fix check pom properties for version (anchore#1251)

Signed-off-by: Rob Tompkins <chtompki@apache.org>
chtompki · Oct 24, 2022 · 68e49bf · 68e49bf
1 parent d8c659b
commit 68e49bf
Show file tree

Hide file tree

Showing 3 changed files with 714 additions and 0 deletions.
diff --git a/syft/pkg/cataloger/java/parse_pom_xml.go b/syft/pkg/cataloger/java/parse_pom_xml.go
@@ -24,6 +24,10 @@ func parserPomXML(path string, content io.Reader) ([]*pkg.Package, []artifact.Re
 
 	var pkgs []*pkg.Package
 	for _, dep := range pom.Dependencies {
+		if strings.HasPrefix(dep.Version, "${") {
+			versionProperty := dep.Version[2 : len(dep.Version)-1]
+			dep.Version = pom.Properties.Entries[versionProperty]
+		}
 		p := newPackageFromPom(dep)
 		if p.Name == "" {
 			continue

diff --git a/syft/pkg/cataloger/java/parse_pom_xml_test.go b/syft/pkg/cataloger/java/parse_pom_xml_test.go
@@ -57,6 +57,141 @@ func Test_parserPomXML(t *testing.T) {
 	}
 }
 
+func Test_parseCommonsTextPomXMLProject(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected []*pkg.Package
+	}{
+		{
+			input: "test-fixtures/pom/commons-text.pom.xml",
+			expected: []*pkg.Package{
+				{
+					Name:         "commons-lang3",
+					Version:      "3.12.0",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
+					},
+				},
+				{
+					Name:         "junit-jupiter",
+					Version:      "",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.junit.jupiter/junit-jupiter",
+					},
+				},
+				{
+					Name:         "assertj-core",
+					Version:      "3.23.1",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.assertj/assertj-core@3.23.1",
+					},
+				},
+				{
+					Name:         "commons-io",
+					Version:      "2.11.0",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/commons-io/commons-io@2.11.0",
+					},
+				},
+				{
+					Name:         "mockito-inline",
+					Version:      "4.8.0",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.mockito/mockito-inline@4.8.0",
+					},
+				},
+				{
+					Name:         "js",
+					Version:      "22.0.0.2",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.graalvm.js/js@22.0.0.2",
+					},
+				},
+				{
+					Name:         "js-scriptengine",
+					Version:      "22.0.0.2",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.graalvm.js/js-scriptengine@22.0.0.2",
+					},
+				},
+				{
+					Name:         "commons-rng-simple",
+					Version:      "1.4",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.apache.commons/commons-rng-simple@1.4",
+					},
+				},
+				{
+					Name:         "jmh-core",
+					Version:      "1.35",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.openjdk.jmh/jmh-core@1.35",
+					},
+				},
+				{
+					Name:         "jmh-generator-annprocess",
+					Version:      "1.35",
+					FoundBy:      javaPomCataloger,
+					Language:     pkg.Java,
+					Type:         pkg.JavaPkg,
+					MetadataType: pkg.JavaMetadataType,
+					Metadata: pkg.JavaMetadata{
+						PURL: "pkg:maven/org.openjdk.jmh/jmh-generator-annprocess@1.35",
+					},
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.input, func(t *testing.T) {
+			fixture, err := os.Open(test.input)
+			assert.NoError(t, err)
+
+			actual, relationships, err := parserPomXML(fixture.Name(), fixture)
+			assert.NoError(t, err)
+			assert.Nil(t, relationships)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
 func Test_parsePomXMLProject(t *testing.T) {
 	tests := []struct {
 		expected pkg.PomProject