Support Maven multi-level configuration file / parent POM #2017

Open
sekveaja opened this issue Aug 11, 2023 · 3 comments · May be fixed by #2669 or #2769
Labels
bug Something isn't working

Comments

@sekveaja

What happened:
Running Grype on a local development directory.
Variables are not interpreted correctly in a multi-level configuration file.
See the following example with the ${version.h2.database} variable:

$ grype ./My_project
NAME   INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
:
guava  15.0                     24.1.1    java-archive  GHSA-mvr2-9pj6-7w5j  Medium
guava  15.0                     32.0.0    java-archive  GHSA-7g45-4rm6-3mm3  Medium
h2     ${version.h2.database}             java-archive  CVE-2022-45868       High
h2     ${version.h2.database}   2.1.210   java-archive  GHSA-45hx-wfhj-473x  Critical
h2     ${version.h2.database}   2.2.220   java-archive  GHSA-22wj-vf5f-wrvj  High
:

What you expected to happen:
Every variable should be replaced with a value.

NAME   INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
h2     1.4.200              java-archive  CVE-2022-45868       High
h2     1.4.200    2.1.210   java-archive  GHSA-45hx-wfhj-473x  Critical
h2     1.4.200    2.2.220   java-archive  GHSA-22wj-vf5f-wrvj  High

How to reproduce it (as minimally and precisely as possible):

The property name and value are defined in the top/parent-level pom.xml:

<properties>
     :
    <version.h2.database>1.4.200</version.h2.database>
     :
</properties>

The application level defines its dependency in pom.xml using the variable from the top-level pom.xml:

<dependencies>
             :
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${version.h2.database}</version>
        <scope>test</scope>
    </dependency>
               :

Environment:

Application: grype
Version: 0.62.3
Syft Version: v0.83.0
BuildDate: 2023-06-06T00:36:27Z
GitCommit: 3865f4cc1dfcdcefbb7009400df153f24b18c772
GitDescription: v0.62.3
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
Supported DB Schema: 5

@sekveaja sekveaja added the bug Something isn't working label Aug 11, 2023
@sekveaja sekveaja changed the title from "Variable not interpreting" to "Variable not interpreting in multi-level configuration file" Aug 11, 2023
@kzantow kzantow transferred this issue from anchore/grype Aug 11, 2023
@kzantow
Contributor

kzantow commented Aug 11, 2023

Thanks for the report @sekveaja. I've moved this to the Syft repository, as this is where changes would be made for parent pom support. This is related to: #1813. Currently, Syft does not support reading external pom files (e.g. the parent pom), which is why you are seeing this behavior. We are definitely interested in enhancing maven support and have a number of ideas how to improve this.

@kzantow kzantow changed the title from "Variable not interpreting in multi-level configuration file" to "Support Maven multi-level configuration file / parent POM" Aug 11, 2023
@oxeye-daniel

Hey team, any update on this one?

@nickolashkraus

I am also interested in this feature. Here is a small example:

I have a multi-module project with a pom.xml and app/pom.xml:

.
├── app
│   └── pom.xml
└── pom.xml

The pom.xml defines the following:

<project>
    <properties>
        <some.dependency.version>x.y.z</some.dependency.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>my.dependency</groupId>
                <artifactId>some-dependency</artifactId>
                <version>${some.dependency.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

The app/pom.xml defines the following:

<project>
    <parent>
        <relativePath>../pom.xml</relativePath>
    </parent>
    <dependencies>
        <dependency>
            <groupId>my.dependency</groupId>
            <artifactId>some-dependency</artifactId>
        </dependency>
    </dependencies>
</project>

Currently, Syft will not be able to resolve the version for the dependency specified in app/pom.xml, since it is set in the parent POM (pom.xml).

Related:

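Added example, not Syft's code and not posted by anyone in this thread: a small Go program that does what the report and the comment above ask for. It follows <parent><relativePath> upward from a module pom.xml, merges <properties> and <dependencyManagement> root-first so the nearest POM wins, and substitutes ${...} in the module's own dependency versions. The two-level tree served by readSample is constructed for the example (h2 via a parent property, guava via a managed version); the names repo/pom.xml and repo/app/pom.xml, the 10-level cap on the parent walk, and ../pom.xml as the default relativePath are assumptions. It reads local files only: a parent that exists solely in a remote repository or ~/.m2 is not looked up, and profiles, relocation and nested property references are out of scope.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"path"
	"regexp"
)

// Minimal POM model: only what is needed to follow <parent> and resolve versions.
type pom struct {
	Parent     *struct{ RelativePath string `xml:"relativePath"` }                                       `xml:"parent"`
	Properties struct{ Entries []struct{ XMLName xml.Name; Value string `xml:",chardata"` } `xml:",any"` } `xml:"properties"`
	Managed    []dependency `xml:"dependencyManagement>dependencies>dependency"`
	Deps       []dependency `xml:"dependencies>dependency"`
}

type dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// loadChain parses pomPath and follows <parent><relativePath> upward (nearest POM first).
// maxDepth bounds the walk so a self-referencing or crafted relativePath cannot loop the scanner.
func loadChain(pomPath string, read func(string) ([]byte, error), maxDepth int) ([]pom, error) {
	var chain []pom
	for cur, depth := path.Clean(pomPath), 0; depth <= maxDepth; depth++ {
		data, err := read(cur)
		if err != nil {
			return nil, err
		}
		var p pom
		if err := xml.Unmarshal(data, &p); err != nil {
			return nil, fmt.Errorf("parsing %s: %w", cur, err)
		}
		chain = append(chain, p)
		if p.Parent == nil {
			return chain, nil // no <parent>: this is the root of the chain
		}
		rel := p.Parent.RelativePath
		if rel == "" {
			rel = "../pom.xml" // Maven's default; assumed here to name a file rather than a directory
		}
		cur = path.Join(path.Dir(cur), rel)
	}
	return nil, fmt.Errorf("parent chain of %s deeper than %d levels (cycle?)", pomPath, maxDepth)
}

// expand substitutes ${name} placeholders; an unknown property is left verbatim, which is
// exactly what the unresolved ${version.h2.database} in the report above shows.
func expand(s string, props map[string]string) string {
	return regexp.MustCompile(`\$\{[^}]+\}`).ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := props[m[2:len(m)-1]]; ok {
			return v
		}
		return m
	})
}

// ResolveModule maps "groupId:artifactId" to the resolved version for the module's own
// dependencies. Properties and managed versions merge root-first so the nearest POM wins.
func ResolveModule(pomPath string, read func(string) ([]byte, error)) (map[string]string, error) {
	chain, err := loadChain(pomPath, read, 10)
	if err != nil {
		return nil, err
	}
	props, managed := map[string]string{}, map[string]string{}
	for i := len(chain) - 1; i >= 0; i-- {
		for _, e := range chain[i].Properties.Entries {
			props[e.XMLName.Local] = e.Value
		}
		for _, d := range chain[i].Managed {
			managed[d.GroupID+":"+d.ArtifactID] = d.Version
		}
	}
	out := map[string]string{}
	for _, d := range chain[0].Deps {
		key, v := d.GroupID+":"+d.ArtifactID, d.Version
		if v == "" {
			v = managed[key] // no <version>: inherited from dependencyManagement
		}
		out[key] = expand(v, props)
	}
	return out, nil
}

// readSample serves a constructed two-level tree (not the reporter's project): the root
// defines the property plus a managed guava version, and app/pom.xml relies on both.
func readSample(p string) ([]byte, error) {
	tree := map[string]string{
		"repo/pom.xml": `<project>
  <properties><version.h2.database>1.4.200</version.h2.database><guava.version>15.0</guava.version></properties>
  <dependencyManagement><dependencies><dependency><groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId><version>${guava.version}</version></dependency></dependencies></dependencyManagement>
</project>`,
		"repo/app/pom.xml": `<project>
  <parent><relativePath>../pom.xml</relativePath></parent>
  <dependencies><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><version>${version.h2.database}</version></dependency>
  <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId></dependency></dependencies>
</project>`,
	}
	if s, ok := tree[p]; ok {
		return []byte(s), nil
	}
	return nil, fmt.Errorf("no such file: %s", p)
}
```

ResolveModule("repo/app/pom.xml", readSample) yields 1.4.200 for com.h2database:h2 and 15.0 for com.google.guava:guava, which is the output the reporter expected. A relativePath that points back at its own file makes loadChain stop with an error instead of spinning; that bound is worth keeping in any real implementation, since SBOM scanners routinely run over untrusted source trees.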
@GijsCalis GijsCalis linked a pull request Feb 24, 2024 that will close this issue
@GijsCalis GijsCalis linked a pull request Apr 11, 2024 that will close this issue
Projects
Status: Backlog
4 participants