Maven standard dependencies should take precedence over managed depen…

…dencies (#1000)

Managed dependencies are not real dependencies so they should not take
precedence over standard dependencies.

Dependency management is used to control the versions of artifacts used
in transitive dependencies.
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management

Also, version requirements in managed dependencies are only referred
when the requirement is not defined for that dependency in standard
dependencies section.

pkg/lockfile/parse-maven-lock.go

@@ -121,9 +121,8 @@ func (e MavenLockExtractor) Extract(f DepFile) ([]PackageDetails, error) {
 
 	details := map[string]PackageDetails{}
 
-	for _, lockPackage := range parsedLockfile.Dependencies {
+	for _, lockPackage := range parsedLockfile.ManagedDependencies {
 		finalName := lockPackage.GroupID + ":" + lockPackage.ArtifactID
-
 		pkgDetails := PackageDetails{
 			Name:      finalName,
 			Version:   lockPackage.ResolveVersion(*parsedLockfile),
@@ -137,9 +136,10 @@ func (e MavenLockExtractor) Extract(f DepFile) ([]PackageDetails, error) {
 		details[finalName] = pkgDetails
 	}
 
-	// managed dependencies take precedent over standard dependencies
-	for _, lockPackage := range parsedLockfile.ManagedDependencies {
+	// standard dependencies take precedent over managed dependencies
+	for _, lockPackage := range parsedLockfile.Dependencies {
 		finalName := lockPackage.GroupID + ":" + lockPackage.ArtifactID
+
 		pkgDetails := PackageDetails{
 			Name:      finalName,
 			Version:   lockPackage.ResolveVersion(*parsedLockfile),

pkg/lockfile/parse-maven-lock_test.go

@@ -154,7 +154,7 @@ func TestParseMavenLock_WithDependencyManagement(t *testing.T) {
 	expectPackages(t, packages, []lockfile.PackageDetails{
 		{
 			Name:      "io.netty:netty-all",
-			Version:   "4.1.42.Final",
+			Version:   "4.1.9",
 			Ecosystem: lockfile.MavenEcosystem,
 			CompareAs: lockfile.MavenEcosystem,
 		},