearchMavenForLicenses bool   `yaml:"search-maven-for-licenses" json:"search-maven-for-licenses" mapstructure:"search-maven-for-licenses"`
-	MavenURL               string `yaml:"maven-url" json:"maven-url" mapstructure:"maven-url"`
+	SearchMavenForLicenses  bool   `yaml:"search-maven-for-licenses" json:"search-maven-for-licenses" mapstructure:"search-maven-for-licenses"`
+	MavenURL                string `yaml:"maven-url" json:"maven-url" mapstructure:"maven-url"`
+	MaxParentRecursiveDepth int    `yaml:"max-parent-recursive-depth" json:"max-parent-recursive-depth" mapstructure:"max-parent-recursive-depth"`
 }

syft/pkg/cataloger/config.go

@@ -38,5 +38,6 @@ func (c Config) JavaConfig() java.Config {
 		SearchUnindexedArchives: c.Search.IncludeUnindexedArchives,
 		SearchIndexedArchives:   c.Search.IncludeIndexedArchives,
 		SearchMavenForLicenses:  c.Java.SearchMavenForLicenses,
+		MaxParentRecursiveDepth: c.Java.MaxParentRecursiveDepth,
 	}
 }

syft/pkg/cataloger/java/archive_parser.go

@@ -287,7 +287,7 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi
 		version = pomProjectObject.Version
 	}
 	if pomProjectObject != nil && j.cfg.SearchMavenForLicenses {
-		findPomLicenses(pomProjectObject)
+		findPomLicenses(pomProjectObject, j.cfg.MaxParentRecursiveDepth)
 	}
 
 	if pomProjectObject != nil {
@@ -304,17 +304,17 @@ func artifactIDMatchesFilename(artifactID, fileName string) bool {
 	return strings.HasPrefix(artifactID, fileName) || strings.HasSuffix(fileName, artifactID)
 }
 
-func findPomLicenses(pomProjectObject *parsedPomProject) {
+func findPomLicenses(pomProjectObject *parsedPomProject, MaxParentRecursiveDepth int) {
 	// If we don't have any licenses until now, and if we have a parent Pom, then we'll check the parent pom in maven central for licenses.
 	if pomProjectObject != nil && pomProjectObject.Parent != nil && len(pomProjectObject.Licenses) == 0 {
-		parentPom, err := getPomFromMavenCentral(pomProjectObject.Parent.GroupID, pomProjectObject.Parent.ArtifactID, pomProjectObject.Parent.Version)
+		parentLicenses, err := recursivelyFindLicensesFromParentPom(pomProjectObject.Parent.GroupID, pomProjectObject.Parent.ArtifactID,
+			pomProjectObject.Parent.Version, MaxParentRecursiveDepth)
 		if err != nil {
 			// We don't want to abort here as the parent pom might not exist in Maven Central, we'll just log the error
 			log.Tracef("unable to get parent pom from Maven central: %v", err)
 			return
 		}
-		parentLicenses := parseLicensesFromPom(parentPom)
-		if len(parentLicenses) > 0 || parentPom == nil || parentPom.Parent == nil {
+		if len(parentLicenses) > 0 {
 			for _, licenseName := range parentLicenses {
 				pomProjectObject.Licenses = append(pomProjectObject.Licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
 			}
@@ -336,6 +336,28 @@ func formatMavenPomURL(groupID, artifactID, version string) (requestURL string,
 	return requestURL, err
 }
 
+func recursivelyFindLicensesFromParentPom(groupId, artifactId, version string, MaxParentRecursiveDepth int) ([]string, error) {
+	var licenses []string
+	// As there can be nested parent poms, we'll recursively check for licenses until we reach the max depth
+	for i := 0; i < MaxParentRecursiveDepth; i++ {
+		parentPom, err := getPomFromMavenCentral(groupId, artifactId, version)
+		if err != nil {
+			return nil, err
+		}
+		parentLicenses := parseLicensesFromPom(parentPom)
+		if len(parentLicenses) > 0 || parentPom == nil || parentPom.Parent == nil {
+			licenses = parentLicenses
+			break
+		}
+
+		groupId = *parentPom.Parent.GroupID
+		artifactId = *parentPom.Parent.ArtifactID
+		version = *parentPom.Parent.Version
+	}
+
+	return licenses, nil
+}
+
 func getPomFromMavenCentral(groupID, artifactID, version string) (*gopom.Project, error) {
 	requestURL, err := formatMavenPomURL(groupID, artifactID, version)
 	if err != nil {

syft/pkg/cataloger/java/config.go

@@ -5,4 +5,5 @@ type Config struct {
 	SearchIndexedArchives   bool
 	SearchMavenForLicenses  bool
 	MavenBaseURL            string
+	MaxParentRecursiveDepth int
 }

syft/pkg/cataloger/java/options.go

@@ -3,8 +3,9 @@ package java
 const MavenBaseURL = "https://repo1.maven.org/maven2"
 
 type CatalogerOpts struct {
-	SearchMavenForLicenses bool
-	MavenURL               string
+	SearchMavenForLicenses  bool
+	MavenURL                string
+	MaxParentRecursiveDepth int
 }
 
 func (j CatalogerOpts) WithSearchMavenForLicenses(input bool) CatalogerOpts {
@@ -19,9 +20,17 @@ func (j CatalogerOpts) WithMavenCentralURL(input string) CatalogerOpts {
 	return j
 }
 
+func (j CatalogerOpts) WithMaxParentRecursiveDepth(input int) CatalogerOpts {
+	if input > 0 {
+		j.MaxParentRecursiveDepth = input
+	}
+	return j
+}
+
 func DefaultCatalogerOpts() CatalogerOpts {
 	return CatalogerOpts{
-		SearchMavenForLicenses: false,
-		MavenURL:               MavenBaseURL,
+		SearchMavenForLicenses:  false,
+		MavenURL:                MavenBaseURL,
+		MaxParentRecursiveDepth: 5,
 	}
 }