KunalSin9h
Member

fixes #425

Screenshots:

For parent bom resolution: [screenshot]

For simple pom.xml: [screenshot]

Result of --report-json (report.json): [screenshot]

@KunalSin9h KunalSin9h requested a review from abhisek May 20, 2025 09:30
@KunalSin9h KunalSin9h marked this pull request as ready for review May 20, 2025 09:30
@KunalSin9h KunalSin9h changed the title Fix/maven pomxml Fix/ Bug in Resolving Package Version in Maven POM with Dependency Management May 20, 2025
github-actions bot commented May 20, 2025

vet Summary Report

This report is generated by vet

Policy Checks

  • ✅ Vulnerability
  • ✅ Malware
  • ✅ License
  • ❌ Popularity
  • ❌ Maintenance
  • ✅ Security Posture
  • ✅ Threats

Malicious Package Analysis

Malicious package analysis was performed using SafeDep Cloud API

Malicious Package Analysis Report

Ecosystem     Package                                                        Version                            Status  Report
ECOSYSTEM_GO  github.com/felixge/httpsnoop                                   1.0.4                                      🔗
ECOSYSTEM_GO  github.com/gogo/protobuf                                       1.3.2                                      🔗
ECOSYSTEM_GO  google.golang.org/genproto                                     0.0.0-20241202173237-19429a94021a          🔗
ECOSYSTEM_GO  github.com/tidwall/pretty                                      1.2.1                                      🔗
ECOSYSTEM_GO  github.com/tidwall/match                                       1.1.1                                      🔗
ECOSYSTEM_GO  github.com/tidwall/gjson                                       1.18.0                                     🔗
ECOSYSTEM_GO  github.com/golang/groupcache                                   0.0.0-20241129210726-2c02b8208cf8          🔗
ECOSYSTEM_GO  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp  0.59.0                                     🔗

  • ℹ️ 8 packages have been actively analyzed for malicious behaviour.
  • ✅ No malicious packages found.

Note: Some of the package analysis jobs may still be running. Please check back later. Consider increasing the timeout for better coverage.

Changed Packages

  • ✅ [Go] github.com/distribution/reference@0.6.0
  • ✅ [Go] github.com/docker/distribution@2.8.3+incompatible
  • ⚠️ [Go] github.com/tidwall/gjson@1.18.0
  • ⚠️ [Go] github.com/go-git/gcfg@1.5.1-0.20230307220236-3a3c6141e376
  • ⚠️ [Go] github.com/moby/locker@1.0.1
  • ⚠️ [Go] github.com/deitch/magic@0.0.0-20240306090643-c67ab88f10cb
  • ⚠️ [Go] github.com/secDre4mer/pkcs7@0.0.0-20240322103146-665324a4461d
  • ⚠️ [Go] github.com/containerd/typeurl/v2@2.1.1
  • ⚠️ [Go] github.com/edsrzf/mmap-go@1.1.0
  • ✅ [Go] github.com/containerd/ttrpc@1.2.7
  • ✅ [Go] github.com/AdaLogics/go-fuzz-headers@0.0.0-20230811130428-ced1acdcaa24
  • ✅ [Go] github.com/containerd/continuity@0.4.4
  • ✅ [Go] github.com/golang/groupcache@0.0.0-20241129210726-2c02b8208cf8
  • ✅ [Go] github.com/spdx/gordf@0.0.0-20221230105357-b735bd5aac89
  • ✅ [Go] github.com/moby/sys/signal@0.7.0
  • ✅ [Go] github.com/Microsoft/hcsshim@0.11.7
  • ⚠️ [Go] github.com/containerd/platforms@0.2.1
  • ✅ [Go] github.com/containerd/cgroups@1.1.0
  • ✅ [Go] google.golang.org/genproto@0.0.0-20241202173237-19429a94021a
  • ✅ [Go] deps.dev/util/maven@0.0.0-20250307021655-d811e36f9cad
  • ✅ [Go] github.com/opencontainers/image-spec@1.1.1
  • ✅ [Go] github.com/go-git/go-billy/v5@5.6.2
  • ⚠️ [Go] github.com/tidwall/jsonc@0.3.2
  • ⚠️ [Go] github.com/tidwall/pretty@1.2.1
  • ✅ [Go] github.com/go-git/go-git/v5@5.14.0
  • ✅ [Go] deps.dev/api/v3@3.0.0-20250307021655-d811e36f9cad
  • ⚠️ [Go] go.opencensus.io@0.24.0
  • ✅ [Go] github.com/moby/sys/sequential@0.5.0
  • ✅ [Go] go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@0.59.0
  • ⚠️ [Go] github.com/felixge/httpsnoop@1.0.4
  • ✅ [Go] github.com/containerd/stargz-snapshotter/estargz@0.16.3
  • ✅ [Go] deps.dev/util/pypi@0.0.0-20250307021655-d811e36f9cad
  • ✅ [Go] github.com/erikvarga/go-rpmdb@0.0.0-20240208180226-b97e041ef9af
  • ⚠️ [Go] github.com/AdamKorcz/go-118-fuzz-build@0.0.0-20230306123547-8075edf89bb0
  • ✅ [Go] github.com/groob/plist@0.1.1
  • ⚠️ [Go] github.com/docker/go-events@0.0.0-20190806004212-e31b211e4f1c
  • ✅ [Go] github.com/opencontainers/runtime-spec@1.1.0
  • ✅ [Go] github.com/rust-secure-code/go-rustaudit@0.0.0-20250226111315-e20ec32e963c
  • ✅ [Go] github.com/google/osv-scalibr@0.2.0
  • ✅ [Go] github.com/moby/sys/userns@0.1.0
  • ✅ [Go] github.com/jbenet/go-context@0.0.0-20150711004518-d14ea06fba99
  • ✅ [Go] github.com/containerd/containerd@1.7.27
  • ✅ [Go] go.etcd.io/bbolt@1.3.10
  • ✅ [Go] golang.org/x/xerrors@0.0.0-20231012003039-104605ab7028
  • ✅ [Go] www.velocidex.com/golang/regparser@0.0.0-20240404115756-2169ac0e3c09
  • ⚠️ [Go] github.com/tidwall/match@1.1.1
  • ✅ [Go] stdlib@1.24.2
  • ✅ [Go] github.com/moby/sys/user@0.3.0
  • ✅ [Go] deps.dev/util/resolve@0.0.0-20250310223405-f4cf91c9e684
  • ✅ [Go] gopkg.in/warnings.v0@0.1.2
  • ⚠️ [Go] github.com/vbatts/tar-split@0.11.6
  • ✅ [Go] deps.dev/util/semver@0.0.0-20250307021655-d811e36f9cad
  • ✅ [Go] github.com/opencontainers/selinux@1.11.0
  • ✅ [Go] github.com/containerd/containerd/api@1.8.0
  • ⚠️ [Go] github.com/saferwall/pe@1.5.6
  • ⚠️ [Go] github.com/containerd/fifo@1.1.0
  • ⚠️ [Go] github.com/gogo/protobuf@1.3.2
  • ⚠️ [Go] github.com/containerd/log@0.1.0

Policy Violations

Packages Violating Policy

[Go] github.com/tidwall/gjson@1.18.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/go-git/gcfg@1.5.1-0.20230307220236-3a3c6141e376 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/moby/locker@1.0.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/deitch/magic@0.0.0-20240306090643-c67ab88f10cb 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/secDre4mer/pkcs7@0.0.0-20240322103146-665324a4461d 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/containerd/typeurl/v2@2.1.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/edsrzf/mmap-go@1.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/platforms@0.2.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/tidwall/jsonc@0.3.2 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/tidwall/pretty@1.2.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] go.opencensus.io@0.24.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/felixge/httpsnoop@1.0.4 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/AdamKorcz/go-118-fuzz-build@0.0.0-20230306123547-8075edf89bb0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/docker/go-events@0.0.0-20190806004212-e31b211e4f1c 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/tidwall/match@1.1.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/vbatts/tar-split@0.11.6 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/saferwall/pe@1.5.6 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/fifo@1.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/gogo/protobuf@1.3.2 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/log@0.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

codecov bot commented May 20, 2025

Codecov Report

Attention: Patch coverage is 68.11594% with 22 lines in your changes missing coverage. Please review.

Project coverage is 16.23%. Comparing base (5c7ab43) to head (ea4309a).
Report is 1 commit behind head on main.

Files with missing lines   Patch %   Lines
pkg/parser/pomxml.go       74.46%    9 Missing and 3 partials ⚠️
pkg/parser/scalibr.go      54.54%    9 Missing and 1 partial ⚠️

@@            Coverage Diff             @@
##             main     #487      +/-   ##
==========================================
+ Coverage   16.01%   16.23%   +0.22%     
==========================================
  Files         158      160       +2     
  Lines       15955    16024      +69     
==========================================
+ Hits         2555     2602      +47     
- Misses      13200    13218      +18     
- Partials      200      204       +4     

@abhisek abhisek merged commit 826b8ea into main May 20, 2025
10 of 11 checks passed
@abhisek abhisek deleted the fix/maven-pomxml branch May 20, 2025 12:40
@abhisek abhisek mentioned this pull request May 20, 2025
Successfully merging this pull request may close these issues.

Fix Bug in Resolving Package Version in Maven POM with Dependency Management