oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: return empty string if dereferncing pom var fails (#2797)

Browse Source 
Previously, Syft would attempt to dereference pom variables, but if it
detected a cycle or failed to get back to a non-variable value, it would
return the last variable. Instead, return an empty string. Otherwise,
certain jars will have versions like "${project.version}" in the SBOM,
which is not helpful.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
This commit is contained in:
William Murphy 2024-04-19 15:38:36 -04:00 committed by GitHub
parent f2633800ce
commit 6440f26b5a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
syft/pkg/cataloger/java/parse_pom_xml.go
View File

@ -236,7 +236,11 @@ func resolveProperty(pom gopom.Project, property *string, propertyName string) s
seenBeforePropertyNames := map[string]struct{}{ seenBeforePropertyNames := map[string]struct{}{
propertyName: {}, propertyName: {},
} }
return recursiveResolveProperty(pom, propertyCase, seenBeforePropertyNames) result := recursiveResolveProperty(pom, propertyCase, seenBeforePropertyNames)
if propertyMatcher.MatchString(result) {
return "" // dereferencing variable failed; fall back to empty string
}
return result
} }
//nolint:gocognit //nolint:gocognit

19
syft/pkg/cataloger/java/parse_pom_xml_test.go
View File

@ -502,7 +502,7 @@ func Test_resolveProperty(t *testing.T) {
pom: gopom.Project{ pom: gopom.Project{
Parent: nil, Parent: nil,
}, },
expected: "${project.parent.groupId}", expected: "",
}, },
{ {
name: "nil string pointer halts search", name: "nil string pointer halts search",
@ -512,7 +512,7 @@ func Test_resolveProperty(t *testing.T) {
GroupID: nil, GroupID: nil,
}, },
}, },
expected: "${project.parent.groupId}", expected: "",
}, },
{ {
name: "double dereference", name: "double dereference",
@ -537,7 +537,7 @@ func Test_resolveProperty(t *testing.T) {
Version: stringPointer("1.2.3"), Version: stringPointer("1.2.3"),
}, },
}, },
expected: "${springboot.version}", expected: "",
}, },
{ {
name: "resolution halts even if it resolves to a variable", name: "resolution halts even if it resolves to a variable",
@ -552,7 +552,7 @@ func Test_resolveProperty(t *testing.T) {
}, },
}, },
}, },
expected: "${undefined.version}", expected: "",
}, },
{ {
name: "resolution halts even if cyclic", name: "resolution halts even if cyclic",
@ -564,7 +564,7 @@ func Test_resolveProperty(t *testing.T) {
}, },
}, },
}, },
expected: "${springboot.version}", expected: "",
}, },
{ {
name: "resolution halts even if cyclic more steps", name: "resolution halts even if cyclic more steps",
@ -578,21 +578,24 @@ func Test_resolveProperty(t *testing.T) {
}, },
}, },
}, },
expected: "${cyclic.version}", expected: "",
}, },
{ {
name: "resolution halts even if cyclic involving parent", name: "resolution halts even if cyclic involving parent",
property: "${cyclic.version}", property: "${cyclic.version}",
pom: gopom.Project{ pom: gopom.Project{
Parent: &gopom.Parent{
Version: stringPointer("${cyclic.version}"),
},
Properties: &gopom.Properties{ Properties: &gopom.Properties{
Entries: map[string]string{ Entries: map[string]string{
"other.version": "${cyclic.version}", "other.version": "${parent.version}",
"springboot.version": "${other.version}", "springboot.version": "${other.version}",
"cyclic.version": "${springboot.version}", "cyclic.version": "${springboot.version}",
}, },
}, },
}, },
expected: "${cyclic.version}", expected: "",
}, },
} }