DependencyManagement ignored in pom.xml

[cjnosal]

What happened:
Ran a directory scan containing an effective-pom on a spring boot project. Only 4 results (from the top-level <dependencies>) were returned.

What you expected to happen:
All dependencies at the root level and transitive dependencies nested in <dependencyManagement> to be present in syft output

Steps to reproduce the issue:

git clone https://github.com/sample-accelerators/tanzu-java-web-app
cd tanzu-java-web-app
./mvnw help:effective-pom -Doutput results/pom.xml
syft dir:results

Anything else we need to know?:

Environment:

• Output of syft version: 0.75.0
• OS (e.g: cat /etc/os-release or similar): ubuntu 20.04.6

[cjnosal]

For reference:
https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_pom_xml.go#L31
https://github.com/vifraa/gopom/blob/main/gopom.go#L221

[tgerla]

Hi @xtreme-conor-nosal, thanks for filing the issue, we will go ahead and put this in the backlog for a fix when we are able.

[kzantow]

Developer notes: there are 2 main issues here:

1. Syft does not download additional pom.xml information (e.g. parent POMs, transitive dependency POMs)
2. Syft does not honor the dependencyManagement section

Within the same POM, Syft should still honor dependencyManagement, which essentially are dependency groupId, artifactId, and version, where if a dependency appears in the dependency section without a version, it should be inferred from the dependencyManagement section.