Look for a maven version in a pom from a parent dependency management section (#2423)

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2025-11-17 16:33:21 +01:00 · 2023-12-14 18:15:14 +00:00 · 2023-12-14 18:15:14 +00:00 · 38a12bd91a
commit 38a12bd91a
parent 649d152548
2 changed files with 42 additions and 9 deletions
--- a/syft/pkg/cataloger/java/maven_repo_utils.go
+++ b/syft/pkg/cataloger/java/maven_repo_utils.go
@ -27,6 +27,33 @@ func formatMavenPomURL(groupID, artifactID, version, mavenBaseURL string) (reque
 	return requestURL, err
 }

+// An artifact can have its version defined in a parent's DependencyManagement section
+func recursivelyFindVersionFromParentPom(groupID, artifactID, parentGroupID, parentArtifactID, parentVersion string, cfg ArchiveCatalogerConfig) string {
+	// As there can be nested parent poms, we'll recursively check for the version until we reach the max depth
+	for i := 0; i < cfg.MaxParentRecursiveDepth; i++ {
+		parentPom, err := getPomFromMavenRepo(parentGroupID, parentArtifactID, parentVersion, cfg.MavenBaseURL)
+		if err != nil {
+			// We don't want to abort here as the parent pom might not exist in Maven Central, we'll just log the error
+			log.Tracef("unable to get parent pom from Maven central: %v", err)
+			break
+		}
+		if parentPom != nil && parentPom.DependencyManagement != nil {
+			for _, dependency := range *parentPom.DependencyManagement.Dependencies {
+				if groupID == *dependency.GroupID && artifactID == *dependency.ArtifactID && dependency.Version != nil {
+					return *dependency.Version
+				}
+			}
+		}
+		if parentPom == nil || parentPom.Parent == nil {
+			break
+		}
+		parentGroupID = *parentPom.Parent.GroupID
+		parentArtifactID = *parentPom.Parent.ArtifactID
+		parentVersion = *parentPom.Parent.Version
+	}
+	return ""
+}
+
 func recursivelyFindLicensesFromParentPom(groupID, artifactID, version string, cfg ArchiveCatalogerConfig) []string {
 	var licenses []string
 	// As there can be nested parent poms, we'll recursively check for licenses until we reach the max depth
--- a/syft/pkg/cataloger/java/parse_pom_xml.go
+++ b/syft/pkg/cataloger/java/parse_pom_xml.go
@ -111,16 +111,22 @@ func newPackageFromPom(pom gopom.Project, dep gopom.Dependency, cfg ArchiveCatal
 	version := resolveProperty(pom, dep.Version, "version")

 	licenses := make([]pkg.License, 0)
-	if version != "" && cfg.UseNetwork {
-		parentLicenses := recursivelyFindLicensesFromParentPom(
-			m.PomProperties.GroupID,
-			m.PomProperties.ArtifactID,
-			version,
-			cfg)
+	if cfg.UseNetwork {
+		if version == "" {
+			// If we have no version then let's try to get it from a parent pom DependencyManagement section
+			version = recursivelyFindVersionFromParentPom(*dep.GroupID, *dep.ArtifactID, *pom.Parent.GroupID, *pom.Parent.ArtifactID, *pom.Parent.Version, cfg)
+		}
+		if version != "" {
+			parentLicenses := recursivelyFindLicensesFromParentPom(
+				m.PomProperties.GroupID,
+				m.PomProperties.ArtifactID,
+				version,
+				cfg)

-		if len(parentLicenses) > 0 {
-			for _, licenseName := range parentLicenses {
-				licenses = append(licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+			if len(parentLicenses) > 0 {
+				for _, licenseName := range parentLicenses {
+					licenses = append(licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+				}
 			}
 		}
 	}