Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix some Maven manifest & resolver issues #1008

Merged
merged 3 commits into from
Jun 4, 2024
Merged

Fix some Maven manifest & resolver issues #1008

merged 3 commits into from
Jun 4, 2024

Conversation

michaelkedar
Copy link
Member

Some fixes for a few Maven resolver issues I've come across:

  1. Requirement origins weren't being tracked correctly if a package key was set by a property. Fixed by checking dependency keys before and after interpolation, and updating the map if they changed. (I've modified one of the tests to check for this case)
  2. To work around the resolver not resolving test or optional dependencies, made it so the pom.xml parser removes the test scope and optional flags.
  3. resolve.PackageKey was not sufficient to uniquely key the requirements for the Groups map in the Manifest. Made a new RequirementKey type with ecosystem-specific information for both npm and maven to solve this.

@codecov-commenter
Copy link

codecov-commenter commented May 30, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 83.17757% with 18 lines in your changes missing coverage. Please review.

Project coverage is 65.16%. Comparing base (f2a30a8) to head (edc44a7).

Files Patch % Lines
internal/resolution/manifest/maven.go 80.55% 10 Missing and 4 partials ⚠️
internal/resolution/manifest/manifest.go 63.63% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1008      +/-   ##
==========================================
+ Coverage   65.04%   65.16%   +0.12%     
==========================================
  Files         149      149              
  Lines       12252    12338      +86     
==========================================
+ Hits         7969     8040      +71     
- Misses       3835     3847      +12     
- Partials      448      451       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cuixq
cuixq approved these changes May 31, 2024
View reviewed changes
internal/remediation/suggest/maven_test.go Outdated Show resolved Hide resolved
internal/resolution/manifest/maven.go

newKeys := allKeys()
if len(prevKeys) != len(newKeys) {
return errors.New("number of dependencies changed after interpolation")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the number of dependencies may get changed after interpolation if we are not able to resolve any placeholder, but this should be very rare...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's kind of hard to know which dependencies are which in those cases, so I'll leave it as an error for now.

Added a comment here.

internal/resolution/manifest/maven.go
@@ -238,6 +309,12 @@ func (m MavenManifestIO) MergeParents(ctx context.Context, result *maven.Project
// - identifier to locate the profile/plugin which is profile ID or plugin name
// - (optional) suffix indicates if this is a dependency management
func makeRequirementVersion(dep maven.Dependency, origin string) resolve.RequirementVersion {
// Treat test & optional dependencies as regular dependencies to force the resolver to resolve them.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be fine for now, but we may "fix" the resolver to handle test and optional dependencies if it is not that much work, and this would benefit transitive support when scanning pom.xml.

@michaelkedar michaelkedar merged commit b1b8bfa into google:main Jun 4, 2024
12 of 13 checks passed
josieang pushed a commit to josieang/osv-scanner that referenced this pull request Jun 6, 2024
@michaelkedar @josieang
Fix some Maven manifest & resolver issues (google#1008)
291f4cb 
Some fixes for a few Maven resolver issues I've come across:
1. Requirement origins weren't being tracked correctly if a package key
was set by a property. Fixed by checking dependency keys before and
after interpolation, and updating the map if they changed. (I've
modified one of the tests to check for this case)
2. To work around the resolver not resolving test or optional
dependencies, made it so the pom.xml parser removes the test scope and
optional flags.
3. `resolve.PackageKey` was not sufficient to uniquely key the
requirements for the `Groups` map in the `Manifest`. Made a new
`RequirementKey` type with ecosystem-specific information for both npm
and maven to solve this.
@michaelkedar michaelkedar mentioned this pull request Jul 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cuixq cuixq cuixq approved these changes

@oliverchang oliverchang Awaiting requested review from oliverchang

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@michaelkedar @codecov-commenter @cuixq