Skip to content

Use LatestRelease for BOM version filtering in upgrade search#6908

Merged
timtebeek merged 7 commits intomainfrom
Jenson3210/fix-bom-upgrade-unavailable-version
Mar 11, 2026
Merged

Use LatestRelease for BOM version filtering in upgrade search#6908
timtebeek merged 7 commits intomainfrom
Jenson3210/fix-bom-upgrade-unavailable-version

Conversation

@Jenson3210
Copy link
Contributor

@Jenson3210 Jenson3210 commented Mar 10, 2026
edited by timtebeek
Loading

Summary

  • Fix BOM upgrade search to use LatestRelease for filtering BOM versions instead of the dependency's version comparator
  • Add defensive try/catch for BOM POM downloads that may be listed in metadata but not available

Problem

When UpgradeDependencyVersion upgrades a dependency managed by a BOM, it first attempts to find a newer BOM version that manages the dependency at the target version. The BOM version search used the dependency's versionComparator to filter candidate BOM versions.

This fails when the BOM uses a different versioning scheme than the dependency. For example, jackson-bom uses versions like 2.13.4.20221013 while jackson-databind uses 2.13.4.2. With ExactVersion("2.13.4.2"), the filter rejects 2.13.4.20221013 because it doesn't match exactly, so the BOM upgrade silently fails.

The recipe then falls through to upgrade the dependency individually. If the version is managed through a shared property with the BOM import (e.g., ${jackson.version}), changing the property also changes the BOM to a non-existent version, producing "Unable to download POM" errors.

Solution

Use LatestRelease to filter BOM versions instead of the dependency's versionComparator. This accepts any valid release version newer than the current BOM version. The actual matching (does this BOM manage the target dependency at the target version?) is already handled by the iteration loop in findNewerBomVersionWithDependency.

Test plan

  • New test upgradeBomWhenBomVersioningDiffersFromDependency verifies jackson-bom upgrade from 2.13.4 to 2.13.4.20221013 when upgrading jackson-databind to 2.13.4.2

  • Test fails without the fix (adds explicit version instead of upgrading BOM)

  • Existing BOM upgrade tests pass (upgradeBomInsteadOfOverridingDependency, bomUpgradeSkipsSnapshotVersions)

  • Full UpgradeDependencyVersionTest suite passes

  • Fixes moderneinc/customer-requests#1968

@github-project-automation github-project-automation bot moved this to In Progress in OpenRewrite Mar 10, 2026
@Jenson3210 Jenson3210 changed the title Don't change shared property when upgrading dependency managed by BOM Skip unavailable BOM versions during BOM upgrade search Mar 10, 2026
@Jenson3210 Jenson3210 marked this pull request as draft March 10, 2026 14:23
@Jenson3210 Jenson3210 changed the title Skip unavailable BOM versions during BOM upgrade search Use LatestRelease for BOM version filtering in upgrade search Mar 10, 2026
@Jenson3210 Jenson3210 force-pushed the Jenson3210/fix-bom-upgrade-unavailable-version branch from b496e2c to 133b260 Compare March 10, 2026 19:31
@Jenson3210
Skip unavailable BOM versions during BOM upgrade search
f533bfa 
When UpgradeDependencyVersion attempts to upgrade a BOM to find a version
that manages a dependency at a target version, it iterates over available
BOM versions from metadata and downloads each POM to check. If a BOM
version is listed in metadata but its POM is unavailable (404), the
MavenDownloadingException would propagate up and add spurious error markers
to the document.

This is the case for jackson-databind CVE patches: jackson-databind has
versions 2.13.4.1 and 2.13.4.2, but jackson-bom does not have matching
patch versions. When the metadata lists a non-existent BOM version, the
download failure now gets caught inside the search loop and the next
candidate version is tried instead.
@Jenson3210
Simplify test to use real jackson artifacts, add mock for error path
9fa88d8 
Replace complex mock test with a simple test using real jackson-bom and
jackson-databind artifacts from Maven Central. Add a focused mock test
for the specific error path where a BOM version appears in metadata but
its POM is unavailable.
@Jenson3210
Don't change shared property when upgrading dependency version with BOM
f93dd99 
When a dependency and its BOM import share the same version property
(e.g. ${jackson.version}), upgrading the dependency version would change
the property value globally, also pointing the BOM at the new version.
If the BOM doesn't publish a matching version (e.g. jackson-databind has
2.13.4.2 for a CVE fix but jackson-bom does not), this causes an
"Unable to download POM" error.

Now when the dependency version is a property that's also used by the
BOM import, the recipe replaces the property reference on the dependency
with the literal new version instead of changing the shared property.
Also catch MavenDownloadingException in the BOM version search loop so
that unavailable BOM POMs are skipped gracefully.
@Jenson3210
Remove shared property fix, keep only defensive BOM download handling
f32c8c7
@Jenson3210
Use LatestRelease for BOM version filtering in upgrade search
b914f85 
The BOM upgrade search in getAvailableBomVersions was using the
dependency's version comparator to filter BOM versions. When the
BOM uses a different versioning scheme than the dependency (e.g.,
jackson-bom uses 2.13.4.20221013 while jackson-databind uses
2.13.4.2), ExactVersion would reject valid BOM versions because
they don't match the dependency version string exactly.

This caused the BOM upgrade to fail silently, falling through to
upgrade the dependency individually. If the dependency version was
managed through a shared property with the BOM import, changing
the property would also change the BOM to a non-existent version,
producing "Unable to download POM" errors.

Now uses LatestRelease to filter BOM versions, which accepts any
valid release version newer than the current BOM version. The
actual matching (does this BOM manage the target dependency at
the target version?) is already handled in the iteration loop.

Fixes moderneinc/customer-requests#1968
@Jenson3210 Jenson3210 force-pushed the Jenson3210/fix-bom-upgrade-unavailable-version branch from 133b260 to b914f85 Compare March 11, 2026 07:55
@Jenson3210
Remove unnecessary try/catch around BOM download
a912d5b 
The defensive try/catch is no longer needed now that the root cause
is fixed — BOM versions are filtered correctly with LatestRelease.
@Jenson3210
Remove explanatory comment
4c7c8ea
@Jenson3210 Jenson3210 requested a review from timtebeek March 11, 2026 08:08
@Jenson3210 Jenson3210 marked this pull request as ready for review March 11, 2026 08:08
timtebeek
timtebeek approved these changes Mar 11, 2026
View reviewed changes
Copy link
Member

@timtebeek timtebeek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working out & explaining this scenario!

@github-project-automation github-project-automation bot moved this from In Progress to Ready to Review in OpenRewrite Mar 11, 2026
@timtebeek timtebeek merged commit 3535f7d into main Mar 11, 2026
2 checks passed
@timtebeek timtebeek deleted the Jenson3210/fix-bom-upgrade-unavailable-version branch March 11, 2026 17:22
@github-project-automation github-project-automation bot moved this from Ready to Review to Done in OpenRewrite Mar 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timtebeek timtebeek timtebeek approved these changes

Assignees

@Jenson3210 Jenson3210

Labels

None yet

Projects

OpenRewrite
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jenson3210 @timtebeek