Maven - enable dependencies resolution from Artifactory server in sca…

…n-repository (#623)

go.mod

@@ -119,7 +119,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240124134548-78e293fce02b
+replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240125091912-57672070a76e
 
 replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v0.0.0-20240124152653-e1bbae3aca97
 

go.sum

@@ -886,8 +886,8 @@ github.com/jfrog/gofrog v1.5.1 h1:2AXL8hHu1jJFMIoCqTp2OyRUfEqEp4nC7J8fwn6KtwE=
 github.com/jfrog/gofrog v1.5.1/go.mod h1:SZ1EPJUruxrVGndOzHd+LTiwWYKMlHqhKD+eu+v5Hqg=
 github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240124134548-78e293fce02b h1:dUZOuqsa/3jLZ01B1xJeh2vTHchW7O+MbWn+VEp/Qj4=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240124134548-78e293fce02b/go.mod h1:RVn4pIkR5fPUnr8gFXt61ou3pCNrrDdRQUpcolP4lhw=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240125091912-57672070a76e h1:lANOnwX+W1KDQvMvvluYTlNOOSx9y1wbhix4P1gvfrM=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240125091912-57672070a76e/go.mod h1:RVn4pIkR5fPUnr8gFXt61ou3pCNrrDdRQUpcolP4lhw=
 github.com/jfrog/jfrog-cli-security v0.0.0-20240124152653-e1bbae3aca97 h1:GQ3Wpd6azcHqYoiAEUegKxjpND9Y1iRlqk+b1YnYItk=
 github.com/jfrog/jfrog-cli-security v0.0.0-20240124152653-e1bbae3aca97/go.mod h1:UyNpvcVQcQSdtzcg6WvUgDd85IztuwzJTFebULWg260=
 github.com/jfrog/jfrog-client-go v1.36.0 h1:iODLDjYSlK7rLH8/lEmAFHwYsboeBfaqxXybz6waraE=

packagehandlers/mavenpackagehandler.go

@@ -152,16 +152,30 @@ type MavenPackageHandler struct {
 	*java.MavenDepTreeManager
 }
 
-func (mph *MavenPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
-	if err := mph.getProjectPoms(); err != nil {
+func (mph *MavenPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) (err error) {
+	// When resolution from an Artifactory server is necessary, a settings.xml file will be generated, and its path will be set in mph.
+	if mph.GetDepsRepo() != "" {
+		var clearMavenDepTreeRun func() error
+		_, clearMavenDepTreeRun, err = mph.CreateTempDirWithSettingsXmlIfNeeded()
+		if err != nil {
+			return
+		}
+		defer func() {
+			err = errors.Join(err, clearMavenDepTreeRun())
+		}()
+	}
+
+	err = mph.getProjectPoms()
+	if err != nil {
 		return err
 	}
+
 	// Get direct dependencies for each pom.xml file
 	if mph.pomDependencies == nil {
 		mph.pomDependencies = make(map[string]pomDependencyDetails)
 	}
 	for _, pp := range mph.pomPaths {
-		if err := mph.fillDependenciesMap(pp.PomPath); err != nil {
+		if err = mph.fillDependenciesMap(pp.PomPath); err != nil {
 			return err
 		}
 	}
@@ -184,16 +198,28 @@ func (mph *MavenPackageHandler) UpdateDependency(vulnDetails *utils.Vulnerabilit
 	return mph.updatePackageVersion(vulnDetails.ImpactedDependencyName, vulnDetails.SuggestedFixedVersion, depDetails.foundInDependencyManagement)
 }
 
+// Returns project's Pom paths. This function requires an execution of maven-dep-tree 'project' command prior to its execution
 func (mph *MavenPackageHandler) getProjectPoms() (err error) {
 	// Check if we already scanned the project pom.xml locations
 	if len(mph.pomPaths) > 0 {
 		return
 	}
+
+	oldSettingsXmlPath := mph.GetSettingsXmlPath()
+
 	var depTreeOutput string
-	if depTreeOutput, err = mph.RunMavenDepTree(); err != nil {
+	var clearMavenDepTreeRun func() error
+	if depTreeOutput, clearMavenDepTreeRun, err = mph.RunMavenDepTree(); err != nil {
 		err = fmt.Errorf("failed to get project poms while running maven-dep-tree: %s", err.Error())
+		if clearMavenDepTreeRun != nil {
+			err = errors.Join(err, clearMavenDepTreeRun())
+		}
 		return
 	}
+	defer func() {
+		err = clearMavenDepTreeRun()
+		mph.SetSettingsXmlPath(oldSettingsXmlPath)
+	}()
 
 	for _, jsonContent := range strings.Split(depTreeOutput, "\n") {
 		if jsonContent == "" {

packagehandlers/packagehandlers_test.go

@@ -521,6 +521,7 @@ func TestGetProjectPoms(t *testing.T) {
 	defer func() {
 		assert.NoError(t, os.Chdir(currDir))
 	}()
+
 	assert.NoError(t, mvnHandler.getProjectPoms())
 	assert.Len(t, mvnHandler.pomPaths, 2)
 }